Anti-fraud: Difference between revisions

From VoIPmonitor.org
(Rewrite: cleaner structure, added diagram, consolidated content)
 
(20 intermediate revisions by 3 users not shown)
Line 1: Line 1:
Anti-fraud rules are in main menu Alerts / Anti fraud. We are continuously adding more rules to combat fraud / attacks and as of now you can use following rules. Each fraud alert also implements custom script which can be used to automatically run firewall rule or any action you like besides the standard email alert. Each alert is also archived in Sent alerts.
{{DISPLAYTITLE:Anti-Fraud Detection}}
[[Category:Configuration]]
[[Category:Alerts]]


= List of fraud / watchdog alerts =
= Anti-Fraud Detection =


* Realtime concurrent calls
VoIPmonitor provides GeoIP-based anti-fraud alerts to detect toll fraud, account hijacking, and brute-force attacks.
* SIP REGISTER flood / attack
* SIP PACKETS flood / attack
* change cdr country
* change register country
* country/continent destination
* [[Billing#Watchdog]]


= Some fraud rules have common configuration =
<kroki lang="mermaid">
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 30}}}%%
flowchart LR
    subgraph Detection
        A[CDR/Register Data] --> B{GeoIP Lookup}
        B --> C[Country/IP Analysis]
    end
    subgraph Alert Types
        C --> D[Country Destination]
        C --> E[CDR Country Change]
        C --> F[Register Country Change]
        C --> G[Sequential Pattern]
        C --> H[Failed Register]
    end
    subgraph Response
        D & E & F & G & H --> I[Email Alert]
    end
</kroki>


== Configuration ==


* Enable hyperlinks - in the email alert the title will be html hyperlink which transfer you to rule definition
All anti-fraud alerts are configured in '''GUI → Alerts → Anti Fraud'''.
* IP include/exclude - you can exclude some list of IP addresses or IP networks (ex.: 10.0.0.0/8) or you can use IP groups and select it.
* suppress repeating alerts - to prevent spamming you from repeating alerts you can limit that the rule will sent alert only once per X hours.
* Numbers include/exclude - by default there is no tel. number filter and you can exclude some source number / prefixes. For example you want to have one general rule to be alerted if any IP will have more than 10 concurrent calls expect for some customer with some numbers.  


* external script - path to the script on the server which will be executed.
{{Note|1=Anti-fraud features require GeoIP configuration. See [[#GeoIP Integration|GeoIP Integration]] below.}}
* international prefixes configuration
** international prefixes - to distinguish between local and international calls you have to add here list of prefixes. Default are +, 00
** min international length - if destination number is less then this value it will be not treated as international but local.
** local numbers are in - select the country to which local calls belongs. This will allow to classify calls with international prefix as a local number.


== Alert Types ==


=== Country/Continent Destination ===


= SIP REGISTER flood / attack =
Real-time detection of calls to specific countries or continents. Primary use case: detecting toll fraud where compromised accounts make expensive international calls.


Alert is triggered when sniffer detects >= N number of registration attempts from some IP during set interval.
'''Configuration:'''
* Select target countries/continents to monitor
* Set threshold for number of calls
* Configure notification recipients


= Realtime concurrent calls =  
=== Change CDR Country ===


This anti-fraud rule (and the purpose is not only for fraud) works in realtime and it is not based on CDR. It tracks each source IP and count number of concurrent call. The advantage of tracking concurrent calls in realtime and not based on CDR is obvious and it helps to compete attacks which creates many channels at the same time with long duration. You can set this parameters:
Detects when the IP country of caller or callee changes between calls - indicates potential account compromise or SIP credential theft.


* Concurrent calls limit - You can choose to trigger alert only if international calls is over the limit or only local calls or both calls.
'''Configuration:'''
* Time period rules - you can limit that the alert will work differently during work hours and after hours. Time periods are defined in Main menu -> Groups -> Time periods
* Whitelist trusted countries (Exclude countries field)
* Apply filters by phone numbers or IP addresses


= change cdr country =
=== Change REGISTER Country ===


Alert is triggered when the last CDR changes IP source which is in different country or continent since last call. You can set this parameters:
Detects device registration from unexpected countries - strong indicator of credential theft or account hijacking.


