Anti-fraud: Difference between revisions

From VoIPmonitor.org
No edit summary
(Rewrite: cleaner structure, added diagram, consolidated content)
 
(16 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Anti-Fraud Rules ==
{{DISPLAYTITLE:Anti-Fraud Detection}}
[[Category:Configuration]]
[[Category:Alerts]]


Anti-fraud rules are accessed via main menu Alerts > Anti Fraud. Rules combat fraud and attacks, with ongoing additions. Each rule supports custom scripts for actions like firewall rules, besides email alerts. Alerts are archived in Sent Alerts.
= Anti-Fraud Detection =


=== List of Fraud/Watchdog Alerts ===
VoIPmonitor provides GeoIP-based anti-fraud alerts to detect toll fraud, account hijacking, and brute-force attacks.


* Realtime concurrent calls
<kroki lang="mermaid">
* SIP REGISTER flood / attack
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 30}}}%%
* SIP PACKETS flood / attack
flowchart LR
* Change CDR country
    subgraph Detection
* Change REGISTER country
        A[CDR/Register Data] --> B{GeoIP Lookup}
* Country/Continent destination
        B --> C[Country/IP Analysis]
* [[Billing#Watchdog]]
    end
    subgraph Alert Types
        C --> D[Country Destination]
        C --> E[CDR Country Change]
        C --> F[Register Country Change]
        C --> G[Sequential Pattern]
        C --> H[Failed Register]
    end
    subgraph Response
        D & E & F & G & H --> I[Email Alert]
    end
</kroki>


=== Common Configuration ===
== Configuration ==


Shared across some rules:
All anti-fraud alerts are configured in '''GUI → Alerts → Anti Fraud'''.


* Enable hyperlinks: Makes email alert titles clickable links to rule definitions.
{{Note|1=Anti-fraud features require GeoIP configuration. See [[#GeoIP Integration|GeoIP Integration]] below.}}
* IP include/exclude: Exclude IPs or networks (e.g., 10.0.0.0/8) or use IP groups.
* Suppress repeating alerts: Limit alerts to once per X hours to avoid spamming.
* Numbers include/exclude: Filter source numbers/prefixes (e.g., general rule for >10 concurrent calls, excluding specific customers).
* External script: Path to server script for execution.
* International prefixes configuration:
  ** International prefixes: Distinguish local/international calls (default: +, 00).
  ** Min international length: Numbers shorter than this are treated as local.
  ** Local numbers are in: Select country for classifying international-prefixed calls as local.


=== SIP REGISTER Flood/Attack ===
== Alert Types ==


Triggers when >= N registration attempts from an IP occur in set interval.
=== Country/Continent Destination ===


=== Realtime Concurrent Calls ===
Real-time detection of calls to specific countries or continents. Primary use case: detecting toll fraud where compromised accounts make expensive international calls.


Tracks source IPs in realtime (not CDR-based) for concurrent calls, aiding against high-channel attacks. Parameters:
'''Configuration:'''
 
* Select target countries/continents to monitor
* Concurrent calls limit: Trigger on international, local, or both exceeding limits.
* Set threshold for number of calls
* Time period rules: Vary alerts by work/after hours (defined in Groups > Time Periods).
* Configure notification recipients


=== Change CDR Country ===
=== Change CDR Country ===


Triggers on CDR IP source changing country/continent since last call. Parameters:
Detects when the IP country of caller or callee changes between calls - indicates potential account compromise or SIP credential theft.


* Exclude countries from alert: Whitelist countries to skip.
'''Configuration:'''
* Whitelist trusted countries (Exclude countries field)
* Apply filters by phone numbers or IP addresses


=== Change REGISTER Country ===
=== Change REGISTER Country ===


Triggers on SIP REGISTER username changing country/continent since last success. Parameters:
Detects device registration from unexpected countries - strong indicator of credential theft or account hijacking.


* Exclude countries from alert: Whitelist countries to skip.
'''Example:''' User normally registers from Germany but suddenly registers from Russia → alert triggers.


