Anti-fraud

Category:GUI manual

Anti-Fraud Rules

Anti-fraud rules are accessed via GUI > Alerts > Anti Fraud. Rules combat fraud and attacks, with ongoing additions. Each rule supports custom scripts for actions like firewall rules, besides email alerts. Alerts are archived in Sent Alerts.

Overview

List of Fraud/Watchdog Alerts

Alert Processing Differences

VoIPmonitor processes alerts in two different ways:

Realtime alerts

Processed directly by the sniffer as packets arrive. Triggered immediately based on packet inspection but CDRs are not yet available.

• Realtime concurrent calls
• SIP REGISTER flood
• SIP PACKETS flood

CDR-based alerts

Evaluated by the GUI after CDRs have been stored in the database.

• Change CDR country
• Change REGISTER country
• Country/Continent destination
• RTP alerts
• SIP Response alerts

Important Limitation: Source Port in Realtime Alerts

Realtime alerts provide the attacker's IP address in the alert_info object, but do not include the SIP source port.

The source port can be queried from cdr.caller_port in the database, but this has critical limitations:

• Delay: CDRs are written after the realtime alert triggers, adding latency
• Port may not exist: Flood attacks may be detected before CDR creation

Recommendation:

• For real-time defense: Block by IP address only
• For non-real-time blocking: Use CDR-based alerts with database queries

Common Configuration

Options shared across anti-fraud rules:

International prefixes configuration:

• International prefixes: Distinguish local/international calls (default: +, 00)
• Min international length: Numbers shorter than this are treated as local
• Local numbers are in: Country for classifying international-prefixed calls as local

SIP REGISTER Flood/Attack

Triggers when >= N registration attempts from an IP occur within the set interval.

Mitigation Strategies

When SIP REGISTER floods cause excessive CPU usage or system unresponsiveness:

1. Immediate Blocking via Custom Scripts

Configure a custom script in the SIP REGISTER flood alert rule to automatically block the attacker IP. The alert_info object contains the attacker's IP address.

Block using iptables:

iptables -A INPUT -s <ATTACKER_IP> -j DROP

Block using ipset (more efficient for multiple IPs):

ipset add blacklist <ATTACKER_IP>

2. Network Edge Blocking (Recommended)

For long-term protection, block at your network edge:

• Session Border Controller (SBC): Configure rate limiting and IP blocking
• Firewall: Block malicious IPs at the perimeter before reaching VoIPmonitor
• Fail2ban: Automatically block IPs after repeated REGISTER failures

3. Reducing REGISTER Noise

• Disable REGISTER processing if not needed: sip-register = no in voipmonitor.conf
• Filter REGISTER packets using firewall rules
• Use capture rules to exclude known good REGISTER sources

Realtime Concurrent Calls

Tracks source IPs in realtime (not CDR-based) for concurrent calls. Useful against high-channel attacks.

Parameters

• Concurrent calls limit: Trigger on international, local, or both exceeding limits
• Time period rules: Vary alerts by work/after hours (defined in Groups > TimePeriods)

Change CDR Country

Triggers when CDR IP source changes country/continent since last call.

Parameters

• Exclude countries from alert: Whitelist countries to skip

Change REGISTER Country

Triggers when SIP REGISTER username changes country/continent since last successful registration.

Parameters

• Exclude countries from alert: Whitelist countries to skip

Country/Continent Destination

Triggers on calls to specific country/continent, based on first SIP INVITE (realtime processing).

SIP PACKETS Flood/Attack

Triggers when >= N packets from an IP occur within the set interval.

Custom Script Examples

Custom scripts receive alert data as command-line arguments. Use json_decode($argv[4]) in PHP to parse the alert data.

