Asterisk is likely looking at the SIP headers for IP authentication and not
the actual IP headers. SIP headers can be spoofed, but I don't believe they
can spoof the IP packets and still have it routed properly to this customer
unless they are on the same network. If the customer does a packet capture
(tcpdump, tethereal, etc.) they should see the IP and SIP headers do not match
on those calls. They could use iptables or some other ACL to block the
hackers.
Andy Day
Velocity Networks / IP Telesis
801-783-5105
www.vel.net
Date: Fri, 4 Sep 2009 22:59:48 +0800
From: Rehan Ahmed Allahwala <rehan@supertec.com>
Subject: [asterisk-biz] A hacker attack on asterisk
To: Commercial and Business-Oriented Asterisk Discussion <asterisk-biz@lists.digium.com>
Message-ID: <865f01c80909040759g88af260kb8f6065b3b53417c@mail.gmail.com>
We have a customer who is facing this problem.
Their gateway Asterisk to the termination side is being attacked by the
hacker.
The gateway Asterisk is using IP-based authentication, and also IAX user
name and password.
The hacker is somehow able to send the call out via the gateway
Asterisk, faking the IP address.
The FULL log does not show any trace of the call or the number which is
being called in the NODE Asterisk whose IP is being used; however, the log
of the GATEWAY Asterisk shows that the call was made from the IP of the NODE
Asterisk.
Any suggestions on what they can use for further authentication for this
particular customer?
Rehan
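
The capture comparison suggested in the reply above (IP-header source versus the addresses claimed in the SIP headers), as an added example that is not part of the original thread. It assumes the capture has already been reduced to (IP source, SIP payload) pairs; the function names and all addresses are constructed for illustration. A sender behind NAT also produces a mismatch, so hits are leads to review, not proof of spoofing.

```python
import re

# Host in the topmost Via and in the Contact URI (compact forms "v"/"m" too).
# IPv4 addresses and hostnames only; bracketed IPv6 literals are not handled.
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/\w+\s+([^;:\s,]+)", re.I | re.M)
CONTACT_RE = re.compile(
    r"^(?:Contact|m)\s*:.*?sips?:(?:[^@>\s]+@)?([^;:>\s]+)", re.I | re.M)


def sip_hosts(payload):
    """Return the hosts a SIP message claims, keyed by header name."""
    hosts = {}
    for name, rx in (("via", VIA_RE), ("contact", CONTACT_RE)):
        m = rx.search(payload)
        if m:
            hosts[name] = m.group(1).lower()
    return hosts


def mismatches(packets):
    """packets: iterable of (ip_source, sip_payload) taken from a capture.

    Returns (ip_source, header, claimed_host) for every header whose host
    differs from the address in the IP header of the packet carrying it.
    """
    found = []
    for src, payload in packets:
        for header, host in sip_hosts(payload).items():
            if host != src:
                found.append((src, header, host))
    return found


# Constructed sample: the same INVITE seen once from the address it claims
# and once from a different IP source (documentation address ranges).
INVITE = ("INVITE sip:15550100@198.51.100.5 SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
          "Max-Forwards: 70\r\n"
          "Contact: <sip:node@192.0.2.10:5060>\r\n"
          "Content-Length: 0\r\n\r\n")
SAMPLE = [("192.0.2.10", INVITE), ("203.0.113.77", INVITE)]

if __name__ == "__main__":
    for src, header, host in mismatches(SAMPLE):
        print(f"IP source {src} but {header} header claims {host}")
```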