Security Troubles

Discussion in '3CX Phone System - General' started by A.burton, Mar 6, 2012.

Thread Status:
Not open for further replies.
  1. A.burton

    Oct 1, 2011
    Since around December 31, when the office was closed, there has been a massive increase in our data download pattern, some 40GB over our normal usage. We were hit with massive excess fees. On examination of 5-minute data polling from our provider we noticed large blocks being downloaded. Sometimes it would last for 2 days at full download speed and sometimes just a couple of hours. Sometimes someone was in the office and sometimes not. Sometimes a whole week would go by without any extra data. Virus scans showed nothing. The only device on during some occasions was the 3CX server. I was nearly at my wits' end to track this down, as Wireshark can't be left running for long periods (it would seem). However, today I noticed the internet light running hot on my modem and so I ran a Wireshark capture on the 3CX server. I was surprised to see 1000s of SIP REGISTER requests coming in each second from one particular IP address. In as little as 6 minutes, 25MB worth of requests were downloaded from this pleb. That's where our data was going. When I added him to our firewall exclusion and tried to log the hits, my modem kept crashing due to the ferocity of the attack. I telephoned Telstra Business and they promptly escalated to level three and have since blocked him (I think).

    Now for the interesting bit:

    Around December 31, I received an email about this particular IP address saying 3CX had added it to the blacklist for 9999999 seconds as the number of requests exceeded....... and indeed it was in the blacklist. So my question is: if this guy was blacklisted, why does he keep trying? Was he maybe bypassing the blacklist? There was no evidence in the log to say he had tried again. How on earth do I stop this kind of activity? My VoIP provider seems reluctant to provide me with a list of IP addresses that I can allow through on port 5060. What does everyone else do? Does everyone leave port 5060 open for anyone and deal with intrusions at the 3CX server level? Has my 3CX server been compromised in some way to allow these requests? How can I tell?
  2. VDiesel

    Jul 30, 2010
    It's not really a 3CX related issue, but more of a security & networking topic.
    In this case you're dealing with automatic scripts that scan vast networks looking for open SIP ports to exploit and once the script gets an initial reply it relentlessly hammers your SIP port with various user credentials. It's really no different than someone sending you an ICMP ping flood. If your perimeter firewall replies to ICMPs, your data usage will quickly escalate by responding to each request.

    You have a couple of options.
    1. Close port 5060 at the router/firewall (i.e. do not forward it to 3CX) and limit external connections only to the tunnel on 5090.
    This works, but can cause some issues with certain SIP providers that don't handle NAT traversal very well.

    When port 5060 is unconditionally forwarded at the firewall to 3CX, each time that port is probed 3CX checks the credentials received. If valid, a registration is permitted, if not it replies with a 'failed bad auth' and keeps doing this until the security threshold is reached, then bans the offending IP for x seconds. At that point, it's too late. By now the attacking script is already aware that it received a reply from 5060 and will continue its attack.

    2. Use your perimeter firewall more effectively by allowing external port 5060 to be forwarded to 3CX at the firewall level only if specific conditions are met, and otherwise drop the packet entirely.

    Some examples of these conditions:
    a. External FQDN declared in 3CX that users point to when connecting from remote locations. (ie.
    b. IP address of your SIP trunk provider

    Otherwise all other external packets to 5060 will simply be dropped in silence without any reply. A script will never know your FQDN, it just scans networks blindly for open ports. Since your firewall now doesn't allow any reply to a blind probe, the scan moves on and considers 5060 as closed or non-existent.

    In general, relying on an internal service to protect itself is never a good idea. That's a function of your firewall. It just needs to be told what to allow and what to ignore.

    Good luck.
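As an added example (not code from this thread or from 3CX), the script below does two things the posts describe: it answers the first post's "how can I tell?" by counting REGISTER requests per source per second in a tshark-style export, and it emits the allowlist-only nftables policy the second post recommends (accept 5060 only from the trunk provider, silently drop everything else). The capture lines, the 20/s threshold and the trunk IP 198.51.100.10 are constructed placeholders.

```python
"""Spot a SIP REGISTER flood in a capture and emit an allowlist-only firewall policy.

Added example, not from the thread. Input is a constructed tshark-style export
(epoch time, source IP, SIP method); addresses are RFC 5737 documentation ranges.
"""
from collections import Counter, defaultdict

# Constructed sample: one host sends a burst of REGISTERs across two seconds,
# while the trunk provider sends a normal OPTIONS keepalive and an INVITE.
SAMPLE_CAPTURE = "\n".join(
    [f"1325289600.{i:03d} 203.0.113.77 REGISTER" for i in range(0, 400)]
    + ["1325289600.050 198.51.100.10 OPTIONS",
       "1325289601.200 198.51.100.10 INVITE"]
    + [f"1325289601.{i:03d} 203.0.113.77 REGISTER" for i in range(0, 350)]
)

def register_rate(capture: str) -> dict:
    """Return {src_ip: peak REGISTER count seen in any one-second window}."""
    per_second = defaultdict(Counter)  # src -> Counter(second -> count)
    for line in capture.splitlines():
        ts, src, method = line.split()
        if method == "REGISTER":
            per_second[src][int(float(ts))] += 1
    return {src: max(c.values()) for src, c in per_second.items()}

def flood_sources(capture: str, per_second_limit: int = 20) -> list:
    """Sources whose peak REGISTER rate exceeds the (constructed) limit."""
    return sorted(s for s, peak in register_rate(capture).items() if peak > per_second_limit)

def nft_sip_policy(trunk_ips: list, sip_port: int = 5060) -> str:
    """nftables rules for the thread's advice: accept SIP only from the trunk
    provider and silently drop the rest, so a blind scan gets no reply."""
    allowed = ", ".join(trunk_ips)
    return "\n".join([
        "table inet sip {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    udp dport {sip_port} ip saddr {{ {allowed} }} accept",
        f"    tcp dport {sip_port} ip saddr {{ {allowed} }} accept",
        f"    udp dport {sip_port} drop",
        f"    tcp dport {sip_port} drop",
        "  }",
        "}",
    ])

if __name__ == "__main__":
    print("peak REGISTER/s per source:", register_rate(SAMPLE_CAPTURE))
    print("flood sources:", flood_sources(SAMPLE_CAPTURE))
    print(nft_sip_policy(["198.51.100.10"]))  # placeholder trunk provider IP
```

A real export for `register_rate` can be produced with `tshark -r capture.pcap -Y sip -T fields -e frame.time_epoch -e ip.src -e sip.Method`; the generated rules still need the FQDN-based condition from the post added if remote users register directly.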