Logging Passed Arguments

Simple script to log all arguments for debugging:

#!/bin/bash
echo "$@" >> /tmp/passed_info.txt

RTP Alert: Store Audio Files

Script to automatically download audio for calls that triggered an RTP alert:

#!/usr/bin/php
<?php
// Configuration
$directory = '/home/alerts/audio';
$date = trim(`date '+%Y-%m-%d'`);
$guiDir = '/var/www/voipmonitor';
$destdir = $directory . '/' . $date;

// Create destination directory
`mkdir -p $destdir`;

// Parse alert data
$alert = json_decode($argv[4]);

// Download audio for each CDR in the alert
foreach ($alert->cdr as $cdr) {
    $params = '{"task":"getVoiceRecording", "user": "admin", "password": "admin", "params": {"cdrId": "' . $cdr . '"}}';
    $command = "php $guiDir/php/api.php > $destdir/file_id_$cdr.pcap";
    exec("echo $params | $command", $arr, $val);
}
?>

RTP Alert: Block IP After Threshold

Script to block IPs that exceed a threshold number of alerts:

#!/usr/bin/php
<?php
// Configuration
$Limit = 19;
$blockCommand = "ssh root@pbx -p2112 ipset add blacklist";
$verbose = 1;  // 1 = dry-run (print only), 0 = execute blocking

// Parse alert data
$alertsData = json_decode($argv[4]);

// Build list of CDR IDs
$cdrIds = $alertsData->cdr;
$out = '';
foreach ($cdrIds as $id) {
    $out .= "$id,";
}
$out = substr($out, 0, -1);

// Query database for caller IPs and incident counts
$query = "SELECT INET_NTOA(sipcallerip), COUNT(*) as incidents
          FROM voipmonitor.cdr
          WHERE id IN ($out)
          GROUP BY INET_NTOA(sipcallerip)
          ORDER BY incidents DESC\\G";
$command = "mysql -h MYSQLHOST -u MYSQLUSER -pMYSQLPASS -e '$query'";
exec($command, $arr);

// Parse results
$resultip = array();
$resultcnt = array();
foreach ($arr as $nth => $line) {
    if (strpos($line, 'INET') === FALSE) continue;
    $pos = strpos($line, ":");
    $resultip[] = substr($line, $pos + 2);
    $resultcnt[] = substr($arr[$nth + 1], strpos($arr[$nth + 1], ":") + 2);
}

// Block IPs that exceed limit
if (!count($resultip)) exit;
foreach ($resultip as $n => $ip) {
    if ($resultcnt[$n] > $Limit) {
        if ($verbose) {
            echo "$ip : $resultcnt[$n] incidents\n$blockCommand $ip\n\n";
        } else {
            exec($blockCommand . " $ip", $ar, $rc);
        }
    }
}
?>

Concurrent Calls: Block Attacker IP

Script for blocking IPs based on concurrent calls alert. Enable "By caller IP" in alert settings.

#!/usr/bin/php
<?php
// Parse triggered rules
$triggedRules = json_decode($argv[4]);

// Count triggers per IP address
$IPtriggers = array();
foreach ($triggedRules as $rule) {
    $keyIP = $rule->alert_info->ip;
    $when = $rule->at;

    if (!isset($IPtriggers[$keyIP])) {
        $IPtriggers[$keyIP] = 1;
    } else {
        $IPtriggers[$keyIP] += 1;
    }
}

// Block all IPs that triggered any rule
foreach ($IPtriggers as $IPKey => $nmGuilt) {
    passthru('iptables -A INPUT -s ' . $IPKey . ' -j DROP', $ret);
    if ($ret != 0) {
        echo "Problem setting firewall!\n";
        exit(1);
    }
}
?>

See Also

• Alerts & Reports - General alert configuration
• Capture Rules - Filter traffic before processing
• Sniffer Configuration - sip-register and other options

AI Summary for RAG

Summary: VoIPmonitor anti-fraud rules for detecting SIP attacks (REGISTER floods, packet floods), concurrent calls abuse, and geographic anomalies. Includes realtime vs CDR-based alert differences, custom script examples for automated IP blocking, and mitigation strategies.

Keywords: anti-fraud, REGISTER flood, SIP attack, concurrent calls, country change, custom scripts, iptables, ipset, fail2ban, realtime alerts, CDR-based alerts

Key Questions:

• What anti-fraud alerts are available in VoIPmonitor?
• How to block SIP REGISTER flood attacks?
• What is the difference between realtime and CDR-based alerts?
• How to create custom scripts for automated IP blocking?
• Why is source port not available in realtime alerts?