=== Country/Continent Destination ===
=== Fraud: Sequential ===
 
Detects high-volume sequential calling patterns to destination numbers within a time window.
 
{| class="wikitable"
|-
! Parameter !! Description !! Example Values
|-
| '''interval''' || Time window (seconds) for counting calls || 600 (10 min), 3600 (1 hour)
|-
| '''limit''' || Max calls allowed before alert triggers || 50, 100, 500
|-
| '''number field''' || Target destination number (leave empty for ANY) || Empty or specific number
|}


Triggers on calls to specific country/continent, based on first SIP INVITE (realtime).
{{Warning|1='''Critical:''' Leave the number field '''empty''' to monitor ALL destination numbers. The alert fires when ANY single destination exceeds the limit within the interval.}}


=== SIP PACKETS Flood/Attack ===
'''Configuration Steps:'''
# Navigate to '''GUI → Alerts → Anti Fraud'''
# Create new alert with type '''Fraud: sequential'''
# Set '''interval''' (e.g., 600 for 10 minutes)
# Set '''limit''' (e.g., 100 calls)
# '''Leave number field empty''' to apply to ANY number
# Configure recipient email
# Save


Triggers when >= N packets from an IP occur in set interval.
'''Example Configurations:'''


=== Examples of Custom Scripts ===
{| class="wikitable"
|-
! Scenario !! interval !! limit !! number field
|-
| >100 calls to any number in 10 min || 600 || 100 || Empty
|-
| >500 calls to any number in 1 hour || 3600 || 500 || Empty
|-
| >50 calls in 5 min (high-volume attack) || 300 || 50 || Empty
|-
| Monitor specific premium number || 1800 || 200 || Specify number
|}


==== Getting Passed Arguments ====
{{Tip|1='''Fraud: sequential vs concurrent calls:''' Sequential alerts count total calls over a time window. Concurrent alerts detect simultaneous active calls at one moment. Use sequential for detecting volume spikes, concurrent for capacity monitoring.}}


'''Example script to log passed info:'''
=== SIP Failed Register ===


#!/bin/bash
Detects brute-force and credential stuffing attacks by monitoring failed registration attempts.
echo $@ >> /tmp/passed_info.txt


Use PHP '''json_decode($argv[4])''' on 4th argument for data.
{| class="wikitable"
|-
! Parameter !! Description
|-
| '''threshold''' || Maximum failed attempts before alert
|-
| '''interval''' || Time window (seconds) for counting attempts
|}


==== Alert Type RTP ====
== GeoIP Integration ==


'''Example to store audio on RTP alert:'''
Anti-fraud alerts require GeoIP for IP-to-country resolution.


#!/usr/bin/php
'''Configuration:''' GUI → Settings → System Configuration → GeoIP
<?php
#var_dump($argv);
$directory='/home/alerts/audio'; #where to store audio from alerts that triggered?
$date=trim(`date '+%Y-%m-%d'`); #It will be stored to subdir date in this format YYYY-MM-DD
$guiDir='/var/www/voipmonitor'; #where is GUI installed
$destdir=$directory.'/'.$date;
`mkdir -p $destdir`;
$alert= json_decode($argv[4]);
foreach ($alert->cdr as $cdr) {
        $params = '{\"task\":\"getVoiceRecording\", \"user\": \"admin\", \"password\": \"admin\", \"params\": {\"cdrId\": "'.$cdr.'"}}';
        $command = "php $guiDir/php/api.php > $destdir/file_id_$cdr.pcap";
        exec( "echo $params | $command", $arr, $val);
}
?>


'''Example to block IP on remote host if > limit CDRs per caller IP:'''
'''Processing priority (fallback mechanism):'''
# MaxMind API (commercial, highest accuracy)
# IPInfoDB API
# Local GeoIP database (GeoIPCity.dat or MySQL tables)
# Free portals (backup)


