ROBO Calls!!!!!!!!

Robo Calls for Hell

We recently encountered a very problematic issue of malicious SIP SPAM attacks on our phone system. 

Explanation of the issue


So, our receptionist started to receive what appeared to be calls from internal extensions. However, these extensions were bizarre and did not match our internal scheme. They were a variety of different extensions that varied in length, but some examples were 2001, 9999, 2222, 1111, etc… These calls most of the time would come in every 5 minutes or so. The worst day was a call every 30 seconds. And when you answered the phone it would be dead air!!!! This had been going on for at least 7 months to a year before my arrival, and the only solution up until that point was rebooting the Comcast modem. L-O-L… Needless to say, this was unacceptable and very frustrating for our users. My first step was to understand how the call routing worked. This is where things got interesting. Through talking with others in my IT department, I discovered there was just a Comcast modem the phone system was connected to, and in addition to that, the phone system had a public IP directly assigned to it… (of all the nonsense possible). So attackers were scanning for public IPs that would respond on certain ports, and lucky enough they found our dinky Comcast modem/phone system and off they went.


More Solutions More Problems


My first step was to break out Wireshark and see what was going on exactly. So I mirrored the ports of the reception phones first. Then I mirrored ports to the phone system. This is where I went further down the rabbit hole. When examining the Wireshark captures, I was able to see the IPs these extensions were coming from. So I took this info to ARIN, found the owners of the public IPs and put in abuse complaints, which seemed to at least kind of work. Also, I had the thought of using ACLs on the switch side. This was helpful for a little while. The attackers found a way around the ACL since they only block inbound traffic. I am still trying to unpack how they were able to subvert it. Generally speaking, they were spoofing IP addresses in the SIP header with a valid packet and the phone system responded to that, I believe. Not 100% on that, but that was not my mission. This is where that 30 second call day happened. At that point I felt bested by these hackers… I knew all along the best solution was a firewall, but finding one available was a bit of a task. Finally, I was able to use a spare we had available. This worked like a freaking charm. We have been at peace ever since.
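The three things the captures above revealed (unknown extensions, source IPs that were not ours, and SIP headers that did not agree with the packet's actual source) can be turned into a simple triage check over SIP INVITEs pulled from a Wireshark export. The script below is an added example, not code from the original post. It assumes a hypothetical dial plan of three-digit extensions starting with 1, a hypothetical phone VLAN of 192.168.10.0/24, and a placeholder trunk provider range of 203.0.113.0/24 (an RFC 5737 documentation prefix); the INVITE messages are constructed samples, not the author's captures.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumptions (not from the original post): internal extensions are 1xx,
# phones live on 192.168.10.0/24, and the only legitimate external SIP peer
# is the trunk provider, stood in for here by a documentation prefix.
INTERNAL_EXT = re.compile(r"^1\d{2}$")
PHONE_VLAN = ipaddress.ip_network("192.168.10.0/24")
TRUNK_PROVIDER = ipaddress.ip_network("203.0.113.0/24")  # placeholder, not a real trunk


@dataclass
class SipInvite:
    src_ip: str  # IP-layer source address as seen in the capture
    raw: str     # the SIP request text, CRLF-delimited


def header(raw: str, name: str) -> str:
    """Return the value of the first header called `name` (case-insensitive)."""
    m = re.search(rf"^{name}:\s*(.+)$", raw, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else ""


def from_user(raw: str) -> str:
    """User part of the From URI, e.g. '2001' from <sip:2001@host>."""
    m = re.search(r"sip:([^@>;]+)@", header(raw, "From"))
    return m.group(1) if m else ""


def via_host(raw: str) -> str:
    """Host the top Via header claims the request came from (IPv4/hostname only)."""
    m = re.match(r"SIP/2\.0/\w+\s+([^;:\s]+)", header(raw, "Via"))
    return m.group(1) if m else ""


def is_trusted_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr in PHONE_VLAN or addr in TRUNK_PROVIDER


def classify(inv: SipInvite) -> list:
    """Return the list of reasons an INVITE looks like SIP spam; empty means clean."""
    reasons = []
    user = from_user(inv.raw)
    if not is_trusted_source(inv.src_ip):
        reasons.append(f"source {inv.src_ip} is neither the phone VLAN nor the trunk")
    # A short all-digit caller that is not in our dial plan is pretending to be internal.
    if user.isdigit() and len(user) <= 4 and not INTERNAL_EXT.match(user):
        reasons.append(f"caller {user} looks like an extension but is not in the dial plan")
    # The Via header should name the host that actually sent the packet.
    via = via_host(inv.raw)
    if via and via != inv.src_ip:
        reasons.append(f"Via claims {via} but packet came from {inv.src_ip}")
    return reasons


def build_invite(src_ip: str, from_uri: str, via_host_: str) -> SipInvite:
    """Construct a minimal INVITE for testing (sample data, not a real capture)."""
    lines = [
        f"INVITE sip:100@192.168.10.2 SIP/2.0",
        f"Via: SIP/2.0/UDP {via_host_}:5060;branch=z9hG4bK776asdhds",
        f"From: {from_uri};tag=1928301774",
        "To: <sip:100@192.168.10.2>",
        "Call-ID: a84b4c76e66710@example.invalid",
        "CSeq: 314159 INVITE",
        "Content-Length: 0",
    ]
    return SipInvite(src_ip=src_ip, raw="\r\n".join(lines) + "\r\n\r\n")


# Constructed samples: a desk phone, a trunk call, and a spam INVITE of the kind described.
SAMPLES = {
    "desk_phone": build_invite("192.168.10.21", "<sip:105@192.168.10.21>", "192.168.10.21"),
    "trunk_call": build_invite("203.0.113.5", "<sip:+15551234567@203.0.113.5>", "203.0.113.5"),
    "sip_spam": build_invite("198.51.100.77", '"2001" <sip:2001@192.0.2.10>', "10.0.0.1"),
}

if __name__ == "__main__":
    for name, inv in SAMPLES.items():
        verdict = classify(inv)
        print(f"{name}: {'clean' if not verdict else '; '.join(verdict)}")
```

The third reason in `classify` is the one that matters most for the ACL story: a switch ACL keyed on the address in the SIP headers can be sidestepped, so matching the header against the IP-layer source of the packet catches what the ACL alone did not. The real fix, as the post says, is not exposing the PBX on a public IP at all; this check is for spotting the problem in captures, not a substitute for the firewall.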


Happy Networking!

Nick H
