Anti-fraud

From VoIPmonitor.org
Revision as of 15:51, 4 January 2026 by Admin (talk | contribs) (Add SIP REGISTER flood mitigation strategies)

Anti-Fraud Rules

Anti-fraud rules are accessed via main menu Alerts > Anti Fraud. The rules detect fraud and attacks, and new rules are added over time. Besides sending an email alert, each rule can run a custom script for actions such as adding firewall rules. Triggered alerts are archived in Sent Alerts.

List of Fraud/Watchdog Alerts

  • Realtime concurrent calls
  • SIP REGISTER flood / attack
  • SIP PACKETS flood / attack
  • Change CDR country
  • Change REGISTER country
  • Country/Continent destination
  • Watchdog (described on the Billing page)

Alert Processing Differences

VoIPmonitor processes alerts in two different ways, which affects what data is available and when:

  • Realtime alerts (Realtime concurrent calls, SIP REGISTER flood, SIP PACKETS flood): These are processed directly by the sniffer as packets arrive. They are triggered immediately based on packet inspection but do not have Call Detail Records (CDRs) available yet.
  • CDR-based alerts (Change CDR country, Change REGISTER country, Country/Continent destination, RTP alerts, SIP Response alerts): These are evaluated by the GUI after CDRs have been stored in the database.

Important Limitation: Source Port Not Available in Realtime Alerts

Realtime alerts (concurrent calls, REGISTER flood, PACKETS flood) provide the attacker's IP address in the alert_info object, but do not include the SIP source port. The source port can be looked up afterwards in the caller_port column of the cdr table, but this approach has critical limitations:

  • Not suitable for real-time blocking: There is a delay between when the realtime alert triggers and when the CDR (with caller_port) is written to the database. For real-time fraud blocking scenarios, querying the database adds latency that defeats the purpose of immediate blocking.
  • Port may not exist yet: Some realtime attacks (like SIP flood attacks) are detected and blocked before a complete call CDR is created, so the source port may never be available in the database for those specific packets.

For scenarios where you need to block by IP+source port to avoid affecting legitimate traffic from the same IP, the recommended approach is to use CDR-based alerts (RTP alerts, SIP Response alerts) which include the CDR ID and allow database queries. However, this should only be used for non-real-time blocking scenarios due to the inherent delay. For true real-time defense, you must block by IP address only and accept that legitimate traffic from that IP may be temporarily affected.

Common Configuration

Shared across some rules:

  • Enable hyperlinks: Makes email alert titles clickable links to rule definitions.
  • IP include/exclude: Exclude IPs or networks (e.g., 10.0.0.0/8) or use IP groups.
  • Suppress repeating alerts: Limit alerts to once per X hours to avoid spamming.
  • Numbers include/exclude: Filter source numbers/prefixes (e.g., general rule for >10 concurrent calls, excluding specific customers).
  • External script: Path to server script for execution.
  • International prefixes configuration:
      • International prefixes: Distinguish local/international calls (default: +, 00).
      • Min international length: Numbers shorter than this are treated as local.
      • Local numbers are in: Select country for classifying international-prefixed calls as local.
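To make the three prefix settings concrete, here is an added illustration (not VoIPmonitor's own code) of how a dialled number is classified as local or international under them. The calling-code table is a constructed excerpt, the default minimum length of 10 and the choice to measure that length on the full dialled string (prefix included) are assumptions; the GUI uses its own country database.

```python
"""Classify dialled numbers as local or international the way the
"International prefixes" settings describe. Added illustration, not
VoIPmonitor's own code; the calling-code table is a constructed excerpt."""

# Constructed excerpt of E.164 country calling codes (assumption: enough for the demo).
COUNTRY_CODES = {"1": "US", "44": "GB", "420": "CZ", "421": "SK", "49": "DE"}

DEFAULT_PREFIXES = ("+", "00")  # the page's documented defaults


def strip_international_prefix(number, prefixes=DEFAULT_PREFIXES):
    """Return the number without its international prefix, or None if it has none."""
    for p in sorted(prefixes, key=len, reverse=True):  # longest prefix first
        if number.startswith(p):
            return number[len(p):]
    return None


def country_of(digits):
    """Look up the calling code (1 to 3 digits) of a number written without prefix."""
    for length in (3, 2, 1):
        code = digits[:length]
        if code in COUNTRY_CODES:
            return COUNTRY_CODES[code]
    return None


def classify(number, prefixes=DEFAULT_PREFIXES, min_international_length=10,
             local_country="CZ"):
    """Return 'local' or 'international' for a dialled number.

    Rules, as the settings describe them:
    - no international prefix                  -> local
    - shorter than "Min international length"  -> local (assumption: measured on
      the full dialled string, prefix included)
    - prefix + calling code of local_country   -> local ("Local numbers are in")
    - otherwise                                -> international
    """
    digits = "".join(ch for ch in number if ch.isdigit() or ch == "+")
    rest = strip_international_prefix(digits, prefixes)
    if rest is None:
        return "local"
    if len(digits) < min_international_length:
        return "local"
    if country_of(rest) == local_country:
        return "local"
    return "international"


if __name__ == "__main__":
    for n in ("+420123456789", "0044123456789", "123456", "+4912345"):
        print(n, "->", classify(n, local_country="CZ"))
```

With "Local numbers are in" set to CZ, a call to +420 123 456 789 is counted as local even though it was dialled with an international prefix, while 0044... is international.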

SIP REGISTER Flood/Attack

Triggers when N or more registration attempts from one IP occur within the configured interval.

Mitigation Strategies

When SIP REGISTER floods cause excessive CPU usage or system unresponsiveness, implement these mitigation strategies:

1. Immediate Blocking via Custom Scripts (VoIPmonitor)

Configure a custom script in the SIP REGISTER flood alert rule to automatically block the attacker IP. The alert_info object contains the attacker's IP address for use in your script.

  • Block using iptables: see the PHP example under Alert Type Realtime Concurrent Calls below, which runs iptables -A INPUT -s <IP> -j DROP
  • Block using ipset: use ipset add blacklist <IP>, which handles large numbers of blocked IPs more efficiently than one iptables rule per IP
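The following added script (not from the VoIPmonitor project) shows what such a hook can look like written in Python instead of PHP; the custom-script hook runs any executable, and the script relies only on the documented interface: the 4th argument is JSON and each triggered rule carries alert_info.ip. Because realtime alerts carry no source port (see the limitation above), it blocks by IP only, and it refuses non-routable or malformed values so a corrupt alert cannot turn into a firewall rule. The allowlist network, the ipset name "blacklist", the BLOCK_DRY_RUN environment variable and the sample alert in the usage note are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Custom alert script that blocks attacker IPs reported by a realtime alert.

Added example, not VoIPmonitor's own code. It relies only on the documented
interface: argv[4] is JSON and each triggered rule carries alert_info.ip.
Realtime alerts carry no source port, so blocking is by IP only. The
allowlist, the ipset name and the BLOCK_DRY_RUN variable are assumptions.
"""
import ipaddress
import json
import os
import subprocess
import sys

# Assumption: your own public ranges (trunk provider, branch offices) that must never be blocked.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("1.2.3.0/24",)]
IPSET_NAME = "blacklist"  # assumption: an existing hash:ip set referenced by an iptables DROP rule


def attacker_ips(alert_json):
    """Return the distinct block-worthy IPs named in the alert JSON, in first-seen order."""
    rules = json.loads(alert_json)
    if isinstance(rules, dict):  # tolerate a single rule object as well as a list of rules
        rules = [rules]
    chosen = []
    for rule in rules:
        raw = (rule.get("alert_info") or {}).get("ip")
        if not raw:
            continue
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed value: never hand it to the firewall
        # skip private, loopback, documentation and other non-routable ranges, plus the allowlist
        if not ip.is_global or any(ip in net for net in NEVER_BLOCK):
            continue
        if ip not in chosen:
            chosen.append(ip)
    return chosen


def block_commands(ips):
    """Build argv lists (no shell, so no quoting problems); -exist makes re-adding an IP a no-op."""
    return [["ipset", "add", IPSET_NAME, str(ip), "-exist"] for ip in ips]


def main(argv):
    if len(argv) < 5:
        print("usage: block_alert_ips.py <arg1> <arg2> <arg3> <alert-json>", file=sys.stderr)
        return 2
    dry_run = os.environ.get("BLOCK_DRY_RUN") == "1"  # assumption: set for testing by hand
    for cmd in block_commands(attacker_ips(argv[4])):
        if dry_run:
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=False)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To try it by hand before pointing the rule at it, run it with a constructed alert and the dry-run variable set, e.g. BLOCK_DRY_RUN=1 ./block_alert_ips.py a b c '[{"alert_info":{"ip":"5.6.7.8"}}]', which prints the ipset command instead of running it.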

2. Network Edge Blocking (Recommended for Prevention)

For long-term protection and better performance, block SIP REGISTER spam at your network edge:

  • Session Border Controller (SBC): Configure rate limiting and IP blocking on your SBC
  • Firewall rules: Block known malicious IPs at the perimeter firewall before traffic reaches VoIPmonitor
  • Fail2ban: Use fail2ban with custom filters to automatically block IPs after repeated REGISTER failures

3. Reducing REGISTER Noise

To prevent REGISTER floods from overwhelming VoIPmonitor:

  • Disable REGISTER processing if not needed: Set sip-register = no in voipmonitor.conf
  • Filter REGISTER packets using firewall rules (block specific countries or networks)
  • Use capture rules to exclude known good REGISTER sources from being processed

Realtime Concurrent Calls

Tracks source IPs in realtime (not CDR-based) for concurrent calls, aiding against high-channel attacks. Parameters:

  • Concurrent calls limit: Trigger on international, local, or both exceeding limits.
  • Time period rules: Vary alerts by work/after hours (defined in Groups > TimePeriods).

Change CDR Country

Triggers on CDR IP source changing country/continent since last call. Parameters:

  • Exclude countries from alert: Whitelist countries to skip.

Change REGISTER Country

Triggers on SIP REGISTER username changing country/continent since last success. Parameters:

  • Exclude countries from alert: Whitelist countries to skip.

Country/Continent Destination

Triggers on calls to specific country/continent, based on first SIP INVITE (realtime).

SIP PACKETS Flood/Attack

Triggers when N or more packets from one IP occur within the configured interval.
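The SIP REGISTER flood and SIP PACKETS flood rules describe the same kind of check: N or more events from one source IP inside a sliding time window. The following is an added illustration of that counting logic (not the sniffer's implementation, which works on live packets); the event list is constructed, and the function also reports at which event the limit was first reached, which the rule description does not spell out.

```python
"""Sliding-window flood counter of the kind the SIP REGISTER flood and SIP
PACKETS flood rules describe: alert when >= N events from one source IP fall
inside one interval. Added illustration, not the sniffer's code."""
from collections import defaultdict, deque


def flood_sources(events, threshold, interval_s):
    """events: iterable of (timestamp_seconds, source_ip).
    Returns {ip: timestamp at which that IP first reached the threshold}."""
    windows = defaultdict(deque)   # per-IP timestamps still inside the window
    triggered = {}
    for ts, ip in sorted(events):  # replay in time order, as the sniffer sees packets arrive
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] > interval_s:   # expire events older than the interval
            q.popleft()
        if len(q) >= threshold and ip not in triggered:
            triggered[ip] = ts
    return triggered


# Constructed sample: one host sends six REGISTERs within 2.5 s, another one every 10 s.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.7"), (0.0, "198.51.100.2"),
    (0.5, "203.0.113.7"), (1.0, "203.0.113.7"),
    (1.5, "203.0.113.7"), (2.0, "203.0.113.7"),
    (2.5, "203.0.113.7"), (10.0, "198.51.100.2"),
    (20.0, "198.51.100.2"), (30.0, "198.51.100.2"),
]

if __name__ == "__main__":
    for ip, at in flood_sources(SAMPLE_EVENTS, threshold=5, interval_s=5).items():
        print(f"{ip} reached the limit at t={at}s")
```

With a limit of 5 events in 5 seconds only the bursting host triggers (at its fifth packet, t=2.0 s); the host registering every 10 seconds never accumulates more than one event in the window, which is the behaviour you want from the threshold so legitimate re-registrations stay below it.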

Examples of Custom Scripts

Getting Passed Arguments

Example script to log passed info:

#!/bin/bash
# append every argument VoIPmonitor passed to the script to a log file
echo "$@" >> /tmp/passed_info.txt

In PHP, decode the 4th argument with json_decode($argv[4]) to get the alert data.

Alert Type RTP

Example to store audio on RTP alert:

#!/usr/bin/php
<?php
#var_dump($argv);
$directory = '/home/alerts/audio';  # where to store audio from alerts that triggered
$date = date('Y-m-d');              # stored to a subdirectory named YYYY-MM-DD
$guiDir = '/var/www/voipmonitor';   # where the GUI is installed
$destdir = $directory . '/' . $date;
if (!is_dir($destdir) && !mkdir($destdir, 0750, true)) {
        fwrite(STDERR, "cannot create $destdir\n");
        exit(1);
}
$alert = json_decode($argv[4]);
foreach ($alert->cdr as $cdr) {
        # build the API request as real JSON instead of a hand-escaped string
        $params = json_encode(array(
                'task' => 'getVoiceRecording',
                'user' => 'admin',
                'password' => 'admin',
                'params' => array('cdrId' => $cdr),
        ));
        # api.php reads the request from stdin and writes the recording (pcap) to stdout
        $command = 'echo ' . escapeshellarg($params) . " | php $guiDir/php/api.php > "
                 . escapeshellarg("$destdir/file_id_$cdr.pcap");
        exec($command, $arr, $val);
}
?>

Example to block IP on remote host if > limit CDRs per caller IP:

#!/usr/bin/php
<?php
## Settings
$Limit = 19;
$blockCommand = "ssh root@pbx -p2112 ipset add blacklist";
$verbose = 1; # 1: the script only prints what it would do, 0: it runs the block command and prints nothing
$alertsData = json_decode($argv[4]);
# prepare a comma-separated list of CDR ids for the query; cast to int because the ids go into SQL
$cdrIds = array_map('intval', (array)$alertsData->cdr);
if (!count($cdrIds)) exit;
$out = implode(',', $cdrIds);
$query = "select INET_NTOA(sipcallerip),count(*) as incidents from voipmonitor.cdr where id in ($out) group by INET_NTOA(sipcallerip) order by incidents desc\G";
$command = "mysql -h MYSQLHOST -u MYSQLUSER -pMYSQLPASS -e " . escapeshellarg($query);
## END of settings
# run the query and collect the \G-formatted output lines
exec($command, $arr);
# parse results: each record is two lines, "INET_NTOA(sipcallerip): <ip>" followed by "incidents: <n>"
$resultip = array();
$resultcnt = array();
foreach ($arr as $nth => $line) {
        if (strpos($line, 'INET') === FALSE) continue;
        $pos = strpos($line, ":");
        $resultip[] = trim(substr($line, $pos + 2));
        $resultcnt[] = (int)trim(substr($arr[$nth + 1], strpos($arr[$nth + 1], ":") + 2));
}
# print (or block) every caller IP whose count exceeded the limit
if (!count($resultip)) exit;
foreach ($resultip as $n => $ip) {
        if ($resultcnt[$n] > $Limit) {
                if ($verbose) echo ("$ip : $resultcnt[$n], results in\n$blockCommand $ip\n\n");
                else exec($blockCommand . " " . escapeshellarg($ip), $ar, $rc);
        }
}
?>

Alert Type Realtime Concurrent Calls

Example to block IP on concurrent calls alert:

Note: Use "By caller IP" in alert settings to pass attacker IP.

#!/usr/bin/php
<?php
#echo "DECODE PARENT INFO\n";
#print_r(json_decode($argv[2]));
#echo "DECODE RULES INFO\n";
$triggedRules = json_decode($argv[4]);
# number of times each address triggered a rule
$IPtriggers = array();
foreach ($triggedRules as $rule) { // for each triggered rule
        $keyIP = $rule->alert_info->ip; // the source IP which triggered the rule, used as the key
        $when = $rule->at; // when this rule triggered
#       $type = $rule->alert_info->local_international; // enum: were the "local", "international" or "local & international" limits exceeded?
#       if (!isset($rule->alert_info->timeperiod_name)) { // name of the time-period rule which triggered; if unset, it is the main parent rule
#               $name = "Parent rule";
#       } else {
#               $name = $rule->alert_info->timeperiod_name;
#       }
#       print "\n\nName: $name\nat : $when\nType: $type";
        if (filter_var($keyIP, FILTER_VALIDATE_IP) === false) continue; // never pass a malformed value to iptables
        if (!isset($IPtriggers[$keyIP])) {
                $IPtriggers[$keyIP] = 1;
        } else {
                $IPtriggers[$keyIP] += 1;
        }
}
#echo "\n\nHow many rules did these addresses trigger?\n";
#print_r($IPtriggers);
#echo "Block all addresses that triggered any rule.\n";
foreach ($IPtriggers as $IPKey => $nmGuilt) {
#       echo "Blocking address: $IPKey\n";
        passthru('iptables -A INPUT -s ' . escapeshellarg($IPKey) . ' -j DROP', $ret);
        if ($ret <> 0) {
                echo ("Problem setting firewall!\n");
                exit(1);
        }
}
?>

AI Summary for RAG

Summary: This article details VoIPmonitor's anti-fraud rules for detecting attacks like floods, concurrent calls, and country changes. It covers common configs, specific rule parameters, custom scripts for actions, and examples for RTP and concurrent calls alerts. Important note: realtime alerts do not provide source port in their output, and querying the database for source port is not suitable for real-time blocking due to delays between alert trigger and CDR creation.

Keywords: anti-fraud rules, fraud alerts, watchdog, concurrent calls, SIP REGISTER flood, SIP PACKETS flood, country change, custom scripts, international prefixes, time periods, realtime alerts, source port, CDR-based alerts, firewall blocking, SBC, network edge, mitigate REGISTER spam

Key Questions:

  • What anti-fraud rules are available in VoIPmonitor?
  • How do common configurations like IP exclude or suppress alerts work?
  • What triggers a SIP REGISTER flood alert?
  • How does realtime concurrent calls tracking function?
  • What are examples of custom scripts for alerts?
  • How to configure international call detection?
  • Why is source port not available in realtime alert output?
  • What is the difference between realtime alerts and CDR-based alerts?
  • How to block SIP REGISTER floods at the network edge?
  • What are mitigation strategies for SIP REGISTER spam attacks?
  • How to use custom scripts to block attacker IPs?
  • How to configure firewall or SBC to prevent SIP REGISTER floods?