#!/usr/bin/php
For detailed GeoIP configuration, see [[Order_of_GeoIP_processing]].
<?php
## Settings
$Limit = 19;
$blockCommand = "ssh root@pbx -p2112 ipset add blacklist";
$verbose = 1; #1 set: script will do nothing just print results, 0 set: script will do the command and print nothing to stdout
$alertsData=(json_decode($argv[4]));
#prepare string of CDRsIDs for query command
$cdrIds=$alertsData->cdr;
$out='';
foreach ($cdrIds as $id) $out .= "$id,";
$out = substr($out,0,-1);
$query="select INET_NTOA(sipcallerip),count(*) as incidents from voipmonitor.cdr where id in (".$out.") group by INET_NTOA(sipcallerip) order by incidents desc\G";
$command="mysql -h MYSQLHOST -u MYSQLUSER -pMYSQLPASS -e '$query'";
## END of settings
#call query and get results
exec($command, $arr);
#parse results
$resultip=array();
foreach ($arr as $nth => $line) {
        if (strpos($line,'INET') === FALSE) continue;
        $pos=strpos($line,":");
        $resultip[]=substr($line,$pos+2);
        $resultcnt[]=substr($arr[$nth+1],strpos($arr[$nth+1],":")+2);
}
#print ips and counts if exists and exceeded limit
if (!count($resultip)) exit;
foreach ($resultip as $n => $ip) {
        if ($resultcnt[$n] > $Limit) {
                if ($verbose) echo ("$ip : $resultcnt[$n], results in\n$blockCommand $ip\n\n");
                else exec ($blockCommand." $ip",$ar,$rc);
        }
}
?>


==== Alert Type Realtime Concurrent Calls ====
== Best Practices ==


'''Example to block IP on concurrent calls alert:'''
* '''Toll fraud prevention:''' Configure Country/Continent Destination alerts for premium rate countries
* '''Account protection:''' Enable Change REGISTER Country for all critical accounts
* '''Brute-force protection:''' Set SIP Failed Register with low threshold (e.g., 10 attempts in 60 seconds)
* '''Volume monitoring:''' Use Fraud: sequential with empty number field to catch attacks on any destination
* '''Granular control:''' Combine with [[Groups|IP Groups]] for provider-specific monitoring


Note: Use "By caller IP" in alert settings to pass attacker IP.
== See Also ==


#!/usr/bin/php
* [[Alerts]] - General alert configuration and email setup
<?php
* [[Order_of_GeoIP_processing]] - GeoIP configuration details
#echo "DECODE PARENT INFO\n";
* [[Groups]] - IP and telephone number groups for filtering
#print_r(json_decode($argv[2]));
* [[Register]] - SIP registration monitoring
#echo "DECODE RULES INFO\n";
$triggedRules = json_decode($argv[4]);
#number of tresspass of address
$IPtriggers=array();
foreach ( $triggedRules as $rule ) { //for each triggererd rule
        $keyIP = $rule->alert_info->ip; //get 'source ip which triggered rule' will used as key.
        $when = $rule->at; //get 'when this rule triggered?'
# $type = $rule->alert_info->local_international; //get type enum 'was "local" or "international" or "local & international" limits exceeded?'
# if (!isset ( $rule->alert_info->timeperiod_name )) { //get name of time-period rule which was triggered, if name isn't set its main parent rule.
# $name = "Parent rule";
# } else {
# $name = $rule->alert_info->timeperiod_name;
# }
# print "\n\nName: $name\nat : $when\nType: $type";
        if ( !isset ( $IPtriggers[$keyIP] )) {
                $IPtriggers[$keyIP] = 1;
        } else {
                $IPtriggers[$keyIP] += 1;
        }
}
#echo "\n\nShow how many rules theese Adressess triggered?\n";
#print_r ($IPtriggers);
#echo "Block all adresses that trigged any rule.\n";
foreach ( $IPtriggers as $IPKey => $nmGuilt ) {
# echo "Blocking address: $IPKey\n";
        passthru ('iptables -A INPUT -s '.$IPKey.' -j DROP', $ret);
        if ( $ret <> 0 ) {
                echo ("Problem setting firewall!\n");
                exit (1);
        }
}
?>


