The most common form of voip telecoms fraud happens when a SIP trunk or endpoint's registration details are gained by an unauthorised individual. Usually international calls are made to high cost areas and normally when the legitimate sip trunk user is asleep.

Hostcomm SIP trunk best practise for security and fraud prevention

Limiting trunk registrations

By implementing the following setting you can restrict SIP registrations solely to your PBX. This will prevent a breach if your SIP trunk authentication details are accessed by an unknown party and they try to register a SIP phone or PBX to your trunk.

Strong passwords

For SIP telephone registration Hostcomm recommends an alpha-numeric password with at least 9 digits. You can auto generate this type of password here:

http://www.pctools.com/guides/password/

The SIP trunk authentication details that are sent when you sign up include a 9 digit alpha-numeric password by default 

Firewall settings

Your firewall should be set to allow all traffic to and from specific IP addresses, for example:

-          The Hostcomm gateway.

-          The router addresses of your offices and phones.

-          The home address of the administrator.

Prepaid billing accounts

Limiting your liability in the event of a fraudulent breach of security can be achieved with a pre-pay billing account which is the default Hostcomm billing plan for SIP trunks, diallers and hosted telephony. If your PBX is breached the maximum that can be spent is the remaining credit. This will be noticed by you quickly and any changes can be implemented before further fraudulent activity can continue.

Control panel Login encryption 

Hostcomm’s gateway servers (portals, control panels) have SSL encrypted logins. Please ensure that you login via an https: URL for example https://contact-pro5.us  this will ensure that your username and password cannot be viewed as you login.  

Block ICMP (ping responses)

Hostcomm disables ICMP responses on all of its gateways. Some ICMP message types are however necessary for network administration. Unfortunately, hackers have found a way to turn a good network tool into an attack. The most common types of ICMP attacks are:

  • ICMP packet magnification (or ICMP Smurf): An attacker sends forged ICMP echo packets to vulnerable networks' broadcast addresses. All the systems on those networks send ICMP echo replies to the victim, consuming the target system's available bandwidth and creating a denial of service (DoS) to legitimate traffic.
  • Ping of death: An attacker sends an ICMP echo request packet that's larger than the maximum IP packet size. Since the received ICMP echo request packet is larger than the normal IP packet size, it's fragmented. The target can't reassemble the packets, so the OS crashes or reboots.
  • ICMP flood attack: A broadcast storm of pings overwhelms the target system so it can't respond to legitimate traffic.
  • ICMP nuke attack: Nukes send a packet of information that the target OS can't handle, which causes the system to crash.
  • Maximum registration attempts

Maximum registration attempts

Always limit the maximum number of registration attempts by IP address. Once the maximum has been reached the IP address should be banned.

Disable International calling

If you don’t make international calls disable them from your portal. You can do this by adding an outgoing call rule (00.) to block all calls beginning with 00 i.e. international calls. Please see below. 

Disable ssh access using username / password authentication to your PBX

Linux servers typically allow ssh access on port 22. Ideally this type of access should be changed so that it requires a key exchange instead of username / password. Alternatively you can change the port number so something other than 22.