
VoIP Fraud Analysis


Simon Woodhead, founder & CEO of Simwood, presenting the company's research and solutions to VoIP Fraud. Simwood is a UK-based wholesale telecommunications provider. See https://www.simwood.com for more information. To get your copy of the full Simwood VoIP Fraud Analysis whitepaper, go to http://blog.simwood.com/2014/02/voip-fraud-analysis/


  1. 1. Simon Woodhead Managing Director
 simon.woodhead@simwood.com Simwood eSMS Limited https://www.simwood.com/ @simwoodesms Tel: 029 2120 2120 VoIP Fraud Analysis
  2. 2. www.simwood.com INTRODUCTION Wholesale Voice (and fax!) UK Numbering Termination UK PSTN Virtual Interconnect
  3. 3. www.simwood.com INTRODUCTION
  4. 4. www.simwood.com INTRODUCTION https://www.simwood.com http://blog.simwood.com
  5. 5. www.simwood.com TOLL FRAUD & DIAL THROUGH FRAUD $46bn (but essentially unlimited)
  6. 6. www.simwood.com TOLL FRAUD & DIAL THROUGH FRAUD Operator Carrier Wholesaler Reseller Retailer Cost Profit
  7. 7. www.simwood.com TOLL FRAUD & DIAL THROUGH FRAUD Loss Carrier Wholesaler Reseller Retailer Operator Cost Profit
  8. 8. www.simwood.com TOLL FRAUD & DIAL THROUGH FRAUD PRS Outpayment Carrier Wholesaler Reseller Retailer Operator Cost Profit Outpayment
  9. 9. www.simwood.com TOLL FRAUD & DIAL THROUGH FRAUD PRS Outpayment Loss Carrier Wholesaler Reseller Retailer Profit to Fraudster Operator Cost Profit Outpayment
  10. 10. www.simwood.com COMMERCIAL PRESSURE VOICE IS BECOMING A FEATURE, RATHER THAN A SERVICE. THE WISE MINIMISE RISK, RATHER THAN MAXIMISE THEORETICAL MARGIN. Billed Minute Revenue Fraud Costs
  11. 11. www.simwood.com SIMWOOD HONEYPOT 60 minutes in the Simwood Darknet on a Sunday afternoon
  12. 12. www.simwood.com SIMWOOD HONEYPOT http://mirror.simwood.com/honeypot
  13. 13. www.simwood.com KEY INTRUSION METHODS SIP Scan, Stage 1: Reconnaissance
  14. 14. www.simwood.com KEY INTRUSION METHODS
 SIP SCAN
     OPTIONS sip:100@XXX.XXX.XXX.XXX SIP/2.0
     Via: SIP/2.0/UDP XXX.XXX.XXX.XXX:5151;branch=z9hG4bK-4181329969;rport
     Content-Length: 0
     From: "sipvicious"<sip:100@1.1.1.1>; tag=6332303064323361313363340132…
     Accept: application/sdp
     User-Agent: friendly-scanner
     To: "sipvicious"<sip:100@1.1.1.1>
     Contact: sip:100@XXX.XXX.XXX.XXX:5151
     CSeq: 1 OPTIONS
  15. 15. www.simwood.com KEY INTRUSION METHODS
 SIP SCAN Growth in reconnaissance traffic (events by year, 2011 to 2013; chart)
  16. 16. www.simwood.com KEY INTRUSION METHODS
 SIP SCAN Sources of reconnaissance traffic (12 months): Other 165, UK 56, USA 529, Germany 644
  17. 17. www.simwood.com KEY INTRUSION METHODS
 SIP SCAN SIP Scan, Stage 2: Scan
  18. 18. www.simwood.com KEY INTRUSION METHODS
 SIP SCAN
     REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0
     To: <sip:1002@XXX.XXX.XXX.XXX>
     From: <sip:1002@XXX.XXX.XXX.XXX>;tag=ba255b19
     Via: SIP/2.0/UDP XXX.XXX.XXX.XXX:11184;branch=z9hG4bK-d87543-1477;rport
     Call-ID: 8f60483ce717142b
     CSeq: 1 REGISTER
     Contact: <sip:1002@XXX.XXX.XXX.XXX:11184>
     Expires: 3600
     Max-Forwards: 70
     Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, NOTIFY, MESSAGE, SUBSCRIBE…
     User-Agent: eyeBeam release 3006o stamp 17551
     Content-Length: 0
  19. 19. www.simwood.com KEY INTRUSION METHODS
 SIP SCAN Growth in scan traffic (events by year): 2011: 7,206,750; 2012: 21,855,874; 2013: 66,991,700
  20. 20. www.simwood.com KEY INTRUSION METHODS
 SIP SCAN Sources of scan traffic (12 months): Republic of Korea 569,708; Thailand 2,135,810; Anonymous Proxy 2,453,447; UK 2,944,596; USA 6,194,621; Germany 47,803,899
  21. 21. www.simwood.com KEY INTRUSION METHODS Targeted Exploit
  22. 22. www.simwood.com KEY INTRUSION METHODS Auto-provisioning
  23. 23. www.simwood.com TRAFFIC
     INVITE sip:000XXXXXXXXXXXX@XXX.XXX.XXX.XXX SIP/2.0
     To: 000XXXXXXXXXXXX<sip:000XXXXXXXXXXXX@XXX.XXX.XXX.XXX>
     From: 1000<sip:1000@XXX.XXX.XXX.XXX>;tag=1ba25ae7
     Via: SIP/2.0/UDP XXX.XXX.XXX.XXX:5070;branch=z9hG4bK-50489a18;rport
     Call-ID: 50489a186c9c2ff6adacfcc8edb55af1
     CSeq: 1 INVITE
     Contact: <sip:1000@XXX.XXX.XXX.XXX:5070>
     Max-Forwards: 70
     Allow: INVITE, ACK, CANCEL, BYE.
     User-Agent: sipcli/v1.8
     Content-Type: application/sdp
     Content-Length: 281

     v=0
     o=sipcli-Session 12278792 2114349621 IN IP4 XXX.XXX.XXX.XXX
     s=sipcli
     c=IN IP4 XXX.XXX.XXX.XXX
     t=0 0
     m=audio 5072 RTP/AVP 0 101
     a=fmtp:101 0-15
     a=rtpmap:0 PCMU/8000
     a=rtpmap:101 telephone-event/8000
     a=sendrecv.
  24. 24. www.simwood.com TRAFFIC Growth in call traffic (events by year): 2011: 3,035; 2012: 17,241; 2013: 63,353
  25. 25. www.simwood.com TRAFFIC Sources of call traffic (12 months): Germany 2,146; Netherlands 2,739; France 2,864; UK 3,193; Europe 4,213; USA 12,322; Palestine 28,795
  26. 26. www.simwood.com TRAFFIC Test Traffic
  27. 27. www.simwood.com TRAFFIC Location of test numbers (12 months): Rest of World 2,140; Palestine 1,341; USA 2,461; UK 7,588; Israel 36,971
  28. 28. www.simwood.com TRAFFIC 25% of test traffic from 2 numbers
 50% from the top 10
  29. 29. www.simwood.com TRAFFIC Mostly ordinary ‘landline’ numbers
  30. 30. www.simwood.com TRAFFIC Absent from commercial feeds
  31. 31. www.simwood.com TRAFFIC Reminder: This is Test Traffic
  32. 32. www.simwood.com TRAFFIC The visible attack hasn’t yet started
  33. 33. www.simwood.com TRAFFIC Live DTF Traffic
  34. 34. www.simwood.com SOLUTIONS No-Cost Solutions
  35. 35. www.simwood.com SOLUTIONS Bill frequently, monitor continuously
  36. 36. www.simwood.com SOLUTIONS Buy with prepayment (Where they can kill calls in progress when credit exhausted!)
  37. 37. www.simwood.com SOLUTIONS Use a carrier with real-time billing & CDRs
  38. 38. www.simwood.com SOLUTIONS Use honeypot data http://mirror.simwood.com/honeypot
  39. 39. www.simwood.com SOLUTIONS 99.79% of 64m intrusions use the user agent “friendly-scanner”
  40. 40. www.simwood.com SOLUTIONS Use TLS (Or at least TCP)
  41. 41. www.simwood.com SOLUTIONS Avoid auto-provisioning (Or at least filter by user agent, rate limit and log!)
  42. 42. www.simwood.com SOLUTIONS Monitor & control off-net
  43. 43. www.simwood.com SOLUTIONS
 MONITOR & CONTROL OFF-NET Example 1: Value of calls in progress
  44. 44. www.simwood.com SOLUTIONS
 MONITOR & CONTROL OFF-NET
  45. 45. www.simwood.com SOLUTIONS
 MONITOR & CONTROL OFF-NET Max cost per call
  46. 46. www.simwood.com SOLUTIONS
 MONITOR & CONTROL OFF-NET Custom ACL
  47. 47. www.simwood.com SOLUTIONS
 MONITOR & CONTROL OFF-NET Channel limits Overall, international, per destination number & known-hotspots
  48. 48. www.simwood.com SOLUTIONS
 MONITOR & CONTROL OFF-NET Rate limits Overall, international, per destination number & known-hotspots
  49. 49. www.simwood.com SOLUTIONS
 MONITOR & CONTROL OFF-NET Automated alerts
  50. 50. www.simwood.com SOLUTIONS
 MONITOR & CONTROL OFF-NET API control
  51. 51. www.simwood.com SOLUTIONS
 MONITOR & CONTROL OFF-NET All above features are available through the Simwood API today
  52. 52. www.simwood.com DOES IT SCALE? 300,000 operations per second can’t be wrong!
  53. 53. www.simwood.com FINAL THOUGHTS Fraud is the number 1 risk to VoIP businesses.
  54. 54. www.simwood.com FINAL THOUGHTS Manage risk not margin. Voice is becoming a feature not a service.
  55. 55. www.simwood.com FINAL THOUGHTS Let a competent carrier take the strain.
  56. 56. www.simwood.com KEEP IN TOUCH http://blog.simwood.com @simwoodesms
 Hardcopy in foyer
 https://simwood.com/kamailio
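
The user-agent filtering, rate limiting and logging recommended on slides 39 and 41, sketched as an added Python example (not Simwood's code). It generalises the rate limit from auto-provisioning to the REGISTER scan of slide 18; the window, the REGISTER budget, the verdict names and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

BLOCKED_UA = re.compile(r"friendly-scanner", re.IGNORECASE)  # UA named on slide 39
WINDOW_S = 60       # assumed sliding window, in seconds
MAX_REGISTERS = 5   # assumed REGISTER budget per source per window

def parse_sip(raw):
    """Return (method, headers) of a SIP request; header names lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]  # drop any SDP body
    lines = head.split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers

class SipScreen:
    """Per-source screening: user-agent filter, REGISTER rate limit, log."""

    def __init__(self):
        self.registers = defaultdict(deque)  # source IP -> REGISTER timestamps
        self.log = []                        # (time, source, verdict, user agent)

    def check(self, src, raw, now):
        method, headers = parse_sip(raw)
        ua = headers.get("user-agent", "")
        verdict = "allow"
        if BLOCKED_UA.search(ua):
            verdict = "drop-user-agent"
        elif method == "REGISTER":
            seen = self.registers[src]
            while seen and now - seen[0] >= WINDOW_S:
                seen.popleft()               # forget attempts outside the window
            seen.append(now)
            if len(seen) > MAX_REGISTERS:
                verdict = "rate-limited"
        if verdict != "allow":
            self.log.append((now, src, verdict, ua))
        return verdict

# Constructed samples modelled on slides 14 and 18 (documentation addresses).
OPTIONS_PROBE = ("OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n"
                 "User-Agent: friendly-scanner\r\nCSeq: 1 OPTIONS\r\n\r\n")
REGISTER_TEMPLATE = ("REGISTER sip:192.0.2.10 SIP/2.0\r\n"
                     "To: <sip:{ext}@192.0.2.10>\r\nCSeq: 1 REGISTER\r\n"
                     "User-Agent: eyeBeam release 3006o stamp 17551\r\n\r\n")
```

The REGISTER on slide 18 presents itself as eyeBeam, so a user-agent filter alone does not catch it; that is the case the per-source rate limit covers.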