* Exclude country form alert: you can whitelist certain countries which will not trigger the alert.
'''Example:''' User normally registers from Germany but suddenly registers from Russia → alert triggers.


= change register country =  
=== Fraud: Sequential ===


Alert is triggered when the last SIP REGISTRATION for some username changes country or continent since last successful registration.
Detects high-volume sequential calling patterns to destination numbers within a time window.


* Exclude country form alert - you can whitelist certain countries which will not trigger the alert.
{| class="wikitable"
= country/continent destination =
|-
Alert is triggered when someone is calling to specific country or continent. This alert is based on first SIP INVITE and not from CDR thus it works in realtime.
! Parameter !! Description !! Example Values
= SIP PACKETS flood attack =
|-
Alert is triggered when sniffer detects >= N number of packets from some IP during set interval.
| '''interval''' || Time window (seconds) for counting calls || 600 (10 min), 3600 (1 hour)
|-
| '''limit''' || Max calls allowed before alert triggers || 50, 100, 500
|-
| '''number field''' || Target destination number (leave empty for ANY) || Empty or specific number
|}


{{Warning|1='''Critical:''' Leave the number field '''empty''' to monitor ALL destination numbers. The alert fires when ANY single destination exceeds the limit within the interval.}}


'''Configuration Steps:'''
# Navigate to '''GUI → Alerts → Anti Fraud'''
# Create new alert with type '''Fraud: sequential'''
# Set '''interval''' (e.g., 600 for 10 minutes)
# Set '''limit''' (e.g., 100 calls)
# '''Leave number field empty''' to apply to ANY number
# Configure recipient email
# Save


= Examples of custom scripts =
'''Example Configurations:'''
== Getting passed arguments ==
'''Example of a simple script for getting info that is passed with any alert to your custom script'''
#!/bin/bash
echo $@ >> /tmp/passed_info.txt


You can then use php function '''json_decode($argv[4])''' on 4th argument to get data result
{| class="wikitable"
|-
! Scenario !! interval !! limit !! number field
|-
| >100 calls to any number in 10 min || 600 || 100 || Empty
|-
| >500 calls to any number in 1 hour || 3600 || 500 || Empty
|-
| >50 calls in 5 min (high-volume attack) || 300 || 50 || Empty
|-
| Monitor specific premium number || 1800 || 200 || Specify number
|}


== Alert type RTP ==
{{Tip|1='''Fraud: sequential vs concurrent calls:''' Sequential alerts count total calls over a time window. Concurrent alerts detect simultaneous active calls at one moment. Use sequential for detecting volume spikes, concurrent for capacity monitoring.}}
'''Example of a script for storing audio to different dir when RTP alert is triggered'''
<?php
#var_dump($argv);
$directory='/home/alerts/audio';        #where to store audio from alerts that triggered?
$date=trim(`date '+%Y-%m-%d'`);        #It will be stored to subdir date in this format YYYY-MM-DD
$guiDir='/var/www/voipmonitor';        #where is GUI installed
$destdir=$directory.'/'.$date;
`mkdir -p $destdir`;
$alert= json_decode($argv[4]);
foreach ($alert->cdr as $cdr) {
        $params = '{\"task\":\"getVoiceRecording\", \"user\": \"admin\", \"password\": \"admin\", \"params\": {\"cdrId\": "'.$cdr.'"}}';
        $command = "php $guiDir/php/api.php > $destdir/file_id_$cdr.pcap";
        exec( "echo $params | $command", $arr, $val);
}
?>