=== AI Summary for RAG ===
== AI Summary for RAG ==


'''Summary:''' This article details VoIPmonitor's anti-fraud rules for detecting attacks like floods, concurrent calls, and country changes. It covers common configs, specific rule parameters, custom scripts for actions, and examples for RTP and concurrent calls alerts.
'''Summary:''' VoIPmonitor anti-fraud detection guide using GeoIP-based alerts. Alert types: (1) Country/Continent Destination - real-time detection of calls to specific countries for toll fraud prevention; (2) Change CDR Country - detects IP country changes between calls indicating account compromise; (3) Change REGISTER Country - detects registration from unexpected countries indicating credential theft; (4) Fraud: sequential - detects high-volume calling patterns using interval (time window in seconds) and limit (max calls) parameters, CRITICAL: leave number field empty to monitor ALL destination numbers; (5) SIP Failed Register - detects brute-force attacks via failed registration monitoring. Configuration path: GUI → Alerts → Anti Fraud. Requires GeoIP configuration (Settings → System Configuration → GeoIP) with MaxMind API as highest priority.


'''Keywords:''' anti-fraud rules, fraud alerts, watchdog, concurrent calls, SIP REGISTER flood, SIP PACKETS flood, country change, custom scripts, international prefixes, time periods
'''Keywords:''' anti-fraud, toll fraud, fraud detection, GeoIP, country alert, Change CDR Country, Change REGISTER Country, Fraud sequential, interval, limit, number field empty, SIP failed register, brute-force, credential stuffing, account hijacking, premium rate numbers, sequential pattern detection, call volume monitoring


'''Key Questions:'''
'''Key Questions:'''
* What anti-fraud rules are available in VoIPmonitor?
* How do I configure anti-fraud alerts in VoIPmonitor?
* How do common configurations like IP exclude or suppress alerts work?
* How do I detect toll fraud in VoIPmonitor?
* What triggers a SIP REGISTER flood alert?
* What is the Fraud: sequential alert and how do I configure it?
* How does realtime concurrent calls tracking function?
* How do I detect high volume calls to any destination number?
* What are examples of custom scripts for alerts?
* Should I leave the number field empty in Fraud: sequential?
* How to configure international call detection?
* What is the difference between Fraud: sequential and concurrent calls alerts?
* How do I detect account hijacking in VoIPmonitor?
* How do I configure alerts for international calls?
* What is the Change REGISTER Country alert?
* How do I detect brute-force attacks on SIP registration?
* How does VoIPmonitor use GeoIP for fraud detection?

Latest revision as of 16:47, 8 January 2026


Anti-Fraud Detection

VoIPmonitor provides GeoIP-based anti-fraud alerts to detect toll fraud, account hijacking, and brute-force attacks.

Configuration

All anti-fraud alerts are configured in GUI → Alerts → Anti Fraud.

ℹ️ Note: Anti-fraud features require GeoIP configuration. See GeoIP Integration below.

Alert Types

Country/Continent Destination

Real-time detection of calls to specific countries or continents. Primary use case: detecting toll fraud where compromised accounts make expensive international calls.

Configuration:

  • Select target countries/continents to monitor
  • Set threshold for number of calls
  • Configure notification recipients

Change CDR Country

Detects when the IP country of caller or callee changes between calls - indicates potential account compromise or SIP credential theft.

Configuration:

  • Whitelist trusted countries (Exclude countries field)
  • Apply filters by phone numbers or IP addresses

Change REGISTER Country

Detects device registration from unexpected countries - strong indicator of credential theft or account hijacking.

Example: User normally registers from Germany but suddenly registers from Russia → alert triggers.

Fraud: Sequential

Detects high-volume sequential calling patterns to destination numbers within a time window.

Parameter Description Example Values
interval Time window (seconds) for counting calls 600 (10 min), 3600 (1 hour)
limit Max calls allowed before alert triggers 50, 100, 500
number field Target destination number (leave empty for ANY) Empty or specific number

⚠️ Warning: Critical: Leave the number field empty to monitor ALL destination numbers. The alert fires when ANY single destination exceeds the limit within the interval.

