3CX Phone System Withstands Massive Online Attack

3CX Phone System thwarted an attempted Denial of Service attack

How robust will 3CX Phone System prove to be when handling a Denial of Service (DoS) attack or an Intrusion Attempt?

If you have asked yourself this question before, then it means that you are thinking in the right way – trying to foresee the potential problems, and evaluate the solidity of your solution.

One of 3CX’s foremost resellers in the USA has, however, saved you the need to perform stress tests on your system to find out whether the solution can withstand a DoS attack or beat off a hacker.

3CX Premium Partner, Charles Ambrosecchia of Sigma Networks, reports that their Network Operations Center was the subject of an intense attack from an IP Address inside Germany for 17 continuous hours, with data rates peaking at over 5Mbps to a single 3CX Phone System installation.

Charles stated that 3CX Phone System performed admirably by rejecting the initial attempts at registration with incorrect forged credentials (essentially a brute force attack). Shortly thereafter, 3CX Phone System automatically classified the source of the attack as a potentially malignant entity and added it to its dynamic blacklist. Once an entity is in the blacklist, all requests it sends to 3CX Phone System are quietly ignored. This behaviour provides 2 benefits.

The first benefit is that by simply ignoring the request rather than responding with a “rejected” message, it saves on outgoing bandwidth. A DoS attack can very quickly consume bandwidth, and if each request has to be answered with a reject message of some sort, then (typically) as the intensity of the attack increases, so does the outbound traffic generated by the target. Since the bandwidth on most internet connections is asymmetric (far more download bandwidth is available than upload bandwidth), it is very possible for the connection’s upload bandwidth to be maxed out, making the internet connection practically unusable. Simply ignoring the requests very elegantly sidesteps this part of the problem.

The second benefit is that it completely nullifies a brute force hack attempt. A hacker sends requests with credentials generated by going through all possible permutations, and then harvests the responses to learn which credentials have already been tried and rejected. In this case, however, simply ignoring the request takes away the one thing which the hacker needs to make progress – a response indicating whether or not the set of credentials provided within each request is valid.

Charles also pointed out that, even though it sounds obvious, admins should be reminded that once an entity gets blacklisted, one should take advantage of this information and simply block the traffic at the source, e.g. your firewall.
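The following is an added illustration, not 3CX code, of the behaviour described above: a toy SIP registrar that rejects the first few bad REGISTER attempts from a source, then dynamically blacklists that source and silently drops everything it sends, and can export the live blacklist for the perimeter firewall. The failure threshold, ban duration, response size, sample credentials and IP addresses are all assumptions constructed for the example. Running it with `silent_drop` on and off shows the two benefits in numbers: outbound bytes stop growing with the attack, and a blacklisted sender gets no response even when it finally guesses the right password.

```python
# Added illustration (not 3CX code): a toy SIP registrar that rejects the first
# few bad REGISTER attempts from a source, then dynamically blacklists it and
# silently drops everything it sends. Threshold, ban time and the response size
# are assumptions chosen for the example.
from collections import defaultdict
from dataclasses import dataclass, field

FAIL_THRESHOLD = 4        # assumed: failed attempts before a source is blacklisted
BLACKLIST_SECONDS = 3600  # assumed: how long a blacklist entry lives
RESPONSE_BYTES = 420      # assumed on-wire size of one SIP reject response


@dataclass
class Registrar:
    credentials: dict                   # extension -> password (constructed sample)
    silent_drop: bool = True            # ignore blacklisted sources, or keep rejecting them
    failures: dict = field(default_factory=lambda: defaultdict(int))
    blacklist: dict = field(default_factory=dict)   # ip -> expiry time (seconds)
    bytes_out: int = 0                  # outbound bytes spent on responses
    events: list = field(default_factory=list)

    def is_blacklisted(self, ip, now):
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:               # entry has aged out
            del self.blacklist[ip]
            return False
        return True

    def handle_register(self, ip, ext, password, now):
        """Return the SIP status text sent back, or None when the request is dropped."""
        if self.is_blacklisted(ip, now):
            if self.silent_drop:
                # No response at all: no upload bandwidth is spent, and the sender
                # learns nothing about whether the credentials were valid.
                return None
            self.bytes_out += RESPONSE_BYTES
            return "403 Forbidden"
        if self.credentials.get(ext) == password:
            self.failures.pop(ip, None)
            self.bytes_out += RESPONSE_BYTES
            return "200 OK"
        # Wrong credentials: reject, count the failure, blacklist once over threshold.
        self.failures[ip] += 1
        self.bytes_out += RESPONSE_BYTES
        if self.failures[ip] >= FAIL_THRESHOLD:
            self.blacklist[ip] = now + BLACKLIST_SECONDS
            self.failures.pop(ip, None)
            self.events.append(f"blacklisted {ip} at t={now}")
        return "403 Forbidden"

    def firewall_entries(self, now):
        """Live blacklist entries, ready to be pushed to the perimeter firewall."""
        return sorted(ip for ip in list(self.blacklist) if self.is_blacklisted(ip, now))


def run_brute_force(n_attempts, silent_drop=True, attacker_ip="203.0.113.7"):
    """Replay n_attempts forged REGISTERs (one per second) and return the registrar."""
    reg = Registrar(credentials={"100": "correct-horse-battery-staple"}, silent_drop=silent_drop)
    for t in range(n_attempts):
        reg.handle_register(attacker_ip, "100", f"guess{t:05d}", now=t)
    return reg


if __name__ == "__main__":
    for policy in (True, False):
        reg = run_brute_force(1000, silent_drop=policy)
        print(f"silent_drop={policy}: {reg.bytes_out} bytes sent back, "
              f"firewall block list {reg.firewall_entries(now=1000)}")
```

With 1000 forged attempts the dropping registrar answers only the first four and then spends nothing, while the rejecting variant sends a response for every attempt, so its upload usage scales with the attacker's rate. The blacklisted address is also refused a response for a correct password until the entry expires, and a different address registering with the right credentials is unaffected.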

  1. Thank you Charles for sharing this valuable information. Great job, thanks!

    March 2, 2012 at 6:23 pm
  2. Graham Hill

    Great feedback thank you … I have seen the development of the security suite in 3CX (from practically zero in version 7!), and have heard the theory about how it does its job, but to get a real-world view is very valuable.

    I do see several e-mails on a daily basis indicating that mine, and my customer’s 3CX systems have locked out a bogus registration attempt, so that too tells me it’s working.

    Well done 3CX …

    March 2, 2012 at 6:56 pm
  3. jack joshlin

    Shortly after installing 3cx v9 an IP from Rice university tried a brute force. I looked up their security team, gave them a call, and within 30 mins they killed the IP’s outbound traffic.

    March 2, 2012 at 7:08 pm
  4. @Jack – I recommend upgrading to v10. It has much better hacker protection. Staying on v9 is false economy :)

    March 5, 2012 at 5:41 pm
  5. I’m guessing it’s the same IP address in Germany that was attempting a denial of service attack on my 3cx phone system in the last week of February, 4 days in total.
    I only had to deal with 1Mbps in requests…. But on a 1.5Mbps T1, it caused a few quality issues.

    3CX was never broken.

    If someone finds the guys responsible…. Please land one or two for me.

    Mat

    March 3, 2012 at 8:29 am
  6. I have seen similar sustained attacks on customers’ 3CX systems originating from USA, Germany, Palestine, Switzerland, China etc. to the extent that the hack attempts have maxed out the data allowance. 3CX has never let me down when it comes to denying access to these attempts. Like Charles points out, once I have received an email alert to a hack attempt I set up firewall rules and block the entire i.p. range that the hack has originated from. You can enter a single i.p. address at http://software77.net/geo-ip/ and discover the country of origin and the range that it belongs to.

    Chris
    The VoIP Centre

    March 5, 2012 at 9:44 pm
  7. Thanks for the heads up Chris!

    March 5, 2012 at 9:58 pm
  8. We have had such an attack I think at the start of V9 originating from a Canadian IP. The server was handling it pretty well. To be honest we noticed nothing in the 2 days it happened, until the C disk on the phone system was stuffed with log files (think verbose was on, so that was our own fault).

    Anyways, the hacker was not able to get in. We are about to upgrade to V10 which has more security params as Nick advises.

    March 7, 2012 at 10:44 pm
  9. Pingback: 3CX Phone System Withstands Massive Online Attack » Bulldog Data Services - Making IT Simple

  10. Matt Cook

    We have had weekly hacking attempts since we installed our 3CX. How do these hackers know about our system? Anyhow, we were hacked on New Years at midnight and luckily Cox our provider cut them off 5 hours later but not after a $1000+ bill!!! What did we learn?
    – Passwords must be strong – we had one easy one and it cost us.
    – Adjust your advanced settings to limit failed attempts (ours is now 4) and automatically blacklist IP
    – Adjust your advanced settings for data through one connection/user – limited to enough data for 4 lines worth of IP traffic.
    – Learned that even though you may have a 3CX license for 8 or 16 lines, somehow the hackers can use all your lines and in my case it was the full T1/PRI line of 24 continuous lines.
    – Did an IP trace and emailed the hosting company about the attack from their IP range.

    March 20, 2012 at 2:28 am
  11. We have just moved to a new site, and my colleagues misconfigured the firewall which left port 5060 wide open. Like Matt says, we learned the lessons.

    It’s very important to set the passwords to strong! We had several PSTN + bridge lines with the same passwords as usernames i.e. 10000:10000 (auto generated by 3cX, maybe this should be changed by default in the system to randomly created passwords (we are @ v9, maybe this already changed in V10?)). So that was a wide open door for hackers from the GAZA.

    Costs way above $2000,- eventually our TELCO blocked international calls and fortunately due to a temporary internet line our VOIP lines were disabled, else the costs would have risen even more!

    March 28, 2012 at 5:07 pm
  12. Kevin

    @Patrick – V10 takes great steps forwards on the security front. Indeed, V10 automatically randomizes passwords for any entity upon creation.

    April 3, 2012 at 7:47 pm