Anti-fraud: Difference between revisions
(Review: opravy formátování nadpisů (chybějící uzavírací =) a kategorie) Tag: Blanking |
(Rewrite: cleaner structure, added diagram, consolidated content) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{DISPLAYTITLE:Anti-Fraud Detection}} | |||
[[Category:Configuration]] | |||
[[Category:Alerts]] | |||
= Anti-Fraud Detection = | |||
VoIPmonitor provides GeoIP-based anti-fraud alerts to detect toll fraud, account hijacking, and brute-force attacks. | |||
<kroki lang="mermaid"> | |||
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 30}}}%% | |||
flowchart LR | |||
subgraph Detection | |||
A[CDR/Register Data] --> B{GeoIP Lookup} | |||
B --> C[Country/IP Analysis] | |||
end | |||
subgraph Alert Types | |||
C --> D[Country Destination] | |||
C --> E[CDR Country Change] | |||
C --> F[Register Country Change] | |||
C --> G[Sequential Pattern] | |||
C --> H[Failed Register] | |||
end | |||
subgraph Response | |||
D & E & F & G & H --> I[Email Alert] | |||
end | |||
</kroki> | |||
== Configuration == | |||
All anti-fraud alerts are configured in '''GUI → Alerts → Anti Fraud'''. | |||
{{Note|1=Anti-fraud features require GeoIP configuration. See [[#GeoIP Integration|GeoIP Integration]] below.}} | |||
== Alert Types == | |||
=== Country/Continent Destination === | |||
Real-time detection of calls to specific countries or continents. Primary use case: detecting toll fraud where compromised accounts make expensive international calls. | |||
'''Configuration:''' | |||
* Select target countries/continents to monitor | |||
* Set threshold for number of calls | |||
* Configure notification recipients | |||
=== Change CDR Country === | |||
Detects when the IP country of caller or callee changes between calls - indicates potential account compromise or SIP credential theft. | |||
'''Configuration:''' | |||
* Whitelist trusted countries (Exclude countries field) | |||
* Apply filters by phone numbers or IP addresses | |||
=== Change REGISTER Country === | |||
Detects device registration from unexpected countries - strong indicator of credential theft or account hijacking. | |||
'''Example:''' User normally registers from Germany but suddenly registers from Russia → alert triggers. | |||
=== Fraud: Sequential === | |||
Detects high-volume sequential calling patterns to destination numbers within a time window. | |||
{| class="wikitable" | |||
|- | |||
! Parameter !! Description !! Example Values | |||
|- | |||
| '''interval''' || Time window (seconds) for counting calls || 600 (10 min), 3600 (1 hour) | |||
|- | |||
| '''limit''' || Max calls allowed before alert triggers || 50, 100, 500 | |||
|- | |||
| '''number field''' || Target destination number (leave empty for ANY) || Empty or specific number | |||
|} | |||
{{Warning|1='''Critical:''' Leave the number field '''empty''' to monitor ALL destination numbers. The alert fires when ANY single destination exceeds the limit within the interval.}} | |||
'''Configuration Steps:''' | |||
# Navigate to '''GUI → Alerts → Anti Fraud''' | |||
# Create new alert with type '''Fraud: sequential''' | |||
# Set '''interval''' (e.g., 600 for 10 minutes) | |||
# Set '''limit''' (e.g., 100 calls) | |||
# '''Leave number field empty''' to apply to ANY number | |||
# Configure recipient email | |||
# Save | |||
'''Example Configurations:''' | |||
{| class="wikitable" | |||
|- | |||
! Scenario !! interval !! limit !! number field | |||
|- | |||
| >100 calls to any number in 10 min || 600 || 100 || Empty | |||
|- | |||
| >500 calls to any number in 1 hour || 3600 || 500 || Empty | |||
|- | |||
| >50 calls in 5 min (high-volume attack) || 300 || 50 || Empty | |||
|- | |||
| Monitor specific premium number || 1800 || 200 || Specify number | |||
|} | |||
{{Tip|1='''Fraud: sequential vs concurrent calls:''' Sequential alerts count total calls over a time window. Concurrent alerts detect simultaneous active calls at one moment. Use sequential for detecting volume spikes, concurrent for capacity monitoring.}} | |||
=== SIP Failed Register === | |||
Detects brute-force and credential stuffing attacks by monitoring failed registration attempts. | |||
{| class="wikitable" | |||
|- | |||
! Parameter !! Description | |||
|- | |||
| '''threshold''' || Maximum failed attempts before alert | |||
|- | |||
| '''interval''' || Time window (seconds) for counting attempts | |||
|} | |||
== GeoIP Integration == | |||