'''Example of a script for blocking the IP on remote host using ssh, when single IP had more CDRs matching the alert's filter (group by caller IP) then set by limit'''
=== SIP Failed Register ===
<?php
## Settings
$Limit = 19;
$blockCommand = "ssh root@pbx -p2112 ipset add blacklist";
$verbose = 1; #1 set: script will do nothing just print results, 0 set: script will do the command and print nothing to stdout
$alertsData=(json_decode($argv[5]));
#prepare string of CDRsIDs for query command
$cdrIds=$alertsData->cdr;
$out='';
foreach ($cdrIds as $id) $out .= "$id,";
$out = substr($out,0,-1);
$query="select INET_NTOA(sipcallerip),count(*) as incidents from voipmonitor.cdr where id in (".$out.") group by INET_NTOA(sipcallerip) order by incidents desc\G";
$command="mysql -h MYSQLHOST -u MYSQLUSER -pMYSQLPASS -e '$query'";
## END of settings
#call query and get results
exec($command, $arr);
#parse results
$resultip=array();
foreach ($arr as $nth => $line) {
        if (strpos($line,'INET') === FALSE) continue;
        $pos=strpos($line,":");
        $resultip[]=substr($line,$pos+2);
        $resultcnt[]=substr($arr[$nth+1],strpos($arr[$nth+1],":")+2);
}
#print ips and counts if exists and exceeded limit
if (!count($resultip)) exit;
foreach ($resultip as $n => $ip) {
        if ($resultcnt[$n] > $Limit) {
                if ($verbose) echo ("$ip : $resultcnt[$n], results in\n$blockCommand $ip\n\n");
                else exec ($blockCommand." $ip",$ar,$rc);
        }
}
?>


Detects brute-force and credential stuffing attacks by monitoring failed registration attempts.


== Alert type Realtime concurent calls==
{| class="wikitable"
'''Example of a script for blocking IP address when trgiggered by concurrent calls alert'''
|-
! Parameter !! Description
|-
| '''threshold''' || Maximum failed attempts before alert
|-
| '''interval''' || Time window (seconds) for counting attempts
|}


Note: you need in alert's setting use type By 'caller IP' to pass IP of attacker as an argument:
== GeoIP Integration ==


#!/usr/bin/php
Anti-fraud alerts require GeoIP for IP-to-country resolution.
<?php
 
#echo "DECODE PARENT INFO\n";
'''Configuration:''' GUI → Settings → System Configuration → GeoIP
#print_r(json_decode($argv[2]));
 
#echo "DECODE RULES INFO\n";
'''Processing priority (fallback mechanism):'''
$triggedRules = json_decode($argv[4]);
# MaxMind API (commercial, highest accuracy)
#number of tresspass of address
# IPInfoDB API
$IPtriggers=array();
# Local GeoIP database (GeoIPCity.dat or MySQL tables)
# Free portals (backup)
foreach ( $triggedRules as $rule ) {                            //for each triggererd rule
 
        $keyIP = $rule->alert_info->ip;                        //get 'source ip which triggered rule' will used as key.
For detailed GeoIP configuration, see [[Order_of_GeoIP_processing]].
        $when = $rule->at;                                      //get 'when this rule triggered?'
 
#      $type = $rule->alert_info->local_international;        //get type enum 'was "local" or "international" or "local & international" limits exceeded?'
== Best Practices ==
#      if (!isset ( $rule->alert_info->timeperiod_name )) {    //get name of time-period rule which was triggered, if name isn't set its main parent rule.
 
#              $name = "Parent rule";
* '''Toll fraud prevention:''' Configure Country/Continent Destination alerts for premium rate countries
#      } else {
* '''Account protection:''' Enable Change REGISTER Country for all critical accounts
#              $name = $rule->alert_info->timeperiod_name;
* '''Brute-force protection:''' Set SIP Failed Register with low threshold (e.g., 10 attempts in 60 seconds)
#      }
* '''Volume monitoring:''' Use Fraud: sequential with empty number field to catch attacks on any destination
#      print "\n\nName: $name\nat  : $when\nType: $type";
* '''Granular control:''' Combine with [[Groups|IP Groups]] for provider-specific monitoring
        if ( !isset ( $IPtriggers[$keyIP] )) {
 
