My IP04 hacked and SIP ALG

Well this is a bit embarrassing. I make and sell embedded Asterisk boxes. My IP04 has been hacked! Someone made a bunch of calls to Guyana, among other places:

Call Summary

Destination Calls Amount
Algeria – Mobile Orascom 1 $0.39
Algeria – Mobile Wataniya 1 $0.59
Australia – 13/1300 2 $0.52
Australia – Adelaide 14 $1.82
Australia – Mobile 2 $3.18
Cape Verde – Mobile 1 $0.34
Cayman Is – Mobile C&W 1 $0.21
Dominica 1 $0.27
East Timor 1 $0.50
Guyana – Mobile 47 $16.91
Ireland – VOIP 1 $0.11

I hadn’t taken any special security precautions with this IP04 as it’s behind a NAT broadband router. It’s used for development and testing on my LAN and mesh networks so I don’t want it too restricted. However it’s also used for VOIP calls to the outside world, so has a SIP connection to Jazmin Communications, my ITSP.

Mike at Jazmin caught the attack early and disabled my account. I was interstate at the time and couldn’t reach the box remotely. So I asked my daughter to power down my entire home network, just in case my whole LAN was compromised. A few days later I returned home and started looking into the problem.

I poked around the GUI of my (nearly new) NetComm NB6Plus4W router. This was supplied by Internode, one of the most reputable ISPs here in Australia. One possibility was the “SIP ALG” option under the “Advanced” options:

A bit of Googling on SIP ALG didn’t seem to suggest it was a huge security issue. However several people suggested poor implementations of SIP ALG can break SIP. It was on by default when I set up the router, so I hadn’t touched it. And I really needed to find and if possible reproduce the attack before re-enabling my account to minimise the possibility of more abuse. I was running out of ideas so I phoned Mike. He suggested using sipvicious to investigate the problem. I installed sipvicious on a Linux box on my LAN to get a feel for it, and tried a few commands from the getting started notes.

Then I ran sipvicious on a remote Linux box. It managed to detect my IP04, even though it was behind the firewall (note 121.45.13.78 is a fictional IP):
ubuntu@ip:~/david/sipvicious$ ./svmap.py 121.45.13.78
| 121.45.13.78:5060 | Asterisk PBX | Asterisk |

The svwar and svcrack tools didn’t work for me (they couldn’t find and crack my SIP user accounts) but svmap told me enough: the SIP 5060 port on my Asterisk box was visible to anyone on the Internet!

I tried disabling the router SIP ALG option and straight away svmap showed the security hole was gone:
ubuntu@ip:~/david/sipvicious$ ./svmap.py 121.45.13.78
WARNING:root:found nothing

Re-enabling SIP ALG had no immediate effect, but after I rebooted the router the hole was back.

I also had another (well actually several) security problems. In /etc/asterisk/sip.conf I had “allowguest=no” commented out. This meant that anonymous people could make “guest” SIP calls, with no authentication at all. Great when I am messing around with Mesh Potatoes and want to set something up fast but not so clever when my IP04 is wide open to the Internet.

But I wanted to find the “smoking gun” – could someone really make a call through the open 5060 port? I needed a command line tool to make calls from the remote Linux box. So I used what I know – another Asterisk instance running on the remote Linux box.

I added some dialplan to try to call my IP04 as the guest user:
[default]
exten => 4000,1,Dial(SIP/121.45.13.78/6004)

Then from the Asterisk CLI:

ip*CLI> console dial 4000

and “ring ring” when a phone connected to my IP04! Ouch! Uncommenting “allowguest=no” and a “sip reload” stopped guest calls. However I have to admit – the main protection I am relying on is the firewall, now working properly since disabling SIP ALG.
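The two holes above (a commented-out allowguest=no, and a guest-reachable context that can Dial out) are easy to audit mechanically. The following is an added example, not code from the IP04 project: it reads a sip.conf and extensions.conf, works out the effective allowguest value (chan_sip defaults to yes, so a ;allowguest=no line does nothing) and the context guest calls land in, and lists every Dial() reachable from that context. Both config strings are constructed samples modelled on the post; the ITSP peer name jazmin and the _0011. pattern are assumptions.

```python
"""Audit an Asterisk chan_sip setup for the anonymous-guest-call hole.

Constructed sample configs below; they are not the IP04's real files.
"""
import re

# Constructed sample sip.conf: allowguest=no is commented out, as on the hacked box.
SIP_CONF = """\
[general]
context=default
;allowguest=no
bindport=5060

[6004]
type=friend
secret=example-only
"""

# Same file with the line uncommented, i.e. the fix applied in the post.
SIP_CONF_FIXED = SIP_CONF.replace(";allowguest=no", "allowguest=no")

# Constructed sample dialplan: the guest context can reach an (assumed) ITSP trunk.
EXTENSIONS_CONF = """\
[default]
exten => 4000,1,Dial(SIP/121.45.13.78/6004)
exten => _0011.,1,Dial(SIP/jazmin/${EXTEN})   ; international calls via ITSP

[internal]
exten => 1000,1,Dial(SIP/6004)
"""


def parse_sections(text):
    """Parse Asterisk-style config into {section: [(key, value), ...]}.

    Anything after ';' is a comment and is dropped, which is exactly why a
    commented-out allowguest=no has no effect on the running config.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if "=>" in line:                    # dialplan form: exten => ...
            key, value = line.split("=>", 1)
        elif "=" in line:                   # plain key=value
            key, value = line.split("=", 1)
        else:
            continue
        if current is not None:
            sections[current].append((key.strip(), value.strip()))
    return sections


def guest_calls_allowed(sip_conf):
    """Effective allowguest for [general]; chan_sip's default is yes."""
    general = dict(parse_sections(sip_conf).get("general", []))
    return general.get("allowguest", "yes").lower() != "no"


def guest_context(sip_conf):
    """Context unauthenticated calls land in (chan_sip default: 'default')."""
    general = dict(parse_sections(sip_conf).get("general", []))
    return general.get("context", "default")


def dials_in_context(extensions_conf, context):
    """Return the Dial() targets reachable from one dialplan context."""
    targets = []
    for key, value in parse_sections(extensions_conf).get(context, []):
        if key != "exten":
            continue
        m = re.search(r"Dial\(([^,)]+)", value)
        if m:
            targets.append(m.group(1))
    return targets


def audit(sip_conf, extensions_conf):
    """Findings as strings; an empty list means no guest-call exposure found."""
    findings = []
    ctx = guest_context(sip_conf)
    if guest_calls_allowed(sip_conf):
        findings.append("allowguest is effectively 'yes': anonymous SIP calls are accepted")
        for target in dials_in_context(extensions_conf, ctx):
            findings.append(f"guest context [{ctx}] can Dial {target}")
    return findings


if __name__ == "__main__":
    for label, conf in (("as hacked", SIP_CONF), ("fixed", SIP_CONF_FIXED)):
        print(label + ":", audit(conf, EXTENSIONS_CONF) or ["no guest-call exposure"])
```

Run it against the real files by reading /etc/asterisk/sip.conf and extensions.conf into the two variables. Even once allowguest=no is effective, it is worth keeping the [general] context pointed at a context with no outbound Dial() lines, so a trunk can never be reached by a caller Asterisk did not authenticate.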

10 thoughts on “My IP04 hacked and SIP ALG”

  1. Exterior firewalls, that is packet filters that are not on the device that send the filtered packets, are not a good solution. They often work around the real problems (in this case “allowguest=no”), give a false impression of security (“Our corporate network is protected by a firewall and we run antivirus software, we are secure.”) and make the assumption that a trustworthy internal network with (often much) lower security measures is to be shielded from the outside world. The assumptions may be right in a small office or home network with mutual trust and I’m not saying everyone has a false impression, but using them to really work around real problems should not be considered.

  2. I’ve never seen a box with a SIP ALG option that gives any information about what it actually does. They refer to it as if it’s a well-defined function, like referring to ARP or other fully specified components of the IP world, but it’s far from that.

  3. I just put in an NB6+4W as a temporary replacement for my Linksys modem which died a couple of days ago. I hadn’t noticed this SIP ALG option so your post was a timely warning. Thanks.

    I don’t much like the NB6+4W though, so it’s going back in its box as soon as I can arrange a replacement.

    1. Yes I have had a few problems with this box as well – I seem to have to reboot it every week or so. Could perhaps be just my unit.

  4. I’ve not had to reboot it yet, but then I haven’t used it for more than a few days each time I’ve needed it.

    My problems are with the firmware. The first thing I found was that QoS doesn’t work and because the documentation is way out of date, I called Netcomm’s tech support. That was a complete waste of time, they’re useless.

    Then I discovered an open port on the external interface. Completely undocumented, tech support don’t know what it is, and it can’t be turned off. The only way to fix it is to telnet into the modem and change the iptables rules. While I’m there I get rid of the unnecessary TCPMSS clamping on forwarded packets. These changes need to be made not just after every reboot, but also each time the modem loses sync and reconnects.

  5. Hi David,

    I have a set of scripts to put into cron to monitor IDD calls if you want to incorporate them into your distribution.

    Just email me and I’ll explain it a bit (in words or over the phone).

    Cheers
    Chris

  6. SIP ALG and allowguest (and port forwarding) do contribute to security risk, but they are useful if you want to make and receive calls directly to your IP address, bypassing your ITSP. The barn door in this case is having a dialplan that allows incoming callers to dial back out.

    Check that the management interface on your modem/firewall is blocked from the internet side. Also, some routers have SSH port 22 open on the WAN, but I haven’t been able to find an explanation why, so go figure your own conspiracy theory. I try to work around that problem by forwarding port 22 to a bogus internal address.

    Another risky area could be your ITSP. How immune are your SIP credentials to brute-force attack? If your ITSP has a provisioning service, how secure is it? My previous ITSP had trivial security on their provisioning. At a glance it looked like it “must be” secure, but it was all smoke and mirrors. It took me about ten minutes to work it out and extract my own SIP password, plus the admin password for the provisioned device, and I’m not particularly clever.

  7. I am a part-time system administrator in Russia (and stumbled upon your blog via New Aesthetics tumblr). Managing Asterisk for a small but busy office (~5 lines constantly online at business hours, 30 IP phones) is one of my tasks. I had to allow incoming calls on port 5060 (for smoother operation of the ITSP), and in a month’s time the SIP asterisk server was continuously flooded with registration and call attempts from China. The only solution that returned the server to normal operation was blocking all SIP traffic except from two or three ITSP servers on my main Cisco firewall. Asterisk seems to handle flooding and hacking attempts particularly poorly performance-wise :)

  8. You are lucky they didn’t expose you even more and rack up thousands of dollars in telephone bills. I use fail2ban or just use very locked down iptables rules where I only allow ip addresses of servers I allow.