Anti-fraud alerts require GeoIP for IP-to-country resolution. | |||
'''Configuration:''' GUI → Settings → System Configuration → GeoIP | |||
'''Processing priority (fallback mechanism):''' | |||
# MaxMind API (commercial, highest accuracy) | |||
# IPInfoDB API | |||
# Local GeoIP database (GeoIPCity.dat or MySQL tables) | |||
# Free portals (backup) | |||
For detailed GeoIP configuration, see [[Order_of_GeoIP_processing]]. | |||
== Best Practices == | |||
* '''Toll fraud prevention:''' Configure Country/Continent Destination alerts for premium rate countries | |||
* '''Account protection:''' Enable Change REGISTER Country for all critical accounts | |||
* '''Brute-force protection:''' Set SIP Failed Register with low threshold (e.g., 10 attempts in 60 seconds) | |||
* '''Volume monitoring:''' Use Fraud: sequential with empty number field to catch attacks on any destination | |||
* '''Granular control:''' Combine with [[Groups|IP Groups]] for provider-specific monitoring | |||
== See Also == | |||
* [[Alerts]] - General alert configuration and email setup | |||
* [[Order_of_GeoIP_processing]] - GeoIP configuration details | |||
* [[Groups]] - IP and telephone number groups for filtering | |||
* [[Register]] - SIP registration monitoring | |||
== AI Summary for RAG == | |||
'''Summary:''' VoIPmonitor anti-fraud detection guide using GeoIP-based alerts. Alert types: (1) Country/Continent Destination - real-time detection of calls to specific countries for toll fraud prevention; (2) Change CDR Country - detects IP country changes between calls indicating account compromise; (3) Change REGISTER Country - detects registration from unexpected countries indicating credential theft; (4) Fraud: sequential - detects high-volume calling patterns using interval (time window in seconds) and limit (max calls) parameters, CRITICAL: leave number field empty to monitor ALL destination numbers; (5) SIP Failed Register - detects brute-force attacks via failed registration monitoring. Configuration path: GUI → Alerts → Anti Fraud. Requires GeoIP configuration (Settings → System Configuration → GeoIP) with MaxMind API as highest priority. | |||
'''Keywords:''' anti-fraud, toll fraud, fraud detection, GeoIP, country alert, Change CDR Country, Change REGISTER Country, Fraud sequential, interval, limit, number field empty, SIP failed register, brute-force, credential stuffing, account hijacking, premium rate numbers, sequential pattern detection, call volume monitoring | |||
'''Key Questions:''' | |||
* How do I configure anti-fraud alerts in VoIPmonitor? | |||
* How do I detect toll fraud in VoIPmonitor? | |||
* What is the Fraud: sequential alert and how do I configure it? | |||
* How do I detect high volume calls to any destination number? | |||
* Should I leave the number field empty in Fraud: sequential? | |||
* What is the difference between Fraud: sequential and concurrent calls alerts? | |||
* How do I detect account hijacking in VoIPmonitor? | |||
* How do I configure alerts for international calls? | |||
* What is the Change REGISTER Country alert? | |||
* How do I detect brute-force attacks on SIP registration? | |||
* How does VoIPmonitor use GeoIP for fraud detection? | |||
Latest revision as of 16:47, 8 January 2026
Anti-Fraud Detection
VoIPmonitor provides GeoIP-based anti-fraud alerts to detect toll fraud, account hijacking, and brute-force attacks.
Configuration
All anti-fraud alerts are configured in GUI → Alerts → Anti Fraud.
ℹ️ Note: Anti-fraud features require GeoIP configuration. See GeoIP Integration below.
Alert Types
Country/Continent Destination
Real-time detection of calls to specific countries or continents. Primary use case: detecting toll fraud where compromised accounts make expensive international calls.
Configuration:
- Select target countries/continents to monitor
- Set threshold for number of calls
- Configure notification recipients
Change CDR Country
Detects when the IP country of caller or callee changes between calls - indicates potential account compromise or SIP credential theft.
Configuration:
- Whitelist trusted countries (Exclude countries field)
- Apply filters by phone numbers or IP addresses
Change REGISTER Country
Detects device registration from unexpected countries - strong indicator of credential theft or account hijacking.
Example: User normally registers from Germany but suddenly registers from Russia → alert triggers.