                $IPtriggers[$keyIP] = 1;
== See Also ==
        } else {
 
                $IPtriggers[$keyIP] += 1;
* [[Alerts]] - General alert configuration and email setup
        }
* [[Order_of_GeoIP_processing]] - GeoIP configuration details
}
* [[Groups]] - IP and telephone number groups for filtering
#echo "\n\nShow how many rules theese Adressess triggered?\n";
* [[Register]] - SIP registration monitoring
#print_r ($IPtriggers);
 
#echo "Block all adresses that trigged any rule.\n";
== AI Summary for RAG ==
foreach ( $IPtriggers as $IPKey => $nmGuilt ) {
 
#      echo "Blocking address: $IPKey\n";
'''Summary:''' VoIPmonitor anti-fraud detection guide using GeoIP-based alerts. Alert types: (1) Country/Continent Destination - real-time detection of calls to specific countries for toll fraud prevention; (2) Change CDR Country - detects IP country changes between calls indicating account compromise; (3) Change REGISTER Country - detects registration from unexpected countries indicating credential theft; (4) Fraud: sequential - detects high-volume calling patterns using interval (time window in seconds) and limit (max calls) parameters, CRITICAL: leave number field empty to monitor ALL destination numbers; (5) SIP Failed Register - detects brute-force attacks via failed registration monitoring. Configuration path: GUI → Alerts → Anti Fraud. Requires GeoIP configuration (Settings → System Configuration → GeoIP) with MaxMind API as highest priority.
        passthru ('iptables -A INPUT -s '.$IPKey.' -j DROP', $ret);
 
        if ( $ret <> 0 ) {
'''Keywords:''' anti-fraud, toll fraud, fraud detection, GeoIP, country alert, Change CDR Country, Change REGISTER Country, Fraud sequential, interval, limit, number field empty, SIP failed register, brute-force, credential stuffing, account hijacking, premium rate numbers, sequential pattern detection, call volume monitoring
                echo ("Problem setting firewall!\n");
 
                exit (1);
'''Key Questions:'''
        }
* How do I configure anti-fraud alerts in VoIPmonitor?
}
* How do I detect toll fraud in VoIPmonitor?
?>
* What is the Fraud: sequential alert and how do I configure it?
* How do I detect high volume calls to any destination number?
* Should I leave the number field empty in Fraud: sequential?
* What is the difference between Fraud: sequential and concurrent calls alerts?
* How do I detect account hijacking in VoIPmonitor?
* How do I configure alerts for international calls?
* What is the Change REGISTER Country alert?
* How do I detect brute-force attacks on SIP registration?
* How does VoIPmonitor use GeoIP for fraud detection?

Latest revision as of 16:47, 8 January 2026


Anti-Fraud Detection

VoIPmonitor provides GeoIP-based anti-fraud alerts to detect toll fraud, account hijacking, and brute-force attacks.

Configuration

All anti-fraud alerts are configured in GUI → Alerts → Anti Fraud.

ℹ️ Note: Anti-fraud features require GeoIP configuration. See GeoIP Integration below.

Alert Types

Country/Continent Destination

Real-time detection of calls to specific countries or continents. Primary use case: detecting toll fraud where compromised accounts make expensive international calls.

Configuration:

  • Select target countries/continents to monitor
  • Set threshold for number of calls
  • Configure notification recipients

Change CDR Country

Detects when the IP country of caller or callee changes between calls - indicates potential account compromise or SIP credential theft.

Configuration:

  • Whitelist trusted countries (Exclude countries field)
  • Apply filters by phone numbers or IP addresses

Change REGISTER Country

Detects device registration from unexpected countries - strong indicator of credential theft or account hijacking.

Example: User normally registers from Germany but suddenly registers from Russia → alert triggers.

Fraud: Sequential

Detects high-volume sequential calling patterns to destination numbers within a time window.

Parameter Description Example Values
interval Time window (seconds) for counting calls 600 (10 min), 3600 (1 hour)
limit Max calls allowed before alert triggers 50, 100, 500
number field Target destination number (leave empty for ANY) Empty or specific number

⚠️ Warning: Critical: Leave the number field empty to monitor ALL destination numbers. The alert fires when ANY single destination exceeds the limit within the interval.

