Anti-fraud: Difference between revisions

From VoIPmonitor.org
(Add SIP REGISTER flood mitigation strategies)
(Major restructure: add PlantUML diagram, convert indented code to syntaxhighlight, add tables, improve PHP formatting, streamline AI summary)

{{DISPLAYTITLE:Anti-Fraud Rules}}
[[Category:GUI manual]]
== Anti-Fraud Rules ==

Anti-fraud rules are accessed via '''GUI > Alerts > Anti Fraud'''. Rules combat fraud and attacks, with ongoing additions. Each rule supports custom scripts for actions like firewall rules, besides email alerts. Alerts are archived in Sent Alerts.

=== Overview ===

<kroki lang="plantuml">
@startuml
skinparam shadowing false
skinparam defaultFontName Arial

rectangle "VoIPmonitor\nSensor" as sensor
rectangle "Realtime\nDetection" as realtime
rectangle "CDR-based\nDetection" as cdr_detect
database "MySQL" as db
rectangle "Alert\nProcessor" as processor
rectangle "Custom\nScript" as script
rectangle "Firewall\n(iptables)" as fw
rectangle "Email\nNotification" as email

sensor --> realtime : SIP packets
sensor --> db : CDRs
realtime --> processor : Immediate trigger
db --> cdr_detect : Query
cdr_detect --> processor : Threshold exceeded
processor --> script : Execute action
processor --> email : Send alert
script --> fw : Block IP
@enduml
</kroki>

=== List of Fraud/Watchdog Alerts ===

{| class="wikitable"
|-
! Alert Type !! Processing !! Description
|-
| Realtime concurrent calls || Realtime || Monitors concurrent calls per source IP
|-
| SIP REGISTER flood/attack || Realtime || Detects REGISTER flooding
|-
| SIP PACKETS flood/attack || Realtime || Detects generic SIP packet floods
|-
| Change CDR country || CDR-based || IP geolocation changed between calls
|-
| Change REGISTER country || CDR-based || REGISTER source country changed
|-
| Country/Continent destination || Realtime || Calls to specific destinations
|-
| [[Billing#Watchdog|Billing Watchdog]] || CDR-based || Billing anomaly detection
|}

=== Alert Processing Differences ===

VoIPmonitor processes alerts in two different ways, which affects what data is available and when:

;Realtime alerts:
:Processed directly by the sniffer as packets arrive. Triggered immediately based on packet inspection, but CDRs are not yet available.
:* Realtime concurrent calls
:* SIP REGISTER flood
:* SIP PACKETS flood

;CDR-based alerts:
:Evaluated by the GUI after CDRs have been stored in the database.
:* Change CDR country
:* Change REGISTER country
:* Country/Continent destination
:* RTP alerts
:* SIP Response alerts

==== Important Limitation: Source Port in Realtime Alerts ====

Realtime alerts provide the attacker's IP address in the <code>alert_info</code> object, but do '''not''' include the SIP source port.

The source port can be queried from <code>cdr.caller_port</code> in the database, but this has critical limitations:
* '''Delay''': CDRs are written after the realtime alert triggers, so querying the database adds latency that defeats the purpose of immediate blocking
* '''Port may not exist''': Flood attacks may be detected and blocked before a CDR is created, so the source port may never be available for those packets

'''Recommendation:'''
* For real-time defense: Block by IP address only, and accept that legitimate traffic from that IP may be temporarily affected
* For non-real-time blocking by IP + source port: Use CDR-based alerts (RTP alerts, SIP Response alerts), which include the CDR ID and allow database queries
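
The two processing paths above, as an added Python example (not VoIPmonitor code): a custom-script handler that plans firewall rules from the decoded 4th argument. For a realtime payload (a list of triggered rules carrying <code>alert_info.ip</code>) it can only block by IP; for a CDR-based payload (an object with a <code>cdr</code> list) it resolves <code>sipcallerip</code> / <code>caller_port</code> through a lookup table that stands in for the database query and narrows the rule to IP + source port. The payload shapes, the table contents and the addresses are constructed assumptions.

```python
import ipaddress
import json

# Constructed stand-in for "SELECT sipcallerip, caller_port FROM cdr WHERE id IN (...)".
# A real script would query MySQL; these rows are made up for the example.
CDR_TABLE = {
    1001: {"sipcallerip": "203.0.113.7", "caller_port": 5060},
    1002: {"sipcallerip": "203.0.113.7", "caller_port": 41234},
    1003: {"sipcallerip": "198.51.100.9", "caller_port": 5060},
}

# Networks that must never be blocked (mirrors the rule's IP exclude option).
EXCLUDED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def is_excluded(ip: str) -> bool:
    """True for excluded networks and for anything that is not a parseable address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # never hand an unparseable value to the firewall
    return any(addr in net for net in EXCLUDED_NETWORKS)


def plan_realtime_block(rules: list) -> list:
    """Realtime alerts (concurrent calls, REGISTER/PACKETS flood): one IP-only rule per
    distinct alert_info.ip. No port is available, so legitimate traffic from the same
    address is affected as well."""
    ips = []
    for rule in rules:
        ip = rule.get("alert_info", {}).get("ip")
        if ip and ip not in ips and not is_excluded(ip):
            ips.append(ip)
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


def plan_cdr_block(alert: dict, cdr_table: dict = CDR_TABLE) -> list:
    """CDR-based alerts (RTP, SIP Response): the payload carries CDR IDs, so the caller's
    port can be resolved and the rule narrowed to IP + source port. Only usable for
    non-real-time blocking, since the CDR is written after the alert fired."""
    seen = set()
    out = []
    for cdr_id in alert.get("cdr", []):
        row = cdr_table.get(int(cdr_id))
        if row is None:
            continue  # CDR not written yet: port unknown, nothing to narrow on
        key = (row["sipcallerip"], row["caller_port"])
        if key in seen or is_excluded(key[0]):
            continue
        seen.add(key)
        out.append(f"iptables -A INPUT -p udp -s {key[0]} --sport {key[1]} -j DROP")
    return out


def plan_block(argv4: str) -> list:
    """Dispatch on the shape of the 4th script argument (assumed: list = realtime rules,
    object with a cdr list = CDR-based alert)."""
    data = json.loads(argv4)
    if isinstance(data, list):
        return plan_realtime_block(data)
    return plan_cdr_block(data)


# Constructed payloads in the shapes the page's PHP scripts decode.
REALTIME_PAYLOAD = json.dumps([
    {"at": "2026-01-04 18:00:00", "alert_info": {"ip": "203.0.113.7"}},
    {"at": "2026-01-04 18:00:05", "alert_info": {"ip": "203.0.113.7"}},
    {"at": "2026-01-04 18:00:07", "alert_info": {"ip": "10.1.2.3"}},  # excluded network
])
CDR_PAYLOAD = json.dumps({"cdr": [1001, 1002, 1003, 9999]})  # 9999: CDR not yet written

if __name__ == "__main__":
    for cmd in plan_block(REALTIME_PAYLOAD) + plan_block(CDR_PAYLOAD):
        print(cmd)
```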


=== Common Configuration ===

Options shared across anti-fraud rules:

{| class="wikitable"
|-
! Option !! Description
|-
| Enable hyperlinks || Makes email alert titles clickable links to rule definitions
|-
| IP include/exclude || Exclude IPs or networks (e.g., <code>10.0.0.0/8</code>) or use IP groups
|-
| Suppress repeating alerts || Limit alerts to once per X hours to avoid spamming
|-
| Numbers include/exclude || Filter source numbers/prefixes (e.g., a general rule for >10 concurrent calls that excludes specific customers)
|-
| External script || Path to a script on the server that is executed when the rule triggers
|}

'''International prefixes configuration:'''
* '''International prefixes''': Distinguish local/international calls (default: <code>+</code>, <code>00</code>)
* '''Min international length''': Numbers shorter than this are treated as local
* '''Local numbers are in''': Country for classifying international-prefixed calls as local


=== SIP REGISTER Flood/Attack ===

Triggers when >= N registration attempts from an IP occur within the set interval.

==== Mitigation Strategies ====

When SIP REGISTER floods cause excessive CPU usage or system unresponsiveness, use these mitigation strategies:

===== 1. Immediate Blocking via Custom Scripts =====

Configure a custom script in the SIP REGISTER flood alert rule to automatically block the attacker IP. The <code>alert_info</code> object contains the attacker's IP address for use in the script (see the [[#Custom Script Examples|custom script examples]] below).

Block using iptables:
<syntaxhighlight lang="bash">
iptables -A INPUT -s <ATTACKER_IP> -j DROP
</syntaxhighlight>

Block using ipset (more efficient for multiple IPs):
<syntaxhighlight lang="bash">
ipset add blacklist <ATTACKER_IP>
</syntaxhighlight>

===== 2. Network Edge Blocking (Recommended) =====

For long-term protection and better performance, block SIP REGISTER spam at your network edge:
* '''Session Border Controller (SBC)''': Configure rate limiting and IP blocking on the SBC
* '''Firewall''': Block known malicious IPs at the perimeter firewall before traffic reaches VoIPmonitor
* '''Fail2ban''': Use fail2ban with custom filters to automatically block IPs after repeated REGISTER failures

===== 3. Reducing REGISTER Noise =====

To prevent REGISTER floods from overwhelming VoIPmonitor:
* Disable REGISTER processing if not needed: set <code>sip-register = no</code> in <code>voipmonitor.conf</code>
* Filter REGISTER packets using firewall rules (block specific countries or networks)
* Use [[Capture_rules|capture rules]] to exclude known good REGISTER sources from being processed

=== Realtime Concurrent Calls ===

Tracks source IPs in realtime (not CDR-based) for concurrent calls. Useful against high-channel attacks.

;Parameters:
:* '''Concurrent calls limit''': Trigger on international, local, or both exceeding limits
:* '''Time period rules''': Vary alerts by work/after hours (defined in '''Groups > TimePeriods''')
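
How the international-prefix settings from Common Configuration and the concurrent-calls limit fit together, as an added Python example (not VoIPmonitor code): numbers are classified with the page's three prefix options, then counted per source IP and compared against a limit in international, local or both mode. The country code, the minimum length, the active-call list and the strict "exceeds" comparison are assumptions.

```python
from collections import defaultdict

# Defaults from the page: international prefixes "+" and "00".
INTERNATIONAL_PREFIXES = ("+", "00")
MIN_INTERNATIONAL_LENGTH = 9      # assumed value of "Min international length"
LOCAL_COUNTRY_CODE = "420"        # assumed "Local numbers are in": Czech Republic (+420)


def classify_number(number: str,
                    prefixes=INTERNATIONAL_PREFIXES,
                    min_intl_len=MIN_INTERNATIONAL_LENGTH,
                    local_cc=LOCAL_COUNTRY_CODE) -> str:
    """Return 'local' or 'international' for one dialled number."""
    digits = number.strip()
    prefix = next((p for p in prefixes if digits.startswith(p)), None)
    if prefix is None:
        return "local"                 # no international prefix at all
    rest = digits[len(prefix):]
    if len(rest) < min_intl_len:
        return "local"                 # too short to be a real international number
    if rest.startswith(local_cc):
        return "local"                 # dialled with a prefix, but into the home country
    return "international"


def count_concurrent(active_calls):
    """active_calls: iterable of (source_ip, called_number) for calls in progress.
    Returns per-IP counts split into local and international."""
    counts = defaultdict(lambda: {"local": 0, "international": 0})
    for src_ip, number in active_calls:
        counts[src_ip][classify_number(number)] += 1
    return counts


def check_limit(active_calls, limit: int, mode: str = "international"):
    """mode is 'international', 'local' or 'both' (sum of both kinds), as in the rule's
    'Concurrent calls limit'. Returns (ip, count) pairs whose count exceeds the limit."""
    exceeded = []
    for ip, c in count_concurrent(active_calls).items():
        n = c["local"] + c["international"] if mode == "both" else c[mode]
        if n > limit:
            exceeded.append((ip, n))
    return exceeded


# Constructed snapshot of active calls: (source IP, called number).
ACTIVE_CALLS = [
    ("203.0.113.7", "+4491234567890"),   # UK: international
    ("203.0.113.7", "0049301234567"),    # Germany via 00 prefix: international
    ("203.0.113.7", "+420601234567"),    # home country dialled with prefix: local
    ("203.0.113.7", "601234567"),        # no prefix: local
    ("203.0.113.7", "+1234"),            # shorter than min length: local
    ("198.51.100.9", "+14155550100"),    # US: international
]

if __name__ == "__main__":
    for ip, c in count_concurrent(ACTIVE_CALLS).items():
        print(ip, c)
    print("international > 1:", check_limit(ACTIVE_CALLS, 1, "international"))
    print("both > 4:", check_limit(ACTIVE_CALLS, 4, "both"))
```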


=== Change CDR Country ===

Triggers when the CDR source IP changes country/continent since the last call.

;Parameters:
:* '''Exclude countries from alert''': Whitelist countries to skip

=== Change REGISTER Country ===

Triggers when a SIP REGISTER username changes country/continent since its last successful registration.

;Parameters:
:* '''Exclude countries from alert''': Whitelist countries to skip

=== Country/Continent Destination ===

Triggers on calls to a specific country/continent, based on the first SIP INVITE (realtime processing).

=== SIP PACKETS Flood/Attack ===

Triggers when >= N packets from an IP occur within the set interval.
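
The two flood rules (SIP REGISTER flood and SIP PACKETS flood) as an added Python example, not VoIPmonitor code: a per-source-IP sliding window that triggers once >= N matching packets arrive within the interval, with the "Suppress repeating alerts" and IP exclude options from Common Configuration folded in. The packet trace, thresholds and the alert object shape (which mirrors the <code>at</code> / <code>alert_info.ip</code> fields the page's scripts read) are constructed.

```python
import ipaddress
from collections import defaultdict, deque


class FloodDetector:
    """Per-source-IP sliding window. Triggers when >= threshold matching packets from
    one IP fall within `interval` seconds. methods=None models the SIP PACKETS rule
    (any SIP packet); methods={"REGISTER"} models the SIP REGISTER rule. `suppress`
    mirrors 'Suppress repeating alerts': at most one alert per IP per `suppress` seconds."""

    def __init__(self, threshold, interval, methods=None, suppress=0.0, exclude=()):
        self.threshold = threshold
        self.interval = interval
        self.methods = set(methods) if methods else None
        self.suppress = suppress
        self.exclude = [ipaddress.ip_network(n) for n in exclude]
        self.windows = defaultdict(deque)   # ip -> timestamps still inside the window
        self.last_alert = {}                # ip -> timestamp of the last alert

    def _excluded(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exclude)

    def observe(self, ts, src_ip, method):
        """Feed one packet; return an alert dict when the rule triggers, else None."""
        if self.methods is not None and method not in self.methods:
            return None
        if self._excluded(src_ip):
            return None
        window = self.windows[src_ip]
        window.append(ts)
        while window and ts - window[0] > self.interval:
            window.popleft()            # drop packets older than the interval
        if len(window) < self.threshold:
            return None
        last = self.last_alert.get(src_ip)
        if last is not None and ts - last < self.suppress:
            return None                 # repeating alert suppressed
        self.last_alert[src_ip] = ts
        return {"at": ts, "alert_info": {"ip": src_ip}, "count": len(window)}


def run_detector(packets, detector):
    """Replay (seconds, source IP, SIP method) records and collect the alerts."""
    alerts = []
    for ts, ip, method in packets:
        alert = detector.observe(ts, ip, method)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed trace: (seconds, source IP, SIP method).
PACKETS = [
    (0.0, "203.0.113.7", "REGISTER"),
    (0.2, "203.0.113.7", "REGISTER"),
    (0.4, "203.0.113.7", "REGISTER"),
    (0.6, "203.0.113.7", "REGISTER"),
    (0.8, "203.0.113.7", "REGISTER"),   # 5th REGISTER within 1 s
    (0.9, "203.0.113.7", "REGISTER"),   # still inside the suppress window
    (1.0, "198.51.100.9", "INVITE"),
    (1.1, "198.51.100.9", "OPTIONS"),
    (1.2, "198.51.100.9", "INVITE"),    # 3rd packet within 1 s, no REGISTER among them
    (1.3, "10.0.0.5", "REGISTER"),      # excluded network: never counted
    (1.4, "10.0.0.5", "REGISTER"),
    (1.5, "10.0.0.5", "REGISTER"),
    (1.6, "10.0.0.5", "REGISTER"),
    (1.7, "10.0.0.5", "REGISTER"),
    (12.0, "203.0.113.7", "REGISTER"),  # window has expired: no trigger
]

if __name__ == "__main__":
    register_rule = FloodDetector(5, 1.0, methods={"REGISTER"}, suppress=3600,
                                  exclude=["10.0.0.0/8"])
    packets_rule = FloodDetector(3, 1.0, suppress=2.0, exclude=["10.0.0.0/8"])
    print("REGISTER flood:", run_detector(PACKETS, register_rule))
    print("PACKETS flood:", run_detector(PACKETS, packets_rule))
```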
 
=== Custom Script Examples ===

Custom scripts receive alert data as command-line arguments. Use <code>json_decode($argv[4])</code> in PHP to parse the alert data passed in the 4th argument.

==== Logging Passed Arguments ====

Simple script to log all arguments for debugging:

<syntaxhighlight lang="bash">
#!/bin/bash
echo "$@" >> /tmp/passed_info.txt
</syntaxhighlight>

==== RTP Alert: Store Audio Files ====

Script to automatically download audio for calls that triggered an RTP alert:

<syntaxhighlight lang="php">
#!/usr/bin/php
<?php
// Configuration
$directory = '/home/alerts/audio';      // where to store audio from triggered alerts
$date      = date('Y-m-d');             // stored in a per-day subdirectory YYYY-MM-DD
$guiDir    = '/var/www/voipmonitor';    // where the GUI is installed
$destdir   = $directory . '/' . $date;

// Create destination directory
if (!is_dir($destdir) && !mkdir($destdir, 0750, true)) {
    fwrite(STDERR, "Cannot create $destdir\n");
    exit(1);
}

// Parse alert data (4th argument)
$alert = json_decode($argv[4]);
if ($alert === null || empty($alert->cdr)) {
    exit(0);
}

// Download audio for each CDR in the alert through the GUI API
foreach ($alert->cdr as $cdr) {
    $cdr = (int) $cdr;
    $params = json_encode(array(
        'task'     => 'getVoiceRecording',
        'user'     => 'admin',          // GUI API credentials (replace the defaults)
        'password' => 'admin',
        'params'   => array('cdrId' => (string) $cdr),
    ));
    // escapeshellarg() keeps the JSON quoting intact when it is piped through the shell
    $command = 'echo ' . escapeshellarg($params)
             . " | php $guiDir/php/api.php > " . escapeshellarg("$destdir/file_id_$cdr.pcap");
    exec($command, $arr, $val);
    if ($val !== 0) {
        fwrite(STDERR, "api.php failed for CDR $cdr (exit code $val)\n");
    }
}
</syntaxhighlight>

==== RTP Alert: Block IP After Threshold ====

Script to block, on a remote PBX via ssh, caller IPs that appear in more than <code>$Limit</code> CDRs of the alert. With <code>$verbose = 1</code> the script only prints what it would do; set it to 0 to execute the block command:

<syntaxhighlight lang="php">
#!/usr/bin/php
<?php
// Configuration
$Limit        = 19;                                         // block when more than this many CDRs per caller IP
$blockCommand = "ssh root@pbx -p2112 ipset add blacklist";
$verbose      = 1;  // 1 = dry-run (print only), 0 = execute blocking

// Parse alert data (4th argument)
$alertsData = json_decode($argv[4]);
if ($alertsData === null || empty($alertsData->cdr)) {
    exit(0);
}

// Build comma-separated list of CDR IDs for the query
$cdrIds = array_map('intval', (array) $alertsData->cdr);
$out = implode(',', $cdrIds);

// Query database for caller IPs and incident counts (\G prints one field per line)
$query = "SELECT INET_NTOA(sipcallerip), COUNT(*) as incidents
          FROM voipmonitor.cdr
          WHERE id IN ($out)
          GROUP BY INET_NTOA(sipcallerip)
          ORDER BY incidents DESC\\G";
$command = "mysql -h MYSQLHOST -u MYSQLUSER -pMYSQLPASS -e " . escapeshellarg($query);
exec($command, $arr);

// Parse \G output: "INET_NTOA(sipcallerip): <ip>" followed by "incidents: <count>"
$resultip  = array();
$resultcnt = array();
foreach ($arr as $nth => $line) {
    if (strpos($line, 'INET') === false) continue;
    $resultip[]  = trim(substr($line, strpos($line, ':') + 1));
    $next        = isset($arr[$nth + 1]) ? $arr[$nth + 1] : '';
    $resultcnt[] = (int) trim(substr($next, strpos($next, ':') + 1));
}

// Block IPs that exceed the limit
if (!count($resultip)) exit;
foreach ($resultip as $n => $ip) {
    if ($resultcnt[$n] > $Limit && filter_var($ip, FILTER_VALIDATE_IP)) {
        if ($verbose) {
            echo "$ip : $resultcnt[$n] incidents\n$blockCommand $ip\n\n";
        } else {
            exec($blockCommand . ' ' . escapeshellarg($ip), $ar, $rc);
        }
    }
}
</syntaxhighlight>

==== Concurrent Calls: Block Attacker IP ====

Script for blocking IPs based on the concurrent calls alert. Enable "By caller IP" in the alert settings so that <code>alert_info->ip</code> carries the attacker IP:

<syntaxhighlight lang="php">
#!/usr/bin/php
<?php
// Parse triggered rules (4th argument)
$triggedRules = json_decode($argv[4]);
if (empty($triggedRules)) {
    exit(0);
}

// Count triggers per IP address
$IPtriggers = array();
foreach ($triggedRules as $rule) {
    $keyIP = $rule->alert_info->ip;   // source IP that triggered the rule, used as key
    $when  = $rule->at;               // when the rule triggered
    // alert_info may also carry local_international and timeperiod_name
    // (timeperiod_name is unset when the main parent rule triggered)

    if (!isset($IPtriggers[$keyIP])) {
        $IPtriggers[$keyIP] = 1;
    } else {
        $IPtriggers[$keyIP] += 1;
    }
}

// Block all IPs that triggered any rule
foreach ($IPtriggers as $IPKey => $nmGuilt) {
    if (!filter_var($IPKey, FILTER_VALIDATE_IP)) {
        fwrite(STDERR, "Skipping invalid address: $IPKey\n");
        continue;
    }
    passthru('iptables -A INPUT -s ' . escapeshellarg($IPKey) . ' -j DROP', $ret);
    if ($ret != 0) {
        echo "Problem setting firewall!\n";
        exit(1);
    }
}
</syntaxhighlight>

=== See Also ===

* [[Alerts|Alerts & Reports]] - General alert configuration
* [[Capture_rules|Capture Rules]] - Filter traffic before processing
* [[Sniffer_configuration|Sniffer Configuration]] - <code>sip-register</code> and other options

== AI Summary for RAG ==

'''Summary:''' VoIPmonitor anti-fraud rules for detecting SIP attacks (REGISTER floods, packet floods), concurrent calls abuse, and geographic anomalies. Includes realtime vs CDR-based alert differences (realtime alerts carry no source port, and querying the database for it adds delay), custom script examples for automated IP blocking, and mitigation strategies.

'''Keywords:''' anti-fraud, REGISTER flood, SIP attack, concurrent calls, country change, custom scripts, iptables, ipset, fail2ban, realtime alerts, CDR-based alerts, source port

'''Key Questions:'''
* What anti-fraud alerts are available in VoIPmonitor?
* How to block SIP REGISTER flood attacks?
* What is the difference between realtime and CDR-based alerts?
* How to create custom scripts for automated IP blocking?
* Why is source port not available in realtime alerts?

Revision as of 18:07, 4 January 2026
