Asterisk defense or the Cuban epidemic
Recently a large wave of Asterisk compromises has begun, with the compromised servers then used to pass call traffic to Cuba.
Since a call to Cuba costs on average from $1 per minute, this can lead to sad consequences (in 17 hours the balance on one of the trunks was driven down to -$8000).
The scheme works like this:
- An Asterisk server is found on the network
- The list of its peers is enumerated
- The peers' passwords are guessed
- The account is added to a system that cycles through trunks when placing a call.
- A lot of Cubans place calls through this system.
If you buy access to such a system and make a call, the delay before the ringing tone makes it clear that a huge number of hacked Asterisk servers are involved in this scheme.
Peer enumeration
Peers are enumerated with the method implemented in SIPVicious: extensions are scanned and the Asterisk responses are analyzed. For example:
./svwar.py sip.somewhere
| Extension | Authentication |
-------------------------------
| 607 | reqauth |
| 606 | reqauth |
| 601 | reqauth |
| 600 | reqauth |
| 300 | reqauth |
| 900 | reqauth |
| 100 | reqauth |
To counter this, enable the alwaysauthreject directive in sip.conf, which makes Asterisk respond with 401 Unauthorized to any authorization error, so existing and unknown extensions look the same to the scanner. After that, the same server responds 401 to a scan attempt and the utility gives an error:
./svwar.py sip.somewhere
ERROR:TakeASip:SIP server replied with an authentication request for an unknown extension. Set --force to force a scan.
WARNING:root:found nothing
Cuban problem
If your subscribers are not going to call Cuba, calls to it must be blocked in extensions.conf. For example:
; Cuba (country code 53)
exten => _53.,1,Answer()
exten => _53.,n,PlayBack(vm-goodbye)
exten => _53.,n,Hangup()
; Somalia (country code 252)
exten => _252.,1,Answer()
exten => _252.,n,PlayBack(vm-goodbye)
exten => _252.,n,Hangup()
You can of course just do Hangup right away, but answering the call as shown forces our server to be disconnected from the automated system manually, which is good news.
P.S. To check that you have set up the rejection of calls to Cuba correctly, you can try to call +53997970. This is a military base and there is always an answering machine.
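The _53. and _252. patterns only match the dialed string exactly as it reaches the dialplan, so it is worth checking which dialing formats they actually catch. The following Python sketch is an added example, not part of the original post or of Asterisk: it re-implements dialplan pattern matching and audits the two block patterns against constructed dial strings; the 00 and 810 international prefixes and the filler numbers are assumptions.

```python
import re

# Pattern letters as defined by the Asterisk dialplan.
CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}

def pattern_to_regex(pattern):
    """Compile an Asterisk extension pattern into an anchored regex."""
    if not pattern.startswith("_"):              # no underscore: literal extension
        return re.compile(re.escape(pattern) + r"\Z")
    body, out, i = pattern[1:], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "[":                            # character set such as [2-9]
            end = body.index("]", i)
            out.append(body[i:end + 1])
            i = end
        elif ch == ".":                          # one or more of any character
            out.append(".+")
        elif ch == "!":                          # zero or more of any character
            out.append(".*")
        else:                                    # X/Z/N class or a literal
            out.append(CLASSES.get(ch.upper(), re.escape(ch)))
        i += 1
    return re.compile("".join(out) + r"\Z")

# The two block patterns from the extensions.conf fragment above.
BLOCKED = ["_53.", "_252."]

def blocked_by(dialed, patterns=BLOCKED):
    """Return the first block pattern matching the dialed string, else None."""
    for pattern in patterns:
        if pattern_to_regex(pattern).match(dialed):
            return pattern
    return None

def audit(dial_strings, patterns=BLOCKED):
    """Map every dial string to the pattern that blocks it (None = passes)."""
    return {d: blocked_by(d, patterns) for d in dial_strings}

# Constructed inputs: the page's test number in several dialing formats
# (the 00 and 810 international prefixes are assumptions), plus filler numbers.
SAMPLES = ["53997970", "+53997970", "0053997970", "81053997970",
           "2520000000", "74950000000"]

if __name__ == "__main__":
    for dialed, hit in audit(SAMPLES).items():
        print(f"{dialed:>12}  {'blocked by ' + hit if hit else 'NOT blocked'}")
```

Any format reported as NOT blocked that your context accepts and your trunk would route needs its own block pattern, or the prefix has to be normalized before the block rules are reached.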