Fraud: Sequential
Detects high-volume sequential calling patterns to destination numbers within a time window.
| Parameter | Description | Example Values |
|---|---|---|
| interval | Time window (seconds) for counting calls | 600 (10 min), 3600 (1 hour) |
| limit | Max calls allowed before alert triggers | 50, 100, 500 |
| number field | Target destination number (leave empty for ANY) | Empty or specific number |
⚠️ Warning: Critical: Leave the number field empty to monitor ALL destination numbers. The alert fires when ANY single destination exceeds the limit within the interval.
Configuration Steps:
- Navigate to GUI → Alerts → Anti Fraud
- Create new alert with type Fraud: sequential
- Set interval (e.g., 600 for 10 minutes)
- Set limit (e.g., 100 calls)
- Leave number field empty to apply to ANY number
- Configure recipient email
- Save
Example Configurations:
| Scenario | interval | limit | number field |
|---|---|---|---|
| >100 calls to any number in 10 min | 600 | 100 | Empty |
| >500 calls to any number in 1 hour | 3600 | 500 | Empty |
| >50 calls in 5 min (high-volume attack) | 300 | 50 | Empty |
| Monitor specific premium number | 1800 | 200 | Specify number |
💡 Tip: Fraud: sequential vs concurrent calls: Sequential alerts count total calls over a time window. Concurrent alerts detect simultaneous active calls at one moment. Use sequential for detecting volume spikes, concurrent for capacity monitoring.
SIP Failed Register
Detects brute-force and credential stuffing attacks by monitoring failed registration attempts.
| Parameter | Description |
|---|---|
| threshold | Maximum failed attempts before alert |
| interval | Time window (seconds) for counting attempts |
GeoIP Integration
Anti-fraud alerts require GeoIP for IP-to-country resolution.
Configuration: GUI → Settings → System Configuration → GeoIP
Processing priority (fallback mechanism):
- MaxMind API (commercial, highest accuracy)
- IPInfoDB API
- Local GeoIP database (GeoIPCity.dat or MySQL tables)
- Free portals (backup)
For detailed GeoIP configuration, see Order_of_GeoIP_processing.
Best Practices
- Toll fraud prevention: Configure Country/Continent Destination alerts for premium rate countries
- Account protection: Enable Change REGISTER Country for all critical accounts
- Brute-force protection: Set SIP Failed Register with low threshold (e.g., 10 attempts in 60 seconds)
- Volume monitoring: Use Fraud: sequential with empty number field to catch attacks on any destination
- Granular control: Combine with IP Groups for provider-specific monitoring
See Also
- Alerts - General alert configuration and email setup
- Order_of_GeoIP_processing - GeoIP configuration details
- Groups - IP and telephone number groups for filtering
- Register - SIP registration monitoring
AI Summary for RAG
Summary: VoIPmonitor anti-fraud detection guide using GeoIP-based alerts. Alert types: (1) Country/Continent Destination - real-time detection of calls to specific countries for toll fraud prevention; (2) Change CDR Country - detects IP country changes between calls indicating account compromise; (3) Change REGISTER Country - detects registration from unexpected countries indicating credential theft; (4) Fraud: sequential - detects high-volume calling patterns using interval (time window in seconds) and limit (max calls) parameters, CRITICAL: leave number field empty to monitor ALL destination numbers; (5) SIP Failed Register - detects brute-force attacks via failed registration monitoring. Configuration path: GUI → Alerts → Anti Fraud. Requires GeoIP configuration (Settings → System Configuration → GeoIP) with MaxMind API as highest priority.
Keywords: anti-fraud, toll fraud, fraud detection, GeoIP, country alert, Change CDR Country, Change REGISTER Country, Fraud sequential, interval, limit, number field empty, SIP failed register, brute-force, credential stuffing, account hijacking, premium rate numbers, sequential pattern detection, call volume monitoring
Key Questions:
- How do I configure anti-fraud alerts in VoIPmonitor?
- How do I detect toll fraud in VoIPmonitor?
- What is the Fraud: sequential alert and how do I configure it?
- How do I detect high volume calls to any destination number?
- Should I leave the number field empty in Fraud: sequential?
- What is the difference between Fraud: sequential and concurrent calls alerts?
- How do I detect account hijacking in VoIPmonitor?
- How do I configure alerts for international calls?
- What is the Change REGISTER Country alert?
- How do I detect brute-force attacks on SIP registration?
- How does VoIPmonitor use GeoIP for fraud detection?