OCOM/Palladion monitors all traffic to every one of our servers, which gives us the ability to keep a counter of every failed (404) registration attempt. A threshold is set, and when failed registrations exceed it, an alert email is sent to us with the minute window in which the behavior occurred. Brute force attacking is one of the most common fraud attempts you will see with this kind of alert. A secondary email may also be sent afterwards if the per-minute count of failed registrations falls back under the alerting threshold. HOWEVER, INVESTIGATION SHOULD STILL BE DONE, SHARED AND DOCUMENTED IN THE TICKET.
Timeliness is essential when dealing with this alert, mainly because of the attacking method. With brute force attacking the attacker is trying random User IDs in a big, fast burst of attempts and failing, meaning the User IDs trying to register are not found on that respective server. A 404 can also have an innocent cause: typos in the User ID field, registrations sent to the wrong server, or a user seat that no longer exists on the server it is registering to.
But what happens if the attacker does guess the right User ID on the right server? That is when 403 failed attempts start to happen: authentication failures. The Broadsoft platforms all have a lockout system that triggers when a device registering against them presents a SIP Authentication Password that does not match what is set in the database, once the failure threshold is met. Please review the article Broadsoft SIP Authentication Lockouts to understand the lockout process. The line is placed out of service and URL CALLING IS DISABLED is displayed on the phone for users. If this is not caught and it gets to that point, entire locations of an Enterprise get locked out. It has happened before.
How are the alerts sent?
High 404 alerts are sent to us via email from the address palladion@evolveip.net.
Example Email Alert
In this alert we can see in the Subject "Reoccurring Alert Digest (2020-02-06 07:02:51 – 2020-02-08 11:17:56)", giving the time window from the earliest to the latest alert. In the body we can see that the threshold is set at 600 and the Value monitored within the minute window is 884, the minute window being 11:16:00 to 11:16:59 (EST). Keep in mind you may see other times in the same email, as this tool keeps a record that can range over a couple of days.
Step 1: Filter OCOM/Palladion for 404 Alerts
When beginning your troubleshooting, log into OCOM/Palladion and navigate to the Registrations tab in the left window pane. When the list loads it shows every registration attempt happening at the point of your search, sorted from latest to oldest. First filter the Code by the value = 404; the list will then show only 404 registration attempts.
Next, filter the time to the latest minute mark indicated in the alert; in our example that is 11:16:59.
Step 2: The 5 Indicators to Key in on
The User: You should know by now what our User IDs look like, so seeing 3-, 4-, or 5-digit strings trying to register is a clear giveaway, since we provision our devices with full-length digit strings.
Contact Field: A normal registration Contact field for devices on our platform looks like sip:[User ID]@[IP Address]. Anything like R-Instance should be investigated, as it can potentially be fraudulent.
User Agent: To see the User Agent you will need to open one of the registration attempts and expand the Register. We have a Confluence article on the different fraudulent User Agents: https://support.evolveip.net/display/VE/Fraudulent+UAs. The list is: portsip | SIPVicious | friendly-scanner | SIPScan | Smap | Sipsak | Sipcli | Sivus | Protos | Gulp | Sipv | Sundayddr | eyeBeam | VaxIPUserAgent | sipArmyKnife | Viproy | Ozeki. However, two newer common ones are Asterisk PBX and Polycom v11. These are fraudulent.
Source IP: If you can key in on any of the three behaviors listed above and/or cycle through the pages and see a common IP address in the attempts, set a filter for that IP. Try searching in Nagios and Edgeview for that IP to see if it is an Edgewater, because if it is, chances are it is not fraud. Look up the IP address at https://arin.net to see which ISP/organization is responsible for it. If the IP address is not registered in the American Registry, it will tell you to go to the correct regional registry (e.g. https://Ripe.net). So if you see an IP address from France or the Netherlands trying to register US-based phone numbers, that is an indicator.
Destination IP: Each of our platform server domains resolves to a certain IP address; if you don't know it, open a command prompt on your computer and ping voip-[PLATFORM].evolveip.net to see what it resolves to.
A Platform: [64.27.39.162] & [199.66.103.36]
B Platform: [64.27.39.168]
C Platform/East02.voip.evolveip.net: [64.27.39.168]
C Platform/West01.voip.evolveip.net: [199.66.103.37]
D Platform/East04.voip.evolveip.net: [64.27.39.177]
E Platform (International Platform): [52.56.55.11]
F Platform: [64.27.39.114]
So if you see a registration attempt to an address other than these, key in on it and investigate. You can check Solarwinds (http://10.32.32.57/Orion/Login.aspx Creds: Support/Revolve989!) to find what our different public and private IPs are assigned to.
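Added example (not part of this runbook or of the OCOM/Palladion tool): a small Python triage script that scores 404 registration attempts against the indicators above (short User ID, R-Instance in the Contact, fraudulent User Agent, unexpected destination IP) and groups them by source IP. The record field names, the burst threshold and the sample records are assumptions; the sample uses documentation addresses, not real observed traffic.

```python
from collections import defaultdict

# Platform registration addresses from the list above.
PLATFORM_IPS = {"64.27.39.162", "199.66.103.36", "64.27.39.168",
                "199.66.103.37", "64.27.39.177", "52.56.55.11", "64.27.39.114"}

# User-Agent substrings the runbook treats as fraudulent (matched case-insensitively).
FRAUD_UAS = ["portsip", "SIPVicious", "friendly-scanner", "SIPScan", "Smap", "Sipsak",
             "Sipcli", "Sivus", "Protos", "Gulp", "Sipv", "Sundayddr", "eyeBeam",
             "VaxIPUserAgent", "sipArmyKnife", "Viproy", "Ozeki", "Asterisk PBX", "Polycom v11"]

def indicators(attempt):
    """Return the runbook indicators that one 404 registration attempt matches."""
    hits = []
    user = attempt["user"]
    if user.isdigit() and 3 <= len(user) <= 5:      # we provision full-length IDs only
        hits.append("short-user-id")
    if "R-Instance" in attempt["contact"]:           # normal Contact is sip:[User ID]@[IP]
        hits.append("r-instance-contact")
    ua = attempt["user_agent"].lower()
    if any(bad.lower() in ua for bad in FRAUD_UAS):
        hits.append("fraud-user-agent")
    if attempt["dst_ip"] not in PLATFORM_IPS:        # registering to an address we do not serve
        hits.append("unknown-destination")
    return hits

def triage(attempts, burst=3):
    """Group attempts by source IP; flag IPs with any indicator or a burst of attempts.
    The burst threshold (assumed) catches bulk guessing even when no other indicator fires."""
    per_ip = defaultdict(lambda: {"count": 0, "indicators": set()})
    for a in attempts:
        entry = per_ip[a["src_ip"]]
        entry["count"] += 1
        entry["indicators"].update(indicators(a))
    return {ip: {"count": e["count"], "indicators": sorted(e["indicators"]),
                 "suspect": bool(e["indicators"]) or e["count"] >= burst}
            for ip, e in per_ip.items()}

# Constructed sample records standing in for rows from the Registrations tab (filtered to Code = 404).
SAMPLE = [
    {"user": "1234", "contact": "sip:1234@203.0.113.5;R-Instance=abc", "user_agent": "friendly-scanner",
     "src_ip": "203.0.113.5", "dst_ip": "64.27.39.162"},
    {"user": "2345", "contact": "sip:2345@203.0.113.5", "user_agent": "friendly-scanner",
     "src_ip": "203.0.113.5", "dst_ip": "64.27.39.162"},
    {"user": "6105551234", "contact": "sip:6105551234@198.51.100.20", "user_agent": "PolycomVVX-VVX_410-UA/5.9.0",
     "src_ip": "198.51.100.20", "dst_ip": "64.27.39.168"},          # legitimate device, e.g. a typo'd ID
    {"user": "100", "contact": "sip:100@192.0.2.77", "user_agent": "Asterisk PBX 13.1",
     "src_ip": "192.0.2.77", "dst_ip": "64.27.39.1"},
]

if __name__ == "__main__":
    for ip, result in triage(SAMPLE).items():
        print(ip, result)
```

The source IPs flagged as suspect are the ones to take to the ARIN/RIPE lookup and the Nagios/Edgeview check described above.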