Anti-fraud: Difference between revisions

From VoIPmonitor.org
(Add alert processing differences and source port limitation documentation for realtime alerts)
(Rewrite: cleaner structure, added diagram, consolidated content)
 
(15 intermediate revisions by the same user not shown)
Previous revision:

== Anti-Fraud Rules ==
[[Category:Configuration]]
[[Category:Alerts]]

Anti-fraud rules are accessed via the main menu Alerts > Anti Fraud. The rules detect fraud and attacks, and new rules are added over time. Besides sending an email, each rule can run a custom script to take an action such as adding a firewall rule. Triggered alerts are archived under Sent Alerts.

=== List of Fraud/Watchdog Alerts ===

* Realtime concurrent calls
* SIP REGISTER flood / attack
* SIP PACKETS flood / attack
* Change CDR country
* Change REGISTER country
* Country/Continent destination
* [[Billing#Watchdog]]

=== Alert Processing Differences ===

VoIPmonitor processes alerts in two different ways, which affects what data is available and when:

* '''Realtime alerts''' (Realtime concurrent calls, SIP REGISTER flood, SIP PACKETS flood): These are processed directly by the sniffer as packets arrive. They trigger immediately based on packet inspection, but no Call Detail Record (CDR) exists yet at the moment they fire.
* '''CDR-based alerts''' (Change CDR country, Change REGISTER country, Country/Continent destination, RTP alerts, SIP Response alerts): These are evaluated by the GUI after the CDRs have been stored in the database.

==== Important Limitation: Source Port Not Available in Realtime Alerts ====

Realtime alerts (concurrent calls, REGISTER flood, PACKETS flood) provide the attacker's IP address in the '''alert_info''' object, but do '''not''' include the SIP source port. The source port can later be read from the '''caller_port''' field of the '''cdr''' table, but this approach has critical limitations:

* '''Not suitable for real-time blocking''': There is a delay between the moment the realtime alert triggers and the moment the CDR (with caller_port) is written to the database. For real-time fraud blocking, querying the database adds latency that defeats the purpose of immediate blocking.
* '''Port may not exist yet''': Some realtime attacks (such as SIP flood attacks) are detected and blocked before a complete call CDR is created, so the source port may never be available in the database for those packets.

If you need to block by IP+source port to avoid affecting legitimate traffic from the same IP, use the CDR-based alerts (RTP alerts, SIP Response alerts): they include the CDR IDs, which allow database queries. Because of the inherent delay, use this only where blocking does not have to be immediate. For true real-time defense you must block by IP address only, and accept that legitimate traffic from that IP may be temporarily affected.
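The decision described above, as an added example; it is not part of the original page and not VoIPmonitor's own code. It assumes the two payload shapes used by the custom scripts further down this page: a realtime alert arrives in the 4th argument as a JSON list of triggered rules, each carrying '''alert_info.ip''' and no port, while a CDR-based alert arrives as a JSON object with a '''cdr''' list of IDs. The '''CDR_TABLE''' dictionary is a constructed stand-in for a lookup of '''sipcallerip''' and '''caller_port''' in the '''cdr''' table, the sample payloads are made up, and the UDP-only '''--sport''' rule is an assumption of this example.

```python
import ipaddress
import json
import sys
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for "SELECT sipcallerip, caller_port FROM cdr WHERE id = ?".
# The rows are made up for this example; a real script would query the database.
CDR_TABLE: Dict[int, Tuple[str, int]] = {
    1001: ("198.51.100.23", 5060),
    1002: ("198.51.100.23", 51234),
    1003: ("203.0.113.7", 5060),
}


def lookup_cdr(cdr_id: int) -> Optional[Tuple[str, int]]:
    return CDR_TABLE.get(cdr_id)


def block_rules(payload: str,
                lookup: Callable[[int], Optional[Tuple[str, int]]] = lookup_cdr) -> List[Dict]:
    """Translate the JSON passed in argv[4] into block rules.

    A realtime alert is a list of triggered rules carrying alert_info.ip and nothing
    about the source port, so the only rule that can be built immediately is an
    IP-wide block. A CDR-based alert is an object with a list of CDR ids; the caller
    port is read from the cdr table, so a narrower IP+port rule is possible, at the
    cost of waiting for the CDR to be written.
    """
    data = json.loads(payload)
    rules: List[Dict] = []
    seen = set()
    if isinstance(data, list):                                   # realtime shape
        for rule in data:
            ip = rule["alert_info"]["ip"]
            if ip not in seen:
                seen.add(ip)
                rules.append({"ip": ip, "port": None, "mode": "realtime"})
    elif isinstance(data, dict) and "cdr" in data:                # CDR-based shape
        for cdr_id in data["cdr"]:
            row = lookup(int(cdr_id))
            if row is None:                                       # CDR not stored (yet): nothing to block on
                continue
            if row not in seen:
                seen.add(row)
                rules.append({"ip": row[0], "port": row[1], "mode": "cdr"})
    else:
        raise ValueError("unrecognised alert payload")
    return rules


def iptables_command(rule: Dict) -> str:
    """Build the firewall command for one rule; the address is validated before use."""
    ip = str(ipaddress.ip_address(rule["ip"]))                   # raises ValueError on garbage
    if rule["port"] is None:
        # IP-wide block: the only option for realtime alerts; may hit legitimate traffic from the same IP
        return f"iptables -A INPUT -s {ip} -j DROP"
    port = int(rule["port"])
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    return f"iptables -A INPUT -p udp -s {ip} --sport {port} -j DROP"   # assumes SIP over UDP


# Constructed sample payloads in the two shapes described above.
REALTIME_PAYLOAD = json.dumps([
    {"alert_info": {"ip": "198.51.100.23", "local_international": "international"}, "at": "2026-01-08 16:47:00"},
    {"alert_info": {"ip": "198.51.100.23", "timeperiod_name": "after hours"}, "at": "2026-01-08 16:47:05"},
])
CDR_PAYLOAD = json.dumps({"cdr": [1001, 1002, 1003, 1004]})      # 1004 has no row yet

if __name__ == "__main__":
    payload = sys.argv[4] if len(sys.argv) > 4 else REALTIME_PAYLOAD
    for r in block_rules(payload):
        print(iptables_command(r))
```

With the sample data the realtime payload collapses to a single IP-wide rule for 198.51.100.23, while the CDR payload yields three IP+port rules and silently skips CDR 1004, which is exactly the "port may not exist yet" case.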
=== Common Configuration ===

Shared across some rules:

* Enable hyperlinks: Makes email alert titles clickable links to the rule definitions.
* IP include/exclude: Exclude IPs or networks (e.g., 10.0.0.0/8), or use IP groups.
* Suppress repeating alerts: Limit alerts to once per X hours to avoid spamming.
* Numbers include/exclude: Filter source numbers/prefixes (e.g., a general rule for >10 concurrent calls that excludes specific customers).
* External script: Path to a script on the server that is executed when the rule triggers (see Examples of Custom Scripts below for the arguments it receives).
* International prefixes configuration:
** International prefixes: Distinguish local/international calls (default: +, 00).
** Min international length: Numbers shorter than this are treated as local.
** Local numbers are in: Select the country for classifying international-prefixed calls as local.
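An added example of how these shared settings interact; it is not VoIPmonitor code and the field names are made up for illustration. It assumes that only numbers carrying one of the configured international prefixes can be classified as international, that "Min international length" is measured after the prefix is stripped, and the '''COUNTRY_CODES''' table is a constructed subset used to implement "Local numbers are in".

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Assumed country -> dialling code table for the "Local numbers are in" setting (constructed subset).
COUNTRY_CODES = {"DE": "49", "CZ": "420", "GB": "44", "US": "1"}


def classify_number(number: str, intl_prefixes: Tuple[str, ...] = ("+", "00"),
                    min_intl_length: int = 9, local_country: str = "DE") -> str:
    """Return "local" or "international" using the three international-prefix settings.

    Assumption of this example: a number without one of the prefixes is always local.
    """
    for prefix in intl_prefixes:
        if number.startswith(prefix):
            rest = number[len(prefix):]
            if len(rest) < min_intl_length:                        # too short: treated as local
                return "local"
            if rest.startswith(COUNTRY_CODES[local_country]):      # prefixed, but our own country
                return "local"
            return "international"
    return "local"


def ip_excluded(ip: str, exclusions: Iterable[str]) -> bool:
    """True if ip lies in any excluded address or network, e.g. "10.0.0.0/8"."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in exclusions)


def number_excluded(number: str, excluded_prefixes: Iterable[str]) -> bool:
    """Numbers include/exclude: match the source number against excluded prefixes."""
    return any(number.startswith(p) for p in excluded_prefixes)


class RepeatSuppressor:
    """Suppress repeating alerts: one alert per rule per `hours` hours."""

    def __init__(self, hours: float):
        self.window = hours * 3600.0
        self.last_sent: Dict[str, float] = {}

    def allow(self, rule_id: str, now: float) -> bool:
        last = self.last_sent.get(rule_id)
        if last is not None and now - last < self.window:
            return False
        self.last_sent[rule_id] = now
        return True


def evaluate(rule: dict, event: dict, suppressor: RepeatSuppressor, now: float) -> Optional[str]:
    """Return None if the event is filtered out, otherwise the reason an alert is sent."""
    if ip_excluded(event["ip"], rule.get("ip_exclude", ())):
        return None
    if number_excluded(event["caller"], rule.get("numbers_exclude", ())):
        return None
    kind = classify_number(event["called"], rule["intl_prefixes"],
                           rule["min_intl_length"], rule["local_country"])
    if kind not in rule["alert_on"]:                                # rule watches only some call kinds
        return None
    if not suppressor.allow(rule["id"], now):                       # already alerted within the window
        return None
    return f"{kind} call from {event['ip']}"


# Constructed rule in the shape used by evaluate(); the field names are this example's own.
SAMPLE_RULE = {
    "id": "concurrent-calls>10",
    "ip_exclude": ["10.0.0.0/8", "192.0.2.5"],
    "numbers_exclude": ["+4930"],             # a customer excluded from the general rule
    "intl_prefixes": ("+", "00"),
    "min_intl_length": 9,
    "local_country": "DE",
    "alert_on": {"international"},
    "suppress_hours": 1,
}

if __name__ == "__main__":
    s = RepeatSuppressor(SAMPLE_RULE["suppress_hours"])
    ev = {"ip": "198.51.100.23", "caller": "+4989111222", "called": "00420123456789"}
    print(evaluate(SAMPLE_RULE, ev, s, 0.0))      # fires
    print(evaluate(SAMPLE_RULE, ev, s, 600.0))    # suppressed
```

Order matters: the IP and number filters run before classification, so an excluded customer never consumes the suppression window of the rule, and a suppressed repeat is still a filtered event rather than a lost one.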


=== SIP REGISTER Flood/Attack ===

Triggers when >= N registration attempts from one IP occur within the set interval.

=== Realtime Concurrent Calls ===

Tracks source IPs in realtime (not CDR-based) for concurrent calls, which helps against high-channel attacks. Parameters:

* Concurrent calls limit: Trigger when international, local, or both exceed their limits.
* Time period rules: Vary the limits by work/after hours (defined in Groups > TimePeriods).

=== Change CDR Country ===

Triggers when the CDR source IP changes country/continent since the last call. Parameters:

* Exclude countries from alert: Whitelist countries to skip.

=== Change REGISTER Country ===

Triggers when a SIP REGISTER username changes country/continent since its last successful registration. Parameters:

* Exclude countries from alert: Whitelist countries to skip.

=== Country/Continent Destination ===

Triggers on calls to a specific country/continent, based on the first SIP INVITE (realtime).

=== SIP PACKETS Flood/Attack ===

Triggers when >= N packets from one IP occur within the set interval.

=== Examples of Custom Scripts ===

==== Getting Passed Arguments ====

'''Example script to log passed info:'''

<pre>
#!/bin/bash
# Append every argument the GUI passes to the script to a log file, one invocation per line
echo "$@" >> /tmp/passed_info.txt
</pre>

Use PHP '''json_decode($argv[4])''' on the 4th argument to get the alert data.

==== Alert Type RTP ====

'''Example to store audio on RTP alert:'''

<pre>
#!/usr/bin/php
<?php
# Store the audio of every CDR referenced by an RTP alert, fetched through the GUI API.
$directory = '/home/alerts/audio';   # where to store audio from alerts that triggered
$guiDir    = '/var/www/voipmonitor'; # where the GUI is installed
$apiUser   = 'admin';                # GUI account used for the API call; replace admin/admin
$apiPass   = 'admin';
$destdir   = $directory . '/' . date('Y-m-d'); # one subdirectory per day, YYYY-MM-DD
if (!is_dir($destdir) && !mkdir($destdir, 0750, true)) {
    fwrite(STDERR, "cannot create $destdir\n");
    exit(1);
}
$alert = json_decode($argv[4]);      # the 4th argument carries the alert data as JSON
if (!$alert || empty($alert->cdr)) exit(0);
foreach ($alert->cdr as $cdr) {
    $cdr = (int)$cdr;                # CDR IDs are integers: never pass raw alert data to the shell
    $params = json_encode(array(
        'task'     => 'getVoiceRecording',
        'user'     => $apiUser,
        'password' => $apiPass,
        'params'   => array('cdrId' => $cdr),
    ));
    $command = 'echo ' . escapeshellarg($params)
             . ' | php ' . escapeshellarg("$guiDir/php/api.php")
             . ' > ' . escapeshellarg("$destdir/file_id_$cdr.pcap");
    exec($command, $arr, $val);
    if ($val !== 0) fwrite(STDERR, "api.php failed for CDR $cdr (exit code $val)\n");
}
</pre>

'''Example to block IP on remote host if > limit CDRs per caller IP:'''

<pre>
#!/usr/bin/php
<?php
## Settings
$Limit = 19;                                      # block a caller IP with more than this many CDRs in the alert
$blockCommand = "ssh root@pbx -p2112 ipset add blacklist";
$verbose = 1;  # 1: dry run, only print what would be blocked; 0: run the block command and print nothing
$dbHost = 'MYSQLHOST'; $dbUser = 'MYSQLUSER'; $dbPass = 'MYSQLPASS'; $dbName = 'voipmonitor';
## END of settings
$alertsData = json_decode($argv[4]);              # alert data is passed as JSON in the 4th argument
if (!$alertsData || empty($alertsData->cdr)) exit(0);
# CDR IDs are integers: cast them so nothing from the alert payload reaches the query unchecked
$cdrIds = array_map('intval', (array)$alertsData->cdr);
$query = "SELECT INET_NTOA(sipcallerip), COUNT(*) AS incidents FROM cdr"
       . " WHERE id IN (" . implode(',', $cdrIds) . ")"
       . " GROUP BY sipcallerip ORDER BY incidents DESC";
# --batch --skip-column-names prints one tab-separated "ip<TAB>incidents" line per row
$command = 'mysql --batch --skip-column-names -h ' . escapeshellarg($dbHost)
         . ' -u ' . escapeshellarg($dbUser) . ' -p' . escapeshellarg($dbPass)
         . ' ' . escapeshellarg($dbName) . ' -e ' . escapeshellarg($query);
exec($command, $rows, $rc);
if ($rc !== 0) { fwrite(STDERR, "mysql query failed (exit code $rc)\n"); exit(1); }
# print the IPs and counts that exceed the limit, or block them
foreach ($rows as $row) {
    list($ip, $incidents) = explode("\t", $row);
    if ((int)$incidents <= $Limit) continue;
    if ($verbose) echo "$ip : $incidents, results in\n$blockCommand $ip\n\n";
    else exec($blockCommand . ' ' . escapeshellarg($ip), $ar, $rc2);
}
</pre>

==== Alert Type Realtime Concurrent Calls ====

'''Example to block IP on concurrent calls alert:'''

Note: Use "By caller IP" in alert settings to pass the attacker IP.

<pre>
#!/usr/bin/php
<?php
# Block with iptables every source IP that triggered a realtime concurrent calls rule.
# $argv[2] carries the parent alert info, $argv[4] the list of triggered rules (both JSON).
#echo "DECODE PARENT INFO\n"; print_r(json_decode($argv[2]));
$triggedRules = json_decode($argv[4]);
if (!is_array($triggedRules)) exit(0);
# count how many rules each address triggered
$IPtriggers = array();
foreach ($triggedRules as $rule) {                      // for each triggered rule
    $keyIP = $rule->alert_info->ip;                     // source IP which triggered the rule, used as key
    $when  = $rule->at;                                 // when this rule triggered
    # $type = $rule->alert_info->local_international;   // which limit was exceeded: "local", "international" or "local & international"
    # $name = isset($rule->alert_info->timeperiod_name) ? $rule->alert_info->timeperiod_name : "Parent rule"; // time-period rule name; unset means the main parent rule
    # print "\n\nName: $name\nat : $when\nType: $type";
    if (!isset($IPtriggers[$keyIP])) $IPtriggers[$keyIP] = 1;
    else $IPtriggers[$keyIP] += 1;
}
#print_r($IPtriggers);  // how many rules each address triggered
# block all addresses that triggered any rule
foreach ($IPtriggers as $IPKey => $nmGuilt) {
    # the address comes from alert data: validate it before it reaches a shell command
    if (!filter_var($IPKey, FILTER_VALIDATE_IP)) {
        fwrite(STDERR, "skipping invalid address: $IPKey\n");
        continue;
    }
    passthru('iptables -A INPUT -s ' . escapeshellarg($IPKey) . ' -j DROP', $ret);
    if ($ret != 0) {
        echo "Problem setting firewall!\n";
        exit(1);
    }
}
</pre>

=== AI Summary for RAG ===

'''Summary:''' This article details VoIPmonitor's anti-fraud rules for detecting attacks like floods, concurrent calls, and country changes. It covers common configs, specific rule parameters, custom scripts for actions, and examples for RTP and concurrent calls alerts. Important note: realtime alerts do not provide the source port in their output, and querying the database for the source port is not suitable for real-time blocking due to the delay between alert trigger and CDR creation.

'''Keywords:''' anti-fraud rules, fraud alerts, watchdog, concurrent calls, SIP REGISTER flood, SIP PACKETS flood, country change, custom scripts, international prefixes, time periods, realtime alerts, source port, CDR-based alerts

'''Key Questions:'''
* What anti-fraud rules are available in VoIPmonitor?
* How do common configurations like IP exclude or suppress alerts work?
* What triggers a SIP REGISTER flood alert?
* How does realtime concurrent calls tracking function?
* What are examples of custom scripts for alerts?
* How to configure international call detection?
* Why is source port not available in realtime alert output?
* What is the difference between realtime alerts and CDR-based alerts?

Latest revision as of 16:47, 8 January 2026


Anti-Fraud Detection

VoIPmonitor provides GeoIP-based anti-fraud alerts to detect toll fraud, account hijacking, and brute-force attacks.

<kroki lang="mermaid">
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 30}}}%%
flowchart LR
    subgraph Detection
        A[CDR/Register Data] --> B{GeoIP Lookup}
        B --> C[Country/IP Analysis]
    end
    subgraph Alert Types
        C --> D[Country Destination]
        C --> E[CDR Country Change]
        C --> F[Register Country Change]
        C --> G[Sequential Pattern]
        C --> H[Failed Register]
    end
    subgraph Response
        D & E & F & G & H --> I[Email Alert]
    end
</kroki>

Configuration

All anti-fraud alerts are configured in GUI → Alerts → Anti Fraud.

ℹ️ Note: Anti-fraud features require GeoIP configuration. See GeoIP Integration below.

Alert Types

Country/Continent Destination

Real-time detection of calls to specific countries or continents. Primary use case: detecting toll fraud where compromised accounts make expensive international calls.

Configuration:

  • Select target countries/continents to monitor
  • Set threshold for number of calls
  • Configure notification recipients

Change CDR Country

Detects when the IP country of caller or callee changes between calls - indicates potential account compromise or SIP credential theft.

Configuration:

  • Whitelist trusted countries (Exclude countries field)
  • Apply filters by phone numbers or IP addresses

Change REGISTER Country

Detects device registration from unexpected countries - strong indicator of credential theft or account hijacking.

Example: User normally registers from Germany but suddenly registers from Russia → alert triggers.

Fraud: Sequential

Detects high-volume sequential calling patterns to destination numbers within a time window.

{| class="wikitable"
|-
! Parameter !! Description !! Example Values
|-
| interval || Time window (seconds) for counting calls || 600 (10 min), 3600 (1 hour)
|-
| limit || Max calls allowed before alert triggers || 50, 100, 500
|-
| number field || Target destination number (leave empty for ANY) || Empty or specific number
|}

⚠️ Warning: Critical: Leave the number field empty to monitor ALL destination numbers. The alert fires when ANY single destination exceeds the limit within the interval.

Configuration Steps:

  1. Navigate to GUI → Alerts → Anti Fraud
  2. Create new alert with type Fraud: sequential
  3. Set interval (e.g., 600 for 10 minutes)
  4. Set limit (e.g., 100 calls)
  5. Leave number field empty to apply to ANY number
  6. Configure recipient email
  7. Save

Example Configurations:

{| class="wikitable"
|-
! Scenario !! interval !! limit !! number field
|-
| >100 calls to any number in 10 min || 600 || 100 || Empty
|-
| >500 calls to any number in 1 hour || 3600 || 500 || Empty
|-
| >50 calls in 5 min (high-volume attack) || 300 || 50 || Empty
|-
| Monitor specific premium number || 1800 || 200 || Specify number
|}

💡 Tip: Fraud: sequential vs concurrent calls: Sequential alerts count total calls over a time window. Concurrent alerts detect simultaneous active calls at one moment. Use sequential for detecting volume spikes, concurrent for capacity monitoring.

SIP Failed Register

Detects brute-force and credential stuffing attacks by monitoring failed registration attempts.

{| class="wikitable"
|-
! Parameter !! Description
|-
| threshold || Maximum failed attempts before alert
|-
| interval || Time window (seconds) for counting attempts
|}
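The counting logic behind the Fraud: sequential parameters above (interval, limit, empty number field), the SIP Failed Register parameters (threshold, interval), and the sequential-versus-concurrent distinction in the tip, as one added example. This is illustration code, not VoIPmonitor's implementation: both alerts are modelled as the same sliding-window counter with a different key (destination number versus source IP), an alert fires when the count exceeds the limit, and the window for that key is cleared after firing so a sustained flood produces one alert per limit rather than one per call. The CDRs, registrations and call intervals are constructed sample data, and the tuple layouts are this example's own.

```python
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

Event = Tuple[datetime, str]              # (time, key), in chronological order
Alert = Tuple[datetime, str, int]         # (time fired, key, count in window)


def sliding_window_alerts(events: Iterable[Event], interval: int, limit: int) -> List[Alert]:
    """Fire once per key when more than `limit` events for that key fall within `interval` seconds."""
    window = timedelta(seconds=interval)
    recent: Dict[str, Deque[datetime]] = {}
    fired: List[Alert] = []
    for ts, key in events:
        q = recent.setdefault(key, deque())
        while q and ts - q[0] > window:   # drop events that have left the window
            q.popleft()
        q.append(ts)
        if len(q) > limit:
            fired.append((ts, key, len(q)))
            q.clear()                     # start counting afresh; avoids an alert per subsequent call
    return fired


def sequential_alerts(cdrs: Iterable[Tuple[datetime, str]], interval: int, limit: int,
                      number: str = "") -> List[Alert]:
    """Fraud: sequential. cdrs are (call_time, called_number).

    An empty `number` means ANY destination: each destination is counted separately and
    the alert fires for whichever single destination exceeds the limit in the interval.
    """
    wanted = ((ts, called) for ts, called in cdrs if not number or called == number)
    return sliding_window_alerts(wanted, interval, limit)


def failed_register_alerts(registers: Iterable[Tuple[datetime, str, bool]], interval: int,
                           threshold: int) -> List[Alert]:
    """SIP Failed Register. registers are (time, source_ip, success); only failures count."""
    failures = ((ts, ip) for ts, ip, ok in registers if not ok)
    return sliding_window_alerts(failures, interval, threshold)


def max_concurrent(calls: Iterable[Tuple[datetime, datetime]]) -> int:
    """Peak number of simultaneously active (start, end) calls: what a concurrent rule measures."""
    points = []
    for start, end in calls:
        points.append((start, 1))
        points.append((end, -1))
    points.sort(key=lambda p: (p[0], p[1]))   # an end (-1) at time t sorts before a start (+1) at t
    current = peak = 0
    for _, delta in points:
        current += delta
        peak = max(peak, current)
    return peak


# Constructed sample data (not from a real capture).
T0 = datetime(2026, 1, 8, 16, 0, 0)
SAMPLE_CDRS = (
    [(T0 + timedelta(seconds=5 * i), "+441234567890") for i in range(120)]    # 120 calls in ~10 min
    + [(T0 + timedelta(seconds=30 * i), "+420123456789") for i in range(20)]  # 20 calls: normal traffic
)
SAMPLE_CDRS.sort()
SAMPLE_REGISTERS = (
    [(T0 + timedelta(seconds=2 * i), "198.51.100.23", False) for i in range(12)]  # 12 failures in 22 s
    + [(T0 + timedelta(seconds=i), "203.0.113.7", True) for i in range(30)]       # legitimate successes
)
SAMPLE_REGISTERS.sort()
SAMPLE_CALLS = [
    (T0, T0 + timedelta(seconds=100)),
    (T0 + timedelta(seconds=10), T0 + timedelta(seconds=50)),
    (T0 + timedelta(seconds=20), T0 + timedelta(seconds=30)),
    (T0 + timedelta(seconds=60), T0 + timedelta(seconds=90)),
]

if __name__ == "__main__":
    print(sequential_alerts(SAMPLE_CDRS, interval=600, limit=100))
    print(failed_register_alerts(SAMPLE_REGISTERS, interval=60, threshold=10))
    print(max_concurrent(SAMPLE_CALLS))
```

With the sample data the 600 s / 100 rule fires once, on the 101st call to +441234567890 at 16:08:20, and never for the 20 calls to the other destination; the stricter 300 s / 50 scenario from the table fires twice on the same traffic. The failed-register rule fires on the 11th failure from 198.51.100.23, and the four sample calls peak at three concurrent calls even though only four calls exist in total, which is the difference the tip describes.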

GeoIP Integration

Anti-fraud alerts require GeoIP for IP-to-country resolution.

Configuration: GUI → Settings → System Configuration → GeoIP

Processing priority (fallback mechanism):

  1. MaxMind API (commercial, highest accuracy)
  2. IPInfoDB API
  3. Local GeoIP database (GeoIPCity.dat or MySQL tables)
  4. Free portals (backup)

For detailed GeoIP configuration, see Order_of_GeoIP_processing.

Best Practices

  • Toll fraud prevention: Configure Country/Continent Destination alerts for premium rate countries
  • Account protection: Enable Change REGISTER Country for all critical accounts
  • Brute-force protection: Set SIP Failed Register with low threshold (e.g., 10 attempts in 60 seconds)
  • Volume monitoring: Use Fraud: sequential with empty number field to catch attacks on any destination
  • Granular control: Combine with IP Groups for provider-specific monitoring

See Also

  • Alerts - General alert configuration and email setup
  • Order_of_GeoIP_processing - GeoIP configuration details
  • Groups - IP and telephone number groups for filtering
  • Register - SIP registration monitoring

AI Summary for RAG

Summary: VoIPmonitor anti-fraud detection guide using GeoIP-based alerts. Alert types: (1) Country/Continent Destination - real-time detection of calls to specific countries for toll fraud prevention; (2) Change CDR Country - detects IP country changes between calls indicating account compromise; (3) Change REGISTER Country - detects registration from unexpected countries indicating credential theft; (4) Fraud: sequential - detects high-volume calling patterns using interval (time window in seconds) and limit (max calls) parameters, CRITICAL: leave number field empty to monitor ALL destination numbers; (5) SIP Failed Register - detects brute-force attacks via failed registration monitoring. Configuration path: GUI → Alerts → Anti Fraud. Requires GeoIP configuration (Settings → System Configuration → GeoIP) with MaxMind API as highest priority.

Keywords: anti-fraud, toll fraud, fraud detection, GeoIP, country alert, Change CDR Country, Change REGISTER Country, Fraud sequential, interval, limit, number field empty, SIP failed register, brute-force, credential stuffing, account hijacking, premium rate numbers, sequential pattern detection, call volume monitoring

Key Questions:

  • How do I configure anti-fraud alerts in VoIPmonitor?
  • How do I detect toll fraud in VoIPmonitor?
  • What is the Fraud: sequential alert and how do I configure it?
  • How do I detect high volume calls to any destination number?
  • Should I leave the number field empty in Fraud: sequential?
  • What is the difference between Fraud: sequential and concurrent calls alerts?
  • How do I detect account hijacking in VoIPmonitor?
  • How do I configure alerts for international calls?
  • What is the Change REGISTER Country alert?
  • How do I detect brute-force attacks on SIP registration?
  • How does VoIPmonitor use GeoIP for fraud detection?