Configuration Steps:

  1. Navigate to GUI → Alerts → Anti Fraud
  2. Create new alert with type Fraud: sequential
  3. Set interval (e.g., 600 for 10 minutes)
  4. Set limit (e.g., 100 calls)
  5. Leave number field empty to apply to ANY number
  6. Configure recipient email
  7. Save

Example Configurations:

Scenario interval limit number field
>100 calls to any number in 10 min 600 100 Empty
>500 calls to any number in 1 hour 3600 500 Empty
>50 calls in 5 min (high-volume attack) 300 50 Empty
Monitor specific premium number 1800 200 Specify number

💡 Tip: Fraud: sequential vs concurrent calls: Sequential alerts count total calls over a time window. Concurrent alerts detect simultaneous active calls at one moment. Use sequential for detecting volume spikes, concurrent for capacity monitoring.

SIP Failed Register

Detects brute-force and credential stuffing attacks by monitoring failed registration attempts.

Parameter Description
threshold Maximum failed attempts before alert
interval Time window (seconds) for counting attempts

GeoIP Integration

Anti-fraud alerts require GeoIP for IP-to-country resolution.

Configuration: GUI → Settings → System Configuration → GeoIP

Processing priority (fallback mechanism):

  1. MaxMind API (commercial, highest accuracy)
  2. IPInfoDB API
  3. Local GeoIP database (GeoIPCity.dat or MySQL tables)
  4. Free portals (backup)

For detailed GeoIP configuration, see Order_of_GeoIP_processing.

Best Practices

  • Toll fraud prevention: Configure Country/Continent Destination alerts for premium rate countries
  • Account protection: Enable Change REGISTER Country for all critical accounts
  • Brute-force protection: Set SIP Failed Register with low threshold (e.g., 10 attempts in 60 seconds)
  • Volume monitoring: Use Fraud: sequential with empty number field to catch attacks on any destination
  • Granular control: Combine with IP Groups for provider-specific monitoring

See Also

AI Summary for RAG

Summary: VoIPmonitor anti-fraud detection guide using GeoIP-based alerts. Alert types: (1) Country/Continent Destination - real-time detection of calls to specific countries for toll fraud prevention; (2) Change CDR Country - detects IP country changes between calls indicating account compromise; (3) Change REGISTER Country - detects registration from unexpected countries indicating credential theft; (4) Fraud: sequential - detects high-volume calling patterns using interval (time window in seconds) and limit (max calls) parameters, CRITICAL: leave number field empty to monitor ALL destination numbers; (5) SIP Failed Register - detects brute-force attacks via failed registration monitoring. Configuration path: GUI → Alerts → Anti Fraud. Requires GeoIP configuration (Settings → System Configuration → GeoIP) with MaxMind API as highest priority.

Keywords: anti-fraud, toll fraud, fraud detection, GeoIP, country alert, Change CDR Country, Change REGISTER Country, Fraud sequential, interval, limit, number field empty, SIP failed register, brute-force, credential stuffing, account hijacking, premium rate numbers, sequential pattern detection, call volume monitoring

Key Questions:

  • How do I configure anti-fraud alerts in VoIPmonitor?
  • How do I detect toll fraud in VoIPmonitor?
  • What is the Fraud: sequential alert and how do I configure it?
  • How do I detect high volume calls to any destination number?
  • Should I leave the number field empty in Fraud: sequential?
  • What is the difference between Fraud: sequential and concurrent calls alerts?
  • How do I detect account hijacking in VoIPmonitor?
  • How do I configure alerts for international calls?
  • What is the Change REGISTER Country alert?
  • How do I detect brute-force attacks on SIP registration?
  • How does VoIPmonitor use GeoIP for fraud detection?
Retrieved from "https://www.voipmonitor.org/doc/index.php?title=Anti-fraud&oldid=10024"