Break-in resistance settings to mitigate rogue calls

Common attacks on videoconferencing systems include rogue calls — such as Spam Over Internet Telephony (SPIT) or toll fraud call attempts — that are targeted at an organization’s SIP (or, more rarely, H.323) infrastructure. Typically the attacker will place a large volume of calls to numeric aliases (usually using SIP UDP) to try and gain access to a VoIP to PSTN gateway — and, if successful, use the gateway to commit toll fraud.

To mitigate such attacks, the Pexip Infinity platform enables PIN brute force resistance and VOIP scanner resistance by default. If required you can disable these settings either at a global platform level, or enable/disable protection for specific locations. You can also specify an allowed set of trusted IP addresses that are exempt from the break-in checks.

These break-in resistance settings form part of a broader strategy for protecting your system; for more information see Security best practices.

Note that any blocks that are applied to a VMR or IP address take immediate effect across the entire Pexip Infinity platform. However, changes to the allow list of IP addresses are subject to the standard replication delay across all Conferencing Nodes.

Alerting the administrator to break-in attempts

When break-in resistance protection has been triggered, an alarm is raised on the Management Node, providing information such as the source IP address of the attack and the associated Conferencing Node. The alarm remains active for the duration of the temporary block, after which time it is lowered automatically. To monitor whether break-in resistance has been triggered in the past, you can review the alarm history, or you can review the administrator log by searching for the relevant break-in policy prevention messages.

PIN brute force resistance

When PIN brute force resistance is enabled, Pexip Infinity will temporarily block all access to a VMR that receives a significant number of incorrect PIN entry attempts (and thus may be under attack from a malicious actor). It blocks all new access attempts to a VMR for up to 10 minutes if more than 20 incorrect PIN entry attempts are made against that VMR in a 10 minute window (you can configure the number of allowed incorrect attempts, but you cannot change the time window). While blocked, it appears to any callers as though the VMR/alias no longer exists. There is also a corresponding alarm raised on the Management Node.

Note that this provides a measure of resistance against PIN cracking attacks, but it is not a substitute for having a long PIN (6 digits or longer recommended) and it does not protect against a determined and patient — or lucky — attacker. Also, enabling this feature could potentially allow a malicious attacker or a legitimate user with incorrect access details to prevent legitimate access to VMRs or other call services for a period.

To configure PIN brute force resistance at the platform level:

  1. Go to Platform > Global settings.
  2. Go to the Break-in resistance section and enable or disable PIN brute force resistance as appropriate.

    PIN brute force resistance is enabled by default.

  3. Set the Maximum PIN failures allowed before the VMR is blocked (the default is 20).

    If you have a lot of meetings with many participants, and with long, complex PINs, you may want to increase the maximum PIN failures limit to tolerate many users mistyping the PIN — however this comes at the expense of reducing resistance to real PIN brute-force attempts.

You can override this setting on a per location basis. To do this:

  1. Go to Platform > Locations and select the required location.
  2. Configure Enable PIN brute force resistance in this location as appropriate. The options are:

    • Use Global PIN brute force resistance setting: as per the global configuration setting.
    • No: PIN brute force resistance is disabled for nodes in this location.
    • Yes: PIN brute force resistance is enabled for nodes in this location.

    When some locations have protection enabled, and other locations do not, the PIN brute force resistance setting is applied according to the location of the node that receives the call signaling.

    Default: Use Global PIN brute force resistance setting.

VOIP scanner resistance

When VOIP scanner resistance is enabled, Pexip Infinity will temporarily block service access attempts from any unknown source IP address that dials a significant number of incorrect aliases in a short period (and thus may be scanning your deployment to discover valid aliases that would let the attacker make improper use of VMRs or gateway rules — such as toll fraud attempts). It blocks all new call service access attempts from an IP address if more than 20 incorrect aliases are dialed from that IP address over SIP, H.323 or WebRTC (Infinity Connect) in a 10 minute window (you can configure the number of allowed incorrect attempts, but you cannot change the time window). There is also a corresponding alarm raised on the Management Node.

Note that this provides a measure of resistance against scanners such as sipvicious which are sometimes used during toll-fraud attempts, but it does not defend against a determined and patient — or lucky — attacker. Also, enabling this feature could potentially allow a malicious attacker or a legitimate user with incorrect access details to prevent legitimate access to VMRs or other call services for a period, if for example, those users are behind the same firewall as other legitimate users.

To configure VOIP scanner resistance at the platform level:

  1. Go to Platform > Global settings.
  2. Go to the Break-in resistance section and enable or disable VOIP scanner resistance as appropriate.

    VOIP scanner resistance is enabled by default.

  3. Set the Maximum scanner attempts (i.e. the number of incorrect dial attempts allowed before the source IP address is blocked). The default is 20.

You can override this setting on a per location basis. To do this:

  1. Go to Platform > Locations and select the required location.
  2. Configure Enable VOIP scanner resistance in this location as appropriate. The options are:

    • Use Global VOIP scanner resistance setting: as per the global configuration setting.
    • No: VOIP scanner resistance is disabled for nodes in this location.
    • Yes: VOIP scanner resistance is enabled for nodes in this location.

    When some locations have protection enabled, and other locations do not, the VOIP scanner resistance setting is applied according to the location of the node that receives the call signaling.

    Default: Use Global VOIP scanner resistance setting.
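
The following Python model is added here to illustrate how the two checks described above behave; it is not Pexip Infinity's own implementation. It keeps the page's fixed 10 minute window and default limit of 20 for both checks, keys PIN failures by VMR alias and incorrect-alias attempts by source IP address, and assumes a block length of 600 seconds (the page says blocks last "up to 10 minutes"). The class name, method names and the simulated timestamps are all constructed for the example.

```python
from collections import deque

# Values quoted on this page: a fixed 10 minute window and a default limit of
# 20 failures for each check. BLOCK_SECONDS is an assumption (the page says
# a block lasts "up to 10 minutes").
WINDOW_SECONDS = 600
BLOCK_SECONDS = 600
DEFAULT_MAX_PIN_FAILURES = 20
DEFAULT_MAX_SCANNER_ATTEMPTS = 20


class BreakInResistance:
    """Sliding-window model of the two break-in checks (illustrative only).

    kind "pin"  is keyed by VMR alias         (PIN brute force resistance)
    kind "scan" is keyed by source IP address (VOIP scanner resistance)
    """

    def __init__(self, max_pin_failures=DEFAULT_MAX_PIN_FAILURES,
                 max_scanner_attempts=DEFAULT_MAX_SCANNER_ATTEMPTS,
                 window=WINDOW_SECONDS, block=BLOCK_SECONDS):
        self.limits = {"pin": max_pin_failures, "scan": max_scanner_attempts}
        self.window = window
        self.block = block
        self.failures = {"pin": {}, "scan": {}}       # key -> deque of failure times
        self.blocked_until = {"pin": {}, "scan": {}}  # key -> time the block lifts

    def remaining_block_seconds(self, kind, key, now):
        """Seconds left on a block, or 0 when the key is not blocked."""
        until = self.blocked_until[kind].get(key)
        if until is None:
            return 0
        if now >= until:
            del self.blocked_until[kind][key]   # block has expired; lift it
            return 0
        return until - now

    def is_blocked(self, kind, key, now):
        return self.remaining_block_seconds(kind, key, now) > 0

    def record_failure(self, kind, key, now):
        """Count one failure; return True if it pushes the key over its limit."""
        dq = self.failures[kind].setdefault(key, deque())
        dq.append(now)
        while dq and now - dq[0] > self.window:   # forget failures outside the window
            dq.popleft()
        if len(dq) > self.limits[kind]:           # "more than N" failures in the window
            self.blocked_until[kind][key] = now + self.block
            dq.clear()
            return True
        return False

    def check_call(self, alias, source_ip, now):
        """Reason a new call attempt is refused before any PIN is checked, or None."""
        if self.is_blocked("scan", source_ip, now):
            return "Suspicious join attempt rejected"
        if self.is_blocked("pin", alias, now):
            return "Service appears to be under PIN break-in attack"
        return None


def simulate_pin_attack(limit=DEFAULT_MAX_PIN_FAILURES):
    """Fail the PIN once per second until the limit is exceeded.

    Returns the attempt number that triggered the block and the remaining
    block time 75 seconds later (constructed timings).
    """
    r = BreakInResistance(max_pin_failures=limit)
    blocked_at = None
    for attempt in range(1, limit + 2):
        if r.record_failure("pin", "alice", now=attempt):
            blocked_at = attempt
            break
    return blocked_at, r.remaining_block_seconds("pin", "alice", now=blocked_at + 75)


if __name__ == "__main__":
    print(simulate_pin_attack())
```

Two things the model makes visible: the 21st failure inside the window is the one that blocks (20 are "allowed"), and 21 failures spread more than 10 minutes apart never trip the check, which is why the page's warning about legitimate users mistyping long PINs matters mainly for large meetings starting at the same time.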

Configuring the allow list of IP addresses

You can configure a set of IP addresses that are excluded from the break-in resistance checks. An address can be safelisted for scan attempts and/or incorrect PINs.

  • Typically you may want to specify any addresses on a trusted network, where you do not want to penalize genuine mistakes from trusted users.
  • You may want to add the address of your reverse proxy (which may itself also employ fail2ban to protect your network at the perimeter) to ignore scan attempts and to ignore incorrect PINs.
  • When allowing the address of an upstream SIP or H.323 call control/SBC system, you may want to consider disabling Ignore incorrect PINs (i.e. so that Pexip Infinity still performs break-in checks for incorrect PINs from this address) as the call control system cannot police or rate limit incorrect PIN attempts from attackers attempting to brute force a PIN. However, if the call control system has its own VOIP scan resistance behavior — and you trust it — you can enable Ignore selected scan attempts.
  • For performance reasons, we recommend that you don't add more than a few thousand entries to the allow list table.

To define the allowed addresses:

  1. Go to Call control > Break-In attempt allow list.
  2. Select Add Allow list address.
  3. Configure the allowed address:

    Name: The name of this allow list entry.
    Description: A description of the allow list entry.
    Network address: The IPv4 or IPv6 address for this allow list IP address range.
    Network prefix: The prefix length to use in conjunction with the network address. For example, use a Network address of 10.0.0.0 and a Network prefix of 8 to specify all addresses in the range 10.0.0.0 to 10.255.255.255. You must specify a prefix.
    Ignore selected scan attempts: Select this option to allow unlimited scan attempts (incorrect aliases dialled) that are received from addresses in this range. This should only be enabled in trusted environments.

      Default: not selected.

    Ignore incorrect PINs: Select this option to allow unlimited incorrect PIN attempts that are received from addresses in this range. This should only be enabled in trusted environments.

      Default: not selected.

    Entry type: The type of address. This determines whether Pexip Infinity trusts or ignores any security headers (such as X-Forwarded-For headers) from that source. The options are:

      • Proxy: use this for a trusted reverse proxy IP address (or address range). Pexip Infinity trusts security headers from that source to truthfully reflect the IP address of callers/attackers.
      • User: use this for an end-user IP address range. Pexip Infinity ignores any security headers.

      Default: User

  4. Select Save.
  5. If required, you can repeat this process to add more addresses.
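
The following Python example is added to show how the allow list fields above fit together; it is not Pexip's code and does not reproduce the platform's internal logic. It builds entries from a Network address and Network prefix pair, looks up the matching entry for a caller, and models the Entry type rule: only a Proxy entry's X-Forwarded-For header is believed, so an unlisted caller cannot shift a block onto someone else's address by sending the header. The sample addresses, entry names, and the assumption that the first address in the header chain is the original client are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class AllowListEntry:
    """One row of the Break-In attempt allow list (field names follow the page)."""
    name: str
    network: Network
    ignore_selected_scan_attempts: bool = False
    ignore_incorrect_pins: bool = False
    entry_type: str = "User"          # "User" or "Proxy"


def allow_list_entry(name, network_address, network_prefix, *,
                     ignore_scan=False, ignore_pins=False, entry_type="User"):
    """Build an entry from the Network address + Network prefix the UI asks for."""
    if entry_type not in ("User", "Proxy"):
        raise ValueError("entry_type must be 'User' or 'Proxy'")
    net = ipaddress.ip_network(f"{network_address}/{network_prefix}", strict=False)
    return AllowListEntry(name, net, ignore_scan, ignore_pins, entry_type)


def find_entry(entries: List[AllowListEntry], ip: str) -> Optional[AllowListEntry]:
    """First entry whose range contains ip (IPv4 and IPv6 never match each other)."""
    addr = ipaddress.ip_address(ip)
    for e in entries:
        if e.network.version == addr.version and addr in e.network:
            return e
    return None


def effective_source(entries, remote_address, x_forwarded_for=None):
    """Address the break-in counters should be keyed on.

    Only a Proxy entry's X-Forwarded-For is trusted; a User entry or an
    unlisted address is judged by its own socket address.
    Assumption: the first address in the header chain is the original client.
    """
    entry = find_entry(entries, remote_address)
    if entry is not None and entry.entry_type == "Proxy" and x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return remote_address


def exemptions(entries, source_ip):
    """(ignore scan attempts, ignore incorrect PINs) for the address being counted."""
    entry = find_entry(entries, source_ip)
    if entry is None:
        return (False, False)
    return (entry.ignore_selected_scan_attempts, entry.ignore_incorrect_pins)


def evaluate(entries, remote_address, x_forwarded_for=None):
    """Resolve the counted address, then look up its exemptions.

    Assumption: exemptions are looked up on the resolved address, so clients
    behind a trusted proxy are still checked individually while the proxy's
    own address is never blocked.
    """
    src = effective_source(entries, remote_address, x_forwarded_for)
    ignore_scan, ignore_pins = exemptions(entries, src)
    return src, ignore_scan, ignore_pins


# Constructed sample allow list covering the three cases discussed on the page.
SAMPLE_ALLOW_LIST = [
    allow_list_entry("Office LAN", "10.0.0.0", 8, ignore_scan=True, ignore_pins=True),
    allow_list_entry("Reverse proxy", "192.0.2.10", 32,
                     ignore_scan=True, ignore_pins=True, entry_type="Proxy"),
    # Upstream SBC: it cannot rate limit PIN guesses, so PIN checks stay on.
    allow_list_entry("Upstream SBC", "198.51.100.5", 32,
                     ignore_scan=True, ignore_pins=False),
]
```

The SBC entry shows the trade-off the bullet list above describes: scan attempts from it are ignored because the SBC applies its own scanner protection, but Ignore incorrect PINs is left off so a PIN guess relayed through it still counts against the VMR.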

Break-in prevention policy example log messages

The following examples show messages that may be logged in the administrator.conference module of the administrator log (History & Logs > Administrator log) by the break-in prevention policies.

Logged when PIN brute force resistance has temporarily disabled a service, and for all subsequent attempts while the service is blocked:

Message="Break-in prevention policy blocking all attempts to join this service." ConferenceAlias="alice" Service="Alice's VMR" Participant="Crooky McCrookface" Protocol="API" Direction="in" Remote-address="10.44.21.35" Reason="Service appears to be under PIN break-in attack" remaining_block_duration_seconds="525"

Logged when VOIP scanner resistance has temporarily blocked an address:

Message="Participant has been quarantined by Break-in prevention policy due to excessive failed join attempts." Participant="Crooky McCrookface" Protocol="API" Direction="in" Remote-address="10.44.21.35" Reason="Too many attempts to join non-existent aliases" remaining_block_duration_seconds="488"

and then any subsequent attempts generate messages such as:

Message="Break-in prevention policy rejecting call attempt from quarantined caller." Protocol="API" Direction="in" Local-alias="[u'alice']" Remote-address="10.47.250.169" Reason="Suspicious join attempt rejected" remaining_block_duration_seconds="519"
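
To turn the messages above into something a monitoring pipeline can act on, the following Python example (added here; not a Pexip tool) parses the key="value" fields of administrator log lines, classifies each message as a PIN brute force or VOIP scanner event from its Message and Reason text, and summarises events per Remote-address with the longest remaining block seen. The three break-in lines are the ones quoted on this page; the unrelated "Participant joined" line and the function names are constructed for the example.

```python
import re
from collections import defaultdict

# The three administrator log lines quoted on this page, used as sample input.
SAMPLE_LINES = [
    'Message="Break-in prevention policy blocking all attempts to join this service." '
    'ConferenceAlias="alice" Service="Alice\'s VMR" Participant="Crooky McCrookface" '
    'Protocol="API" Direction="in" Remote-address="10.44.21.35" '
    'Reason="Service appears to be under PIN break-in attack" remaining_block_duration_seconds="525"',
    'Message="Participant has been quarantined by Break-in prevention policy due to excessive failed join attempts." '
    'Participant="Crooky McCrookface" Protocol="API" Direction="in" Remote-address="10.44.21.35" '
    'Reason="Too many attempts to join non-existent aliases" remaining_block_duration_seconds="488"',
    'Message="Break-in prevention policy rejecting call attempt from quarantined caller." '
    'Protocol="API" Direction="in" Local-alias="[u\'alice\']" Remote-address="10.47.250.169" '
    'Reason="Suspicious join attempt rejected" remaining_block_duration_seconds="519"',
]

# Constructed line that is not a break-in message, to show it is filtered out.
UNRELATED_LINE = 'Message="Participant joined conference." Participant="Bob" Remote-address="10.0.0.9"'

# key="value" pairs; keys may contain hyphens (Remote-address) or underscores.
_FIELD = re.compile(r'([A-Za-z_][\w-]*)="([^"]*)"')


def parse_breakin_line(line):
    """Return the key="value" fields of one administrator log line as a dict."""
    return dict(_FIELD.findall(line))


def classify(record):
    """Which break-in policy produced this message, judged from its text."""
    if "PIN break-in" in record.get("Reason", ""):
        return "pin_brute_force"
    if "quarantined" in record.get("Message", ""):
        return "voip_scanner"
    return "other"


def summarize(lines):
    """Per Remote-address: event count, policies seen, longest remaining block."""
    summary = defaultdict(lambda: {"events": 0, "policies": set(), "max_remaining": 0})
    for line in lines:
        rec = parse_breakin_line(line)
        if "Break-in prevention policy" not in rec.get("Message", ""):
            continue                      # not produced by the break-in policies
        entry = summary[rec.get("Remote-address", "unknown")]
        entry["events"] += 1
        entry["policies"].add(classify(rec))
        remaining = int(rec.get("remaining_block_duration_seconds", "0"))
        entry["max_remaining"] = max(entry["max_remaining"], remaining)
    return dict(summary)


if __name__ == "__main__":
    for addr, info in summarize(SAMPLE_LINES + [UNRELATED_LINE]).items():
        print(addr, info["events"], sorted(info["policies"]), info["max_remaining"])
```

Because the Remote-address in these messages is the address the policy counted against, a summary keyed on it pairs naturally with the allow list: an address that appears repeatedly with the "voip_scanner" policy and is not a trusted proxy or SBC is a candidate for perimeter blocking rather than for safelisting.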