Guest ddenara
Posted 10/06/2012 11:46 AM

My VG with Callcentric has been working for nearly a year. They had a security problem and posted the message below. In my config file, I changed the RegServer from callcentric.com to srv.callcentric.com and my phone registered. Unfortunately, I cannot make outbound calls and the quality of the incoming calls isn't working properly. I have attached a Wireshark trace of the registration and one call attempt. I also attached the ktTel and vgEngine log files. It appears that periodically there is a proxy 407 request.

In my outbound dialing I use an xml file, and I set the following callerid option:

<CallOptions><CallerID>17772509325@callcentric.com</CallerID></CallOptions>

Here is my config file:

<VoIP_Registrations>
  <VoIP_Registration>
    <Display>CallCentric (www.callcentric.com)</Display>
    <Protocol>SIP</Protocol>
    <RegServer>srv.callcentric.com</RegServer>
    <RegClient>17772509325@callcentric.com</RegClient>
    <LocalAlias>17772509325@192.168.1.133</LocalAlias>
    <Expires>600</Expires>
  </VoIP_Registration>
</VoIP_Registrations>

<VoIP_Authentications>
  <VoIP_Authentication>
    <Display>CallCentric</Display>
    <Realm>callcentric.com</Realm>
    <Domain>callcentric.com</Domain>
    <Identity></Identity>
    <AuthUsername>17772509325</AuthUsername>
    <AuthPassword>removedbyme</AuthPassword>
  </VoIP_Authentication>
</VoIP_Authentications>

Investigation into current problems:

Hello,

For the past two days we have been experiencing a sophisticated type of attack. As soon as we noticed the first attempt we commenced an immediate physical upgrade to all of our servers, increasing capacity and CPU power by a factor of four in addition to other precautions. Unfortunately, even though this is similar to a "typical" DDoS attack, it is targeted specifically at the SIP protocol and causes server load to increase to 100% within 1 minute of initiation. As such, standard and extraordinary prevention measures were unable to prevent it.

We do not know the specific methodology of the attack but are aware that it is *similar* in effect to a DNS TRASH flood attack. We are performing forensic analysis on the data we have and are capturing traffic to find an exact reason and solution. We would like to clarify that there was no intrusion into our network and all of our servers, switches and internet connections have been functioning *normally* throughout the entirety of this concern. None of our equipment or interlinks were disconnected or went down. Additionally, please note that all of your information is encrypted, safe and secure; and that NO customer data was stolen NOR destroyed.

We have been working as aggressively as possible throughout the day/night and we have found a short term work-around which will provide immediate relief and allow calls to function normally. This will require updating your configuration slightly. Please re-configure your software/hardware with the following information:

*UPDATED* Your registrar and Domain should remain as is: callcentric.com

Outbound proxy:
  sip.callcentric.com - For clients *ONLY* able to use A records
  srv.callcentric.com - For clients able to use DNS SRV
  bypass.callcentric.com - For clients able to use DNS SRV

*UPDATED* Asterisk users need the following:
  host = sip.callcentric.com OR srv.callcentric.com
  outboundproxy = sip.callcentric.com OR srv.callcentric
  register => 1777MYCCID:SUPERSECRET@sip.callcentric.com OR 1777MYCCID:SUPERSECRET@srv.callcentric.com

*UPDATED* 3CX users need the following:
  Outbound proxy hostname or IP: sip.callcentric.com
  Outbound proxy port (default is 5060): 5060

*UPDATED* PAP2/Linksys/Cisco users should be logged into their device in admin/advanced mode and use the following settings:
  Proxy - Enter callcentric.com in this field
  Outbound Proxy - Enter srv.callcentric.com in this field
  Use Outbound Proxy - yes
  Use DNS SRV - yes
  DNS SRV Auto Prefix - yes

*UPDATED* ***OBITALK Users need to enter OBI EXPERT CONFIGURATION FOR THESE SETTINGS***
Obihai users please make sure the following is configured:
  Service Providers > ITSP Profile > SIP
  ProxyServer: callcentric.com
  RegistrarServer: srv.callcentric.com
  UserAgentDomain: callcentric.com
  OutboundProxy: srv.callcentric.com
  X_ProxyServerRedundancy: Checked

Please update this information as soon as possible to restore your calling ability and make sure to *REBOOT* or *RESTART* your device or software.

We have experienced attempted *unsuccessful* attacks in the past and have made changes in real-time to stop them as well as to prevent future similar attacks. Many of our security documentation guidelines and features have been geared towards these changes. Unfortunately, this is an entirely new type of attack, the mechanics of which are still coming to light.

We sincerely apologize for the inconvenience this has caused. We are committed to further protecting our network and for this reason we will continue working with our engineers to implement a proper solution to provide a comprehensive resolution. If you have any questions/concerns regarding this message or if you need assistance in updating your configuration, our Support Staff are available to answer your questions in as timely a manner as possible. Upon achieving a resolution, we will be providing as detailed an explanation as possible regarding this issue as well as the resolution.

Again, we sincerely apologize for any inconvenience that you have experienced as a result of this matter and we appreciate your understanding during this process.

Callcentric

Attachments: Callcentric Winshark Trace.zip, 1006_ktTel.zip, 1006_0737_vgEngine.zip
SupportTeam
Posted 10/06/2012 11:28 PM

WireShark traces show that when placing outbound calls, the number dialed was: 17772509325@callcentric.com

Have you tried using 17772509325@srv.callcentric.com or 17772509325@sip.callcentric.com as per the message from CallCentric? Ultimately this is really a question for your SIP provider (CallCentric). They should advise you what the domain is through which the call should be placed.

WireShark traces also show that when VoiceGuide issues the REGISTER requests, the responses from your SIP provider (CallCentric) take a longer time than expected to arrive, but they do eventually arrive. Guess that must be caused by this DDoS-style attack that their message refers to.

Internet based SIP providers are susceptible to internet launched attacks like these (like internet accessible websites/services etc). Traditional telephone lines and T1/E1 trunks do not have these issues.
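The two things the support reply pulls out of the Wireshark trace (slow REGISTER responses and the domain the INVITE was sent to) plus the poster's periodic 407 can be checked mechanically. The script below is an added example, not code from the thread, VoiceGuide or Callcentric: it pairs SIP requests with their responses by Call-ID and CSeq over a constructed trace (timestamps, directions and the callee number are made up) and assumes the expected outbound proxy host is srv.callcentric.com, as the notice recommends for DNS SRV clients.

```python
import re

# Request line: METHOD sip:[user@]host SIP/2.0 ; status line: SIP/2.0 CODE reason
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) sip:(?:[^@\s]+@)?(?P<host>[^;\s>]+) SIP/2\.0$")
STATUS_RE = re.compile(r"^SIP/2\.0 (?P<code>\d{3}) ")

# Constructed sample trace (seconds, direction, first line, headers). The
# numbers are invented for illustration; they are not from the real capture.
SAMPLE_TRACE = [
    (0.000, "out", "REGISTER sip:srv.callcentric.com SIP/2.0", {"Call-ID": "reg-1", "CSeq": "1 REGISTER"}),
    (2.750, "in",  "SIP/2.0 401 Unauthorized",                {"Call-ID": "reg-1", "CSeq": "1 REGISTER"}),
    (2.760, "out", "REGISTER sip:srv.callcentric.com SIP/2.0", {"Call-ID": "reg-1", "CSeq": "2 REGISTER"}),
    (5.900, "in",  "SIP/2.0 200 OK",                          {"Call-ID": "reg-1", "CSeq": "2 REGISTER"}),
    (9.000, "out", "INVITE sip:15551230000@callcentric.com SIP/2.0", {"Call-ID": "call-1", "CSeq": "1 INVITE"}),
    (9.400, "in",  "SIP/2.0 407 Proxy Authentication Required", {"Call-ID": "call-1", "CSeq": "1 INVITE"}),
]

def pair_transactions(trace):
    """Match each outgoing request to its first response via (Call-ID, CSeq).
    Returns dicts with method, Request-URI host, status code and latency (s)."""
    pending, results = {}, []
    for ts, direction, line, hdrs in trace:
        key = (hdrs["Call-ID"], hdrs["CSeq"])
        req = REQUEST_RE.match(line)
        if req and direction == "out":
            pending[key] = (ts, req.group("method"), req.group("host"))
            continue
        status = STATUS_RE.match(line)
        if status and key in pending:
            t0, method, host = pending.pop(key)
            results.append({"method": method, "host": host,
                            "code": int(status.group("code")),
                            "latency": round(ts - t0, 3)})
    return results

def slow_registrations(results, threshold=1.0):
    """REGISTER transactions whose response took longer than threshold seconds."""
    return [r for r in results if r["method"] == "REGISTER" and r["latency"] > threshold]

def auth_challenges(results):
    """401/407 challenges. One on the first request is normal digest auth; a
    challenge repeated on the authenticated retry points at credentials/realm."""
    return [(r["method"], r["code"]) for r in results if r["code"] in (401, 407)]

def invites_off_proxy(results, expected_host):
    """INVITE Request-URI hosts that do not match the configured outbound proxy."""
    return [r["host"] for r in results if r["method"] == "INVITE" and r["host"] != expected_host]

if __name__ == "__main__":
    txns = pair_transactions(SAMPLE_TRACE)
    print("slow REGISTERs:", slow_registrations(txns))
    print("challenges:", auth_challenges(txns))
    print("INVITEs not via srv.callcentric.com:", invites_off_proxy(txns, "srv.callcentric.com"))
```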