Anti-fraud: Difference between revisions

From VoIPmonitor.org
(Major restructure: add PlantUML diagram, convert indented code to syntaxhighlight, add tables, improve PHP formatting, streamline AI summary)
(Rewrite: cleaner structure, added diagram, consolidated content)
(13 intermediate revisions by the same user not shown)

{{DISPLAYTITLE:Anti-Fraud Detection}}
[[Category:GUI manual]]
[[Category:Configuration]]
[[Category:Alerts]]

= Anti-Fraud Detection =

VoIPmonitor provides anti-fraud rules, accessed via '''GUI → Alerts → Anti Fraud''', that detect toll fraud, account hijacking, brute-force registration attacks and SIP floods. The country-based rules use GeoIP to resolve the caller's or the registering device's IP address to a country. New rules are added over time. Besides sending an email alert, each rule can run a custom script, for example to add a firewall rule that blocks the attacker. Sent alerts are archived in '''Sent Alerts'''.
== Overview ==

Alert types and the data they are evaluated on:

<kroki lang="mermaid">
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 30}}}%%
flowchart LR
    subgraph Detection
        A[CDR/Register Data] --> B{GeoIP Lookup}
        B --> C[Country/IP Analysis]
    end
    subgraph Alert Types
        C --> D[Country Destination]
        C --> E[CDR Country Change]
        C --> F[Register Country Change]
        C --> G[Sequential Pattern]
        C --> H[Failed Register]
    end
    subgraph Response
        D & E & F & G & H --> I[Email Alert]
    end
</kroki>

How an alert travels from the sensor to the email notification or the blocking script:

<kroki lang="plantuml">
@startuml
skinparam shadowing false
skinparam defaultFontName Arial

rectangle "VoIPmonitor\nSensor" as sensor
rectangle "Realtime\nDetection" as realtime
rectangle "CDR-based\nDetection" as cdr_detect
database "MySQL" as db
rectangle "Alert\nProcessor" as processor
rectangle "Custom\nScript" as script
rectangle "Firewall\n(iptables)" as fw
rectangle "Email\nNotification" as email

sensor --> realtime : SIP packets
sensor --> db : CDRs
realtime --> processor : Immediate trigger
db --> cdr_detect : Query
cdr_detect --> processor : Threshold exceeded
processor --> script : Execute action
processor --> email : Send alert
script --> fw : Block IP
@enduml
</kroki>

== Configuration ==

All anti-fraud alerts are configured in '''GUI → Alerts → Anti Fraud'''.

{{Note|1=The country-based alerts (Country/Continent destination, Change CDR country, Change REGISTER country) require GeoIP configuration. See [[#GeoIP Integration|GeoIP Integration]] below.}}
== Alert Types ==

{| class="wikitable"
|-
! Alert Type !! Processing !! Description
|-
| Realtime concurrent calls || Realtime || Monitors concurrent calls per source IP
|-
| SIP REGISTER flood/attack || Realtime || Detects REGISTER flooding
|-
| SIP PACKETS flood/attack || Realtime || Detects generic SIP packet floods
|-
| Change CDR country || CDR-based || IP geolocation changed between calls
|-
| Change REGISTER country || CDR-based || REGISTER source country changed
|-
| Country/Continent destination || Realtime || Calls to specific destinations
|-
| [[Billing#Watchdog|Billing Watchdog]] || CDR-based || Billing anomaly detection
|}

Two further rules, '''Fraud: sequential''' (call volume to a destination number within a time window) and '''SIP failed register''' (failed registration attempts within a time window), are described below.

=== Alert Processing Differences ===

VoIPmonitor processes alerts in two different ways:

;Realtime alerts:
:Processed directly by the sniffer as packets arrive. They trigger immediately, based on packet inspection, before a CDR for the call exists.
:* Realtime concurrent calls
:* SIP REGISTER flood
:* SIP PACKETS flood
:* Country/Continent destination (evaluated on the first SIP INVITE)

;CDR-based alerts:
:Evaluated by the GUI after the CDRs have been stored in the database.
:* Change CDR country
:* Change REGISTER country
:* RTP alerts
:* SIP Response alerts

==== Important Limitation: Source Port in Realtime Alerts ====

Realtime alerts provide the attacker's IP address in the <code>alert_info</code> object, but do '''not''' include the SIP source port.

The source port can be queried from <code>cdr.caller_port</code> in the database, but this has two limitations:
* '''Delay''': CDRs are written after the realtime alert has triggered, so the port becomes available only later.
* '''Port may not exist''': a flood may be detected before any CDR has been created.

'''Recommendation:'''
* For real-time defense: block by IP address only. A per-IP block affects every device behind that address, so exclude your own trunks and NAT gateways with the IP include/exclude option before enabling a blocking script.
* For non-real-time blocking: use CDR-based alerts with database queries, where the port is available.

=== Country/Continent Destination ===

Real-time detection of calls to specific countries or continents, evaluated on the first SIP INVITE. Primary use case: toll fraud, where compromised accounts are used to place expensive international calls.

'''Configuration:'''
* Select the target countries/continents to monitor
* Set the threshold for the number of calls
* Configure notification recipients

=== Change CDR Country ===

Triggers when the country/continent of the CDR source IP (caller or callee) differs from the previous call. Such a change indicates potential account compromise or SIP credential theft.

'''Configuration:'''
* '''Exclude countries from alert''': whitelist trusted countries that should never trigger the alert
* Apply filters by phone numbers or IP addresses

=== Change REGISTER Country ===

Triggers when the country/continent of a SIP REGISTER username changes since its last successful registration. This is a strong indicator of credential theft or account hijacking.

'''Configuration:'''
* '''Exclude countries from alert''': whitelist trusted countries

'''Example:''' a user normally registers from Germany but suddenly registers from Russia → the alert triggers.

Roaming mobile clients and users on VPNs change country legitimately; use the exclude list or number/IP filters for them, otherwise the alert will page you for every trip abroad.
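The following is an added example, not VoIPmonitor code, that reproduces the logic of the Change CDR Country / Change REGISTER Country alerts above together with the GeoIP fallback order described under GeoIP Integration. The event layout (<code>key</code>, <code>ip</code>, <code>at</code>), the stub lookup tables and the provider order are assumptions made for illustration; the real alert objects and GeoIP providers are not shown on this page.

```python
#!/usr/bin/env python3
"""Added example (not VoIPmonitor code): Change CDR/REGISTER country
detection on top of a GeoIP lookup chain with fallback.

Assumptions (hypothetical, for illustration only):
- events are dicts with 'key' (SIP username for REGISTER, caller IP for
  CDRs), 'ip' and 'at' (epoch seconds); the real alert layout differs
- the GeoIP providers are stub prefix tables; VoIPmonitor tries MaxMind,
  IPInfoDB, a local database and free portals, in that order
"""
from typing import Optional

# --- GeoIP fallback chain -------------------------------------------------
# Constructed sample tables (RFC 5737 documentation addresses). The local
# database deliberately disagrees with MaxMind on 203.0.113.0/24 so the
# priority order is visible in the result.
MAXMIND_STUB = {"203.0.113.": "DE"}
IPINFODB_STUB = {}
LOCAL_DB_STUB = {"198.51.100.": "RU", "203.0.113.": "FR"}


def prefix_lookup(table):
    """Build a resolver returning a country code or None ('unknown')."""
    def resolve(ip: str) -> Optional[str]:
        for prefix, cc in table.items():
            if ip.startswith(prefix):
                return cc
        return None
    return resolve


GEOIP_CHAIN = [
    prefix_lookup(MAXMIND_STUB),   # 1. MaxMind API
    prefix_lookup(IPINFODB_STUB),  # 2. IPInfoDB API
    prefix_lookup(LOCAL_DB_STUB),  # 3. local GeoIP database
]


def country_of(ip: str, chain=GEOIP_CHAIN) -> Optional[str]:
    """First provider that answers wins; None if nobody knows the address."""
    for resolve in chain:
        cc = resolve(ip)
        if cc:
            return cc
    return None


# --- change-country detection --------------------------------------------
def detect_country_changes(events, exclude=frozenset()):
    """Return (key, old_country, new_country, ip) for every event whose
    country differs from the last known country of the same key.

    Addresses unknown to every provider are skipped, not treated as a
    change, and a new country on the exclude list never raises an alert."""
    last = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["at"]):
        cc = country_of(ev["ip"])
        if cc is None:
            continue
        prev = last.get(ev["key"])
        if prev is not None and prev != cc and cc not in exclude:
            alerts.append((ev["key"], prev, cc, ev["ip"]))
        last[ev["key"]] = cc
    return alerts


# Constructed sample: 1001 registers from DE, then from RU; 1002 stays in DE.
SAMPLE_REGISTERS = [
    {"key": "1001", "ip": "203.0.113.7", "at": 1},
    {"key": "1002", "ip": "203.0.113.9", "at": 2},
    {"key": "1001", "ip": "198.51.100.4", "at": 3},  # country change -> alert
    {"key": "1002", "ip": "203.0.113.9", "at": 4},
    {"key": "1001", "ip": "192.0.2.1", "at": 5},     # unknown everywhere -> ignored
]

if __name__ == "__main__":
    for key, old, new, ip in detect_country_changes(SAMPLE_REGISTERS):
        print(f"Change REGISTER country: {key} {old} -> {new} ({ip})")
```

The same <code>detect_country_changes</code> works for Change CDR Country by keying the events on the caller IP instead of the username. Passing <code>exclude={"RU"}</code> reproduces the "Exclude countries from alert" whitelist: the registration is still remembered as the user's new location, but no alert is raised.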


=== Common Configuration ===

Options shared across anti-fraud rules:

{| class="wikitable"
|-
! Option !! Description
|-
| Enable hyperlinks || Makes email alert titles clickable links to the rule definitions
|-
| IP include/exclude || Exclude IPs or networks (e.g., <code>10.0.0.0/8</code>) or use IP groups
|-
| Suppress repeating alerts || Limit alerts to once per X hours to avoid spamming
|-
| Numbers include/exclude || Filter source numbers/prefixes
|-
| External script || Path to a custom script for automated actions (see [[#Custom Script Examples|Custom Script Examples]])
|}

'''International prefixes configuration:'''
* '''International prefixes''': Distinguish local/international calls (default: <code>+</code>, <code>00</code>)
* '''Min international length''': Numbers shorter than this are treated as local
* '''Local numbers are in''': Country used to classify international-prefixed calls as local

=== SIP REGISTER Flood/Attack ===

Realtime alert. Triggers when >= N registration attempts from one IP occur within the set interval.

==== Mitigation Strategies ====

When SIP REGISTER floods cause excessive CPU usage or system unresponsiveness:

===== 1. Immediate Blocking via Custom Scripts =====

Configure a custom script in the SIP REGISTER flood alert rule to automatically block the attacker IP. The <code>alert_info</code> object contains the attacker's IP address (but not the source port, see the limitation above).

Block using iptables:
<syntaxhighlight lang="bash">
iptables -A INPUT -s <ATTACKER_IP> -j DROP
</syntaxhighlight>

<code>-A</code> appends to the end of the chain; if an earlier rule already accepts SIP traffic, the DROP is never reached. Use <code>-I INPUT</code> in that case so the rule is inserted at the top.

Block using ipset (more efficient for multiple IPs):
<syntaxhighlight lang="bash">
ipset add blacklist <ATTACKER_IP>
</syntaxhighlight>

The set must exist before the script runs and an iptables rule must reference it (<code>-m set --match-set blacklist src</code>); otherwise the add succeeds but nothing is blocked.

===== 2. Network Edge Blocking (Recommended) =====

For long-term protection, block at your network edge:
* '''Session Border Controller (SBC)''': Configure rate limiting and IP blocking
* '''Firewall''': Block malicious IPs at the perimeter before they reach VoIPmonitor
* '''Fail2ban''': Automatically block IPs after repeated REGISTER failures

===== 3. Reducing REGISTER Noise =====

* Disable REGISTER processing if not needed: <code>sip-register = no</code> in <code>voipmonitor.conf</code>
* Filter REGISTER packets using firewall rules
* Use [[Capture_rules|capture rules]] to exclude known good REGISTER sources

=== Fraud: Sequential ===

Detects high-volume sequential calling patterns to destination numbers within a time window.

{| class="wikitable"
|-
! Parameter !! Description !! Example Values
|-
| '''interval''' || Time window (seconds) for counting calls || 600 (10 min), 3600 (1 hour)
|-
| '''limit''' || Max calls allowed before the alert triggers || 50, 100, 500
|-
| '''number field''' || Target destination number (leave empty for ANY) || Empty or a specific number
|}

{{Warning|1='''Critical:''' Leave the number field '''empty''' to monitor ALL destination numbers. The alert fires when ANY single destination exceeds the limit within the interval.}}

'''Configuration Steps:'''
# Navigate to '''GUI → Alerts → Anti Fraud'''
# Create a new alert with type '''Fraud: sequential'''
# Set '''interval''' (e.g., 600 for 10 minutes)
# Set '''limit''' (e.g., 100 calls)
# '''Leave the number field empty''' to apply to ANY number
# Configure the recipient email
# Save

'''Example Configurations:'''

{| class="wikitable"
|-
! Scenario !! interval !! limit !! number field
|-
| >100 calls to any number in 10 min || 600 || 100 || Empty
|-
| >500 calls to any number in 1 hour || 3600 || 500 || Empty
|-
| >50 calls in 5 min (high-volume attack) || 300 || 50 || Empty
|-
| Monitor a specific premium number || 1800 || 200 || Specify number
|}

{{Tip|1='''Fraud: sequential vs concurrent calls:''' Sequential alerts count the total number of calls over a time window. Concurrent alerts detect calls that are active at the same moment. Use sequential for volume spikes (many short calls one after another), concurrent for capacity monitoring.}}

=== SIP Failed Register ===

Detects brute-force and credential-stuffing attacks by counting failed registration attempts within a time window.

{| class="wikitable"
|-
! Parameter !! Description
|-
| '''threshold''' || Maximum failed attempts before the alert triggers
|-
| '''interval''' || Time window (seconds) for counting attempts
|}
 
=== Realtime Concurrent Calls ===

Tracks source IPs in realtime (not CDR-based) for concurrent calls. Useful against high-channel attacks.

;Parameters:
:* '''Concurrent calls limit''': Trigger on international, local, or both exceeding their limits (local vs. international is decided by the international prefix settings above)
:* '''Time period rules''': Vary alerts by work/after hours (defined in '''Groups > TimePeriods''')
:* '''By caller IP''': Evaluate the limit per caller IP; required when a custom script is supposed to block the offending source (see the script example below)

=== SIP PACKETS Flood/Attack ===

Realtime alert. Triggers when >= N packets from an IP occur within the set interval.
 
=== Custom Script Examples ===

Custom scripts receive the alert data as command-line arguments; the JSON alert payload is the fourth argument, so a PHP script parses it with <code>json_decode($argv[4])</code>. Treat that payload as untrusted input: IP addresses and CDR ids in it originate from network traffic, so validate them before they end up in a shell command or an SQL statement. Scripts that call iptables or ipset need root privileges on the host where they run.

==== Logging Passed Arguments ====

Simple script that logs all arguments, useful to see the exact payload a rule delivers before writing a real action:

<syntaxhighlight lang="bash">
#!/bin/bash
echo "$@" >> /tmp/passed_info.txt
</syntaxhighlight>

==== RTP Alert: Store Audio Files ====

Script that downloads the audio of every call that triggered an RTP alert through the GUI API. The GUI account and password are placeholders; use a dedicated account rather than <code>admin</code>:

<syntaxhighlight lang="php">
#!/usr/bin/php
<?php
// Configuration
$directory = '/home/alerts/audio';
$guiDir    = '/var/www/voipmonitor';
$apiUser   = 'admin';   // placeholder: use a dedicated, least-privilege GUI account
$apiPass   = 'admin';
$destdir   = $directory . '/' . date('Y-m-d');

// Create destination directory
if (!is_dir($destdir) && !mkdir($destdir, 0750, true)) {
    fwrite(STDERR, "cannot create $destdir\n");
    exit(1);
}

// Parse alert data (the JSON payload is the 4th argument)
$alert = json_decode($argv[4]);
if (!$alert || empty($alert->cdr)) {
    exit(0);   // nothing to fetch
}

// Download audio for each CDR in the alert
foreach ($alert->cdr as $cdr) {
    $cdr = (int)$cdr;   // CDR ids are numeric; never pass raw alert data to the shell
    $params = json_encode([
        'task'     => 'getVoiceRecording',
        'user'     => $apiUser,
        'password' => $apiPass,
        'params'   => ['cdrId' => (string)$cdr],
    ]);
    $command = 'echo ' . escapeshellarg($params)
             . " | php $guiDir/php/api.php > " . escapeshellarg("$destdir/file_id_$cdr.pcap");
    exec($command, $arr, $val);
    if ($val !== 0) {
        fwrite(STDERR, "api.php failed for CDR $cdr (exit code $val)\n");
    }
}
</syntaxhighlight>
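An added example (not VoIPmonitor code) of a custom script for the interface described above: the alert JSON arrives as the fourth argument, the script validates every address before it is handed to the firewall, and it runs in dry-run mode by default. The ipset name, the "own networks" list, the dry-run switch and the sample payload are assumptions; the payload shape follows the concurrent-calls alert used by the PHP examples on this page (a list of triggered rules with <code>alert_info.ip</code>).

```python
#!/usr/bin/env python3
"""Added example (not VoIPmonitor code): a custom alert script that turns
the alert payload into firewall actions without trusting its contents.

VoIPmonitor passes the alert data as the 4th command-line argument (the PHP
examples use json_decode($argv[4])). The shape handled here is the list of
triggered rules with alert_info.ip seen in the concurrent-calls script;
everything else (set name, own networks, timeout, sample payload) is an
assumption for illustration."""
import ipaddress
import json
import shlex
import subprocess
import sys
from collections import Counter

IPSET_NAME = "blacklist"      # hypothetical set name; see usage note for setup
OWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def attacker_ips(payload):
    """Count triggers per IP. Accepts a list of triggered rules or a single
    rule object; entries without alert_info.ip are ignored."""
    rules = payload if isinstance(payload, list) else [payload]
    counts = Counter()
    for rule in rules:
        ip = (rule.get("alert_info") or {}).get("ip")
        if ip:
            counts[ip] += 1
    return counts


def blockable(ip_str):
    """True only for a syntactically valid, routable, foreign address.
    Anything else (shell metacharacters, loopback, multicast, our own
    trunks or NAT gateways) must never reach the firewall command."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in OWN_NETWORKS)


def block_commands(counts, min_triggers=1):
    """argv lists to execute, one per IP. No shell is involved, the timeout
    lets the block expire, and -exist makes a repeated add harmless."""
    cmds = []
    for ip, n in sorted(counts.items()):
        if n >= min_triggers and blockable(ip):
            cmds.append(["ipset", "-exist", "add", IPSET_NAME, ip, "timeout", "3600"])
    return cmds


def commands_for(payload_text, min_triggers=1):
    """Parse the JSON payload and return the commands it warrants."""
    return block_commands(attacker_ips(json.loads(payload_text)), min_triggers)


def main(argv, dry_run=True):
    if len(argv) < 5:
        sys.stderr.write("usage: called by VoIPmonitor with the alert JSON as 4th argument\n")
        return 2
    for cmd in commands_for(argv[4]):
        if dry_run:
            print(shlex.join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return 0


# Constructed sample payload in the concurrent-calls shape.
SAMPLE_PAYLOAD = json.dumps([
    {"at": "2026-01-08 16:47:00", "alert_info": {"ip": "198.51.100.4"}},
    {"at": "2026-01-08 16:47:05", "alert_info": {"ip": "198.51.100.4"}},
    {"at": "2026-01-08 16:47:09", "alert_info": {"ip": "10.0.0.5"}},           # our own PBX
    {"at": "2026-01-08 16:47:10", "alert_info": {"ip": "1.2.3.4; rm -rf /"}},  # never reaches a shell
])

if __name__ == "__main__":
    args = sys.argv if len(sys.argv) >= 5 else ["self", "", "", "", SAMPLE_PAYLOAD]
    sys.exit(main(args, dry_run=True))
```

Run it once with <code>dry_run=True</code> and compare the printed commands with the alert emails before switching the flag. The set and the matching firewall rule are created once, outside the script, with <code>ipset create blacklist hash:ip timeout 3600</code> and <code>iptables -I INPUT -m set --match-set blacklist src -j DROP</code>; because the script needs root for ipset, run it through a sudo rule restricted to that one command rather than as the GUI user.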
 
==== RTP Alert: Block IP After Threshold ====

Script that looks up the caller IPs of the CDRs in an RTP alert and blocks those with more than <code>$Limit</code> incidents, via ipset on a remote PBX. <code>MYSQLHOST</code>, <code>MYSQLUSER</code> and <code>MYSQLPASS</code> are placeholders; a password on the command line is visible in the process list, so prefer a <code>~/.my.cnf</code> with restricted permissions on production systems. Keep <code>$verbose = 1</code> until the printed commands look right.

<syntaxhighlight lang="php">
#!/usr/bin/php
<?php
// Configuration
$Limit        = 19;                                   // block after more than this many incidents
$blockCommand = "ssh root@pbx -p2112 ipset add blacklist";
$verbose      = 1;  // 1 = dry-run (print only), 0 = execute blocking
$mysqlHost = 'MYSQLHOST'; $mysqlUser = 'MYSQLUSER'; $mysqlPass = 'MYSQLPASS';   // placeholders

// Parse alert data (the JSON payload is the 4th argument)
$alertsData = json_decode($argv[4]);
if (!$alertsData || empty($alertsData->cdr)) exit;

// Comma-separated list of CDR ids; cast to int so nothing from the alert reaches SQL unchecked
$out = implode(',', array_map('intval', (array)$alertsData->cdr));

// Query database for caller IPs and incident counts (\G prints one "column: value" line per field)
$query = "SELECT INET_NTOA(sipcallerip) AS ip, COUNT(*) AS incidents
          FROM voipmonitor.cdr
          WHERE id IN ($out)
          GROUP BY ip
          ORDER BY incidents DESC\\G";
$command = "mysql -h " . escapeshellarg($mysqlHost) . " -u " . escapeshellarg($mysqlUser)
         . " -p" . escapeshellarg($mysqlPass) . " -e " . escapeshellarg($query);
exec($command, $arr);

// Parse results: an "ip: x.x.x.x" line is always followed by "incidents: N"
$resultip  = array();
$resultcnt = array();
foreach ($arr as $nth => $line) {
    if (strpos(trim($line), 'ip:') !== 0) continue;
    $resultip[]  = trim(substr($line, strpos($line, ':') + 1));
    $resultcnt[] = (int)trim(substr($arr[$nth + 1], strpos($arr[$nth + 1], ':') + 1));
}

// Block IPs that exceed the limit; validate the address before it is used in a command
if (!count($resultip)) exit;
foreach ($resultip as $n => $ip) {
    if ($resultcnt[$n] > $Limit && filter_var($ip, FILTER_VALIDATE_IP)) {
        if ($verbose) {
            echo "$ip : $resultcnt[$n] incidents\n$blockCommand $ip\n\n";
        } else {
            exec($blockCommand . ' ' . escapeshellarg($ip), $ar, $rc);
        }
    }
}
</syntaxhighlight>

==== Concurrent Calls: Block Attacker IP ====

Script that blocks the source IPs reported by a concurrent calls alert. Enable '''By caller IP''' in the alert settings so that the alert is evaluated per caller IP and carries the address in <code>alert_info</code>. The rule is appended with <code>-A</code> as in the iptables example above; use <code>-I</code> if your INPUT chain accepts SIP before the end.

<syntaxhighlight lang="php">
#!/usr/bin/php
<?php
// Parse triggered rules (the JSON payload is the 4th argument)
$triggedRules = json_decode($argv[4]);
if (!is_array($triggedRules)) exit;

// Count triggers per IP address
$IPtriggers = array();
foreach ($triggedRules as $rule) {
    if (!isset($rule->alert_info->ip)) continue;
    $keyIP = $rule->alert_info->ip;
    $when  = $rule->at;   // time of the trigger, useful for logging

    if (!isset($IPtriggers[$keyIP])) {
        $IPtriggers[$keyIP] = 1;
    } else {
        $IPtriggers[$keyIP] += 1;
    }
}

// Block all IPs that triggered any rule. The address comes from packet data
// and goes into a root shell command, so validate it first.
foreach ($IPtriggers as $IPKey => $nmGuilt) {
    if (!filter_var($IPKey, FILTER_VALIDATE_IP)) {
        fwrite(STDERR, "ignoring invalid address: $IPKey\n");
        continue;
    }
    passthru('iptables -A INPUT -s ' . escapeshellarg($IPKey) . ' -j DROP', $ret);
    if ($ret != 0) {
        echo "Problem setting firewall!\n";
        exit(1);
    }
}
</syntaxhighlight>

== GeoIP Integration ==

The country-based anti-fraud alerts (Country/Continent destination, Change CDR country, Change REGISTER country) need GeoIP to resolve an IP address to a country.

'''Configuration:''' GUI → Settings → System Configuration → GeoIP

'''Processing priority (fallback mechanism):'''
# MaxMind API (commercial, highest accuracy)
# IPInfoDB API
# Local GeoIP database (GeoIPCity.dat or MySQL tables)
# Free portals (backup)

The first source that returns a result is used; the next one is only consulted when the previous one fails or does not know the address.

For detailed GeoIP configuration, see [[Order_of_GeoIP_processing]].

== Best Practices ==

* '''Toll fraud prevention:''' Configure Country/Continent Destination alerts for premium rate countries
* '''Account protection:''' Enable Change REGISTER Country for all critical accounts
* '''Brute-force protection:''' Set SIP Failed Register with a low threshold (e.g., 10 attempts in 60 seconds)
* '''Volume monitoring:''' Use Fraud: sequential with an empty number field to catch attacks on any destination
* '''Granular control:''' Combine with [[Groups|IP Groups]] for provider-specific monitoring
* '''Safe automation:''' Exclude your own trunks and NAT gateways from blocking rules, and test every blocking script in dry-run mode (the <code>$verbose</code> switch above) before it is allowed to change firewall rules


== See Also ==

* [[Alerts]] - General alert configuration and email setup
* [[Capture_rules|Capture Rules]] - Filter traffic before processing
* [[Order_of_GeoIP_processing]] - GeoIP configuration details
* [[Sniffer_configuration|Sniffer Configuration]] - <code>sip-register</code> and other options
* [[Groups]] - IP and telephone number groups for filtering
* [[Register]] - SIP registration monitoring


== AI Summary for RAG ==

'''Summary:''' VoIPmonitor anti-fraud rules (GUI → Alerts → Anti Fraud) for detecting SIP attacks and fraud. Realtime alerts are processed by the sniffer before a CDR exists and report the attacker IP in alert_info without the source port: Realtime concurrent calls, SIP REGISTER flood, SIP PACKETS flood, Country/Continent destination (first INVITE). CDR-based alerts are evaluated by the GUI from the database: Change CDR country, Change REGISTER country, RTP and SIP response alerts. GeoIP-based alert types: (1) Country/Continent Destination - calls to specific countries, toll fraud prevention; (2) Change CDR Country - IP country change between calls, account compromise; (3) Change REGISTER Country - registration from an unexpected country, credential theft; (4) Fraud: sequential - high call volume using interval (seconds) and limit (max calls), CRITICAL: leave the number field empty to monitor ALL destination numbers; (5) SIP Failed Register - brute-force detection via failed registrations (threshold, interval). Each rule can run a custom script that receives the alert JSON as its 4th argument, with PHP examples for storing RTP alert audio and blocking IPs via iptables/ipset. REGISTER flood mitigation: custom script blocking, SBC/firewall/fail2ban edge blocking, sip-register=no. Requires GeoIP configuration (Settings → System Configuration → GeoIP) with MaxMind API as highest priority, then IPInfoDB, local database, free portals.

'''Keywords:''' anti-fraud, toll fraud, fraud detection, REGISTER flood, SIP attack, concurrent calls, GeoIP, country alert, country change, Change CDR Country, Change REGISTER Country, Fraud sequential, interval, limit, number field empty, SIP failed register, brute-force, credential stuffing, account hijacking, premium rate numbers, sequential pattern detection, call volume monitoring, custom scripts, iptables, ipset, fail2ban, realtime alerts, CDR-based alerts

'''Key Questions:'''
* What anti-fraud alerts are available in VoIPmonitor?
* How do I configure anti-fraud alerts in VoIPmonitor?
* How to block SIP REGISTER flood attacks?
* How do I detect toll fraud in VoIPmonitor?
* What is the difference between realtime and CDR-based alerts?
* What is the Fraud: sequential alert and how do I configure it?
* How to create custom scripts for automated IP blocking?
* How do I detect high volume calls to any destination number?
* Why is the source port not available in realtime alerts?
* Should I leave the number field empty in Fraud: sequential?
* What is the difference between Fraud: sequential and concurrent calls alerts?
* How do I detect account hijacking in VoIPmonitor?
* How do I configure alerts for international calls?
* What is the Change REGISTER Country alert?
* How do I detect brute-force attacks on SIP registration?
* How does VoIPmonitor use GeoIP for fraud detection?

Latest revision as of 16:47, 8 January 2026

