Break-in resistance settings to mitigate rogue calls

Common attacks on videoconferencing systems include rogue calls — such as Spam Over Internet Telephony (SPIT) or toll fraud call attempts — that are targeted at an organization’s SIP (or, more rarely, H.323) infrastructure. Typically the attacker will place a large volume of calls to numeric aliases (usually using SIP over UDP) to try to gain access to a VoIP-to-PSTN gateway — and, if successful, use the gateway to commit toll fraud.

To mitigate such attacks, the Pexip Infinity platform enables PIN brute force resistance and VOIP scanner resistance by default. If required, you can disable these settings at the global platform level, or enable or disable protection for specific locations.

These break-in resistance settings form part of a broader strategy for protecting your system; for more information see Security best practices.

Alerting

When break-in resistance protection has been triggered, an alarm will be raised on the Management Node, providing information such as the source IP address of the attack and the associated Conferencing Node. The alarm will remain active for the duration of the temporary block, after which time it will be lowered automatically. To monitor whether break-in resistance has been triggered in the past, you can review the alarm history, or you can review the administrator log by searching for the relevant break-in policy prevention messages.

PIN brute force resistance

When PIN brute force resistance is enabled, Pexip Infinity will temporarily block all access to a VMR that receives a significant number of incorrect PIN entry attempts (and thus may be under attack from a malicious actor). All new access attempts to a VMR are blocked for up to 10 minutes if more than 20 incorrect PIN entry attempts are made against that VMR in a 10 minute window (these parameters are not configurable). While blocked, it will appear to any callers as though the VMR/alias no longer exists. A corresponding alarm is also raised on the Management Node.

Note that this provides a measure of resistance against PIN cracking attacks, but it is not a substitute for having a long PIN (6 digits or longer recommended) and it will not protect against a determined and patient — or lucky — attacker. Also, enabling this feature could potentially allow a malicious attacker or a legitimate user with incorrect access details to prevent legitimate access to VMRs or other call services for a period.

To configure PIN brute force resistance at the platform level:

  1. Go to Platform > Global settings.
  2. Go to the Break-in resistance section and enable or disable PIN brute force resistance as appropriate.

    PIN brute force resistance is enabled by default.

You can override this setting on a per location basis. To do this:

  1. Go to Platform > Locations and select the required location.
  2. Configure Enable PIN brute force resistance in this location as appropriate. The options are:

    • Use Global PIN brute force resistance setting: as per the global configuration setting.
    • No: PIN brute force resistance is disabled for nodes in this location.
    • Yes: PIN brute force resistance is enabled for nodes in this location.

    When some locations have protection enabled, and other locations do not, the PIN brute force resistance setting is applied according to the location of the node that receives the call signaling.

    Default: Use Global PIN brute force resistance setting.

VOIP scanner resistance

When VOIP scanner resistance is enabled, Pexip Infinity will temporarily block service access attempts from any source IP address that dials a significant number of incorrect aliases in a short period (and thus may be scanning your deployment to discover valid aliases that would allow the attacker to make improper use of VMRs or gateway rules — such as toll fraud attempts). All new call service access attempts from an IP address are blocked if more than 20 incorrect aliases are dialed from that IP address over SIP, H.323 or WebRTC (Infinity Connect) in a 10 minute window (these parameters are not configurable). A corresponding alarm is also raised on the Management Node.

Note that this provides a measure of resistance against scanners such as sipvicious, which are sometimes used during toll-fraud attempts, but it will not defend against a determined and patient — or lucky — attacker. Also, enabling this feature could potentially allow a malicious attacker or a legitimate user with incorrect access details to prevent legitimate access to VMRs or other call services for a period if, for example, those users are behind the same firewall (and therefore share a source IP address) as other legitimate users.

To configure VOIP scanner resistance at the platform level:

  1. Go to Platform > Global settings.
  2. Go to the Break-in resistance section and enable or disable VOIP scanner resistance as appropriate.

    VOIP scanner resistance is enabled by default.

You can override this setting on a per location basis. To do this:

  1. Go to Platform > Locations and select the required location.
  2. Configure Enable VOIP scanner resistance in this location as appropriate. The options are:

    • Use Global VOIP scanner resistance setting: as per the global configuration setting.
    • No: VOIP scanner resistance is disabled for nodes in this location.
    • Yes: VOIP scanner resistance is enabled for nodes in this location.

    When some locations have protection enabled, and other locations do not, the VOIP scanner resistance setting is applied according to the location of the node that receives the call signaling.

    Default: Use Global VOIP scanner resistance setting.

Break-in prevention policy example log messages

The following examples show messages that may be logged in the administrator.conference module of the administrator log (History & Logs > Administrator log) by the break-in prevention policies.

Logged when PIN brute force resistance has temporarily disabled a service, and for all subsequent attempts while the service is blocked:

Message="Break-in prevention policy blocking all attempts to join this service." ConferenceAlias="alice" Service="Alice's VMR" Participant="Crooky McCrookface" Protocol="API" Direction="in" Remote-address="10.44.21.35" Reason="Service appears to be under PIN break-in attack" remaining_block_duration_seconds="525"

Logged when VOIP scanner resistance has temporarily blocked an address:

Message="Participant has been quarantined by Break-in prevention policy due to excessive failed join attempts." Participant="Crooky McCrookface" Protocol="API" Direction="in" Remote-address="10.44.21.35" Reason="Too many attempts to join non-existent aliases" remaining_block_duration_seconds="488"

and then any subsequent attempts generate messages such as:

Message="Break-in prevention policy rejecting call attempt from quarantined caller." Protocol="API" Direction="in" Local-alias="[u'alice']" Remote-address="10.47.250.169" Reason="Suspicious join attempt rejected" remaining_block_duration_seconds="519"
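As an added example that is not part of the Pexip documentation, the following Python parses the three sample administrator log messages above into their key="value" fields and aggregates which services and source addresses are currently blocked, the kind of normalisation an operator would do before forwarding these events to a SIEM. The function names and the summary layout are my own assumptions; the sample lines are the page's own examples embedded as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample input: the three example messages from the page, one per line.
SAMPLE_LOG = """\
Message="Break-in prevention policy blocking all attempts to join this service." ConferenceAlias="alice" Service="Alice's VMR" Participant="Crooky McCrookface" Protocol="API" Direction="in" Remote-address="10.44.21.35" Reason="Service appears to be under PIN break-in attack" remaining_block_duration_seconds="525"
Message="Participant has been quarantined by Break-in prevention policy due to excessive failed join attempts." Participant="Crooky McCrookface" Protocol="API" Direction="in" Remote-address="10.44.21.35" Reason="Too many attempts to join non-existent aliases" remaining_block_duration_seconds="488"
Message="Break-in prevention policy rejecting call attempt from quarantined caller." Protocol="API" Direction="in" Local-alias="[u'alice']" Remote-address="10.47.250.169" Reason="Suspicious join attempt rejected" remaining_block_duration_seconds="519"
"""

# Keys may contain '-' or '_'; values are double-quoted and contain no embedded double quotes,
# so apostrophes ("Alice's VMR") and brackets ("[u'alice']") are preserved as-is.
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_line(line):
    """Return the key/value fields of one administrator log line as a dict."""
    return dict(FIELD_RE.findall(line))


def classify(fields):
    """Map a parsed line to a break-in event type, or None if it is unrelated (hypothetical labels)."""
    reason = fields.get("Reason", "")
    if "PIN break-in attack" in reason:
        return "pin_brute_force_block"
    if "non-existent aliases" in reason:
        return "voip_scanner_quarantine"
    if "Suspicious join attempt rejected" in reason:
        return "quarantined_caller_rejected"
    return None


def summarize(log_text):
    """Aggregate break-in events: blocked services (by alias) and quarantined source IPs."""
    summary = {"services": {}, "sources": defaultdict(dict)}
    for line in log_text.splitlines():
        fields = parse_line(line)
        kind = classify(fields)
        if kind is None:
            continue
        remaining = int(fields.get("remaining_block_duration_seconds", 0))
        ip = fields.get("Remote-address")
        if kind == "pin_brute_force_block":
            # The VMR itself is blocked; record which source triggered it.
            summary["services"][fields["ConferenceAlias"]] = {"remaining": remaining, "source": ip}
        else:
            # The calling address is quarantined; keep the latest remaining duration per event type.
            summary["sources"][ip][kind] = remaining
    return summary
```

Feeding the real administrator log through summarize() gives a per-alias and per-IP view of active blocks, which is what you would correlate with the Management Node alarm when investigating whether an event was a scan or a user with the wrong PIN.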