Configuration Steps:

  1. Navigate to GUI → Alerts → Anti Fraud
  2. Create new alert with type Fraud: sequential
  3. Set interval (e.g., 600 for 10 minutes)
  4. Set limit (e.g., 100 calls)
  5. Leave number field empty to apply to ANY number
  6. Configure recipient email
  7. Save

Example Configurations:

Scenario interval limit number field
>100 calls to any number in 10 min 600 100 Empty
>500 calls to any number in 1 hour 3600 500 Empty
>50 calls in 5 min (high-volume attack) 300 50 Empty
Monitor specific premium number 1800 200 Specify number

💡 Tip: Fraud: sequential vs concurrent calls: Sequential alerts count total calls over a time window. Concurrent alerts detect simultaneous active calls at one moment. Use sequential for detecting volume spikes, concurrent for capacity monitoring.

SIP Failed Register

Detects brute-force and credential stuffing attacks by monitoring failed registration attempts.

Parameter Description
threshold Maximum failed attempts before alert
interval Time window (seconds) for counting attempts

GeoIP Integration

Anti-fraud alerts require GeoIP for IP-to-country resolution.

Configuration: GUI → Settings → System Configuration → GeoIP

Processing priority (fallback mechanism):

  1. MaxMind API (commercial, highest accuracy)
  2. IPInfoDB API
  3. Local GeoIP database (GeoIPCity.dat or MySQL tables)
  4. Free portals (backup)

For detailed GeoIP configuration, see Order_of_GeoIP_processing.

Best Practices

  • Toll fraud prevention: Configure Country/Continent Destination alerts for premium rate countries
  • Account protection: Enable Change REGISTER Country for all critical accounts
  • Brute-force protection: Set SIP Failed Register with low threshold (e.g., 10 attempts in 60 seconds)
  • Volume monitoring: Use Fraud: sequential with empty number field to catch attacks on any destination
  • Granular control: Combine with IP Groups for provider-specific monitoring

See Also

AI Summary for RAG

Summary: VoIPmonitor anti-fraud detection guide using GeoIP-based alerts. Alert types: (1) Country/Continent Destination - real-time detection of calls to specific countries for toll fraud prevention; (2) Change CDR Country - detects IP country changes between calls indicating account compromise; (3) Change REGISTER Country - detects registration from unexpected countries indicating credential theft; (4) Fraud: sequential - detects high-volume calling patterns using interval (time window in seconds) and limit (max calls) parameters, CRITICAL: leave number field empty to monitor ALL destination numbers; (5) SIP Failed Register - detects brute-force attacks via failed registration monitoring. Configuration path: GUI → Alerts → Anti Fraud. Requires GeoIP configuration (Settings → System Configuration → GeoIP) with MaxMind API as highest priority.

Keywords: anti-fraud, toll fraud, fraud detection, GeoIP, country alert, Change CDR Country, Change REGISTER Country, Fraud sequential, interval, limit, number field empty, SIP failed register, brute-force, credential stuffing, account hijacking, premium rate numbers, sequential pattern detection, call volume monitoring

Key Questions:

  • How do I configure anti-fraud alerts in VoIPmonitor?
  • How do I detect toll fraud in VoIPmonitor?
  • What is the Fraud: sequential alert and how do I configure it?
  • How do I detect high volume calls to any destination number?
  • Should I leave the number field empty in Fraud: sequential?
  • What is the difference between Fraud: sequential and concurrent calls alerts?
  • How do I detect account hijacking in VoIPmonitor?
  • How do I configure alerts for international calls?
  • What is the Change REGISTER Country alert?
  • How do I detect brute-force attacks on SIP registration?
  • How does VoIPmonitor use GeoIP for fraud detection?
Retrieved from "https://www.voipmonitor.org/doc/index.php?title=Anti-fraud&oldid=10024"