How to React when 3CX Phone System is Under Attack

What steps should you take if your 3CX Phone System is being attacked by a hacker?This is a guest post from 3CX Premium Partner, Charles Ambrosecchia of SigmaVoIP. In this article, Charles explains how to combat any attacks on your 3CX Phone System server.

What should you do if someone attempts to hack your 3CX Phone System installation? A hacker will attempt to use your system to make calls to remote numbers (basically allowing the hacker to make calls and passing the bill over to you), or, worse still, to premium services (which charge very high rates for the call, and also pass a portion of the profits back to the hacker). The best course of action is to secure your system by limiting access to port 5060. This port should be used exclusively by your SIP trunk providers. However, there are instances when remote users need to access the server but can’t because they’re unable to use the 3CX Tunnel from a dynamic public IP address.

Currently, remote users with 3CX Phone for Android, 3CX Phone for Windows, or 3CX SIP Proxy Manager (mobile phone, laptop or desk phone access to the PBX from outside the premises) can take advantage of the 3CX Tunnel protocol but some platforms cannot yet do so (systems that are not running Windows or Android as an Operating System, and some desk phones that are incompatible with the 3CX Tunnel Protocol).

3CX Phone System does a terrific job at reacting quickly to excessive login failures and you should always enable notifications, so that the system administrator receives an email alert that some remote entity has made too many failed attempts to authenticate. This alone will prevent a hacker from using your system to make unauthorized calls. The hacker may, however, attempt to cause disruption of quality or a total denial of service (DoS) –  they can keep on bombarding your server with requests that could still overwhelm your Internet Ingress and cause a CPU overload on your router. Dropping the fraudulent packets on the WAN side of your router will not help you because the ISP will still allow as much traffic as possible to traverse their backbone and saturate your line. The guidelines below will help you minimize the impact of this and any potential financial losses. Best of all, with your help, law enforcement can prosecute the offenders.

Gathering Evidence of a Hack Attempt

Ensure that you have Wireshark installed on your 3CX Server (http://www.wireshark.org/) and begin by capturing up to one minute of traffic. By filtering SIP traffic, you will be able to see all the fraudulent INVITE requests. Make sure that the originating IP and user ID are not those of a real user that happens to have a bad PIN or Authentication Password. Save this capture for later use. Please be aware that the capture may contain real user ID’s and passwords.

Now go to http://www.arin.net and paste the offending IP address in the search box on the top right. The search will show you whom the IP address is assigned to. Half way down the page (if this is a US address) find the Function table and click on the Abuse point of contact. Please report the offender, both via email and by calling their Network Abuse department or the NOC (Network Operation Center). Be specific and provide the IP address and the port (usually 5060). If this is a non-US IP address, the results will point you to the WHOIS database that serves that particular IP space. apnic.net covers the Asia Pacific region, while ripe.net serves Europe.

At this point you can configure your router to drop those packets if you want to prevent them from crossing your router NAT but 3CX does the same exact thing by blacklisting the IP Address.

In most cases, the offender is either in a different state (if in the USA) or from another country. If your server is in the USA, take a moment to fill out the form located at http://www.ic3.gov/complaint/default.aspx and call your local FBI office to file a complaint. Once an FBI Special Agent is assigned to your case, provide them with the Wireshark trace.

If the perpetrator continues to attack your system, it is likely that they are attempting to cause a DoS. Contact your ISP and ask them to drop all packets from the offending IP addresses, which they’ll do from their core routers. Some ISP’s will do this for you, whilst others may not have a clue what you’re asking them to do – you will need to be persistent and explain what you mean.

If the FBI takes on your case (and the Wireshark trace helps them a great deal in investigating, prosecuting and convicting), you will, in most cases, be included in the Victims Registry. This will allow the FBI to keep in touch with you and provide you with timely updates on your case.

Please note that in some cases the offender may switch the IP address from which the attack originates. If they do, you will need to start this process again. If the IP address happens to be within your state, you should also contact your State and Local police departments. Unfortunately, small police departments have detectives that may not be experienced in pursuing this type of crime, therefore, following the suggestions above will help.

More sophisticated hackers use compromised high power servers in Data Centers and all responsible operators will terminate the attack quickly. Make sure you have strong PIN numbers, Authentication IDs, and Authentication Passwords, that none of this information is common within one extension, that none of this information is common with other extensions, and that you never specify the extension number to also be a PIN or Authentication ID or Authentication Password. Failure to do so makes it easier for attackers to cause damage.

  1. Utpal

    indeed at very helpful information, thanks for sharing

    April 4, 2012 at 1:38 pm
  2. Bruce G. Kreeger

    Charles has done an excellent job in presenting this issue very clearly and precisely. Thank you

    April 5, 2012 at 9:30 pm
  3. Nick-Aust

    Thanks for the info, i run a small home 3cx server at home and have been getting sip dos attacked from different ip’s for over 4 months. Letting your ISP know straight away and by also having a Wireshark or another traffic analyzer (i use Netflow) can assist in getting the ip blocked by there Boarder Routers. You just really need to keep on top of your sip traffic and report any attacks straight away, plus also strongly secure your 3cx server

    April 10, 2012 at 2:08 pm