
Callcentric is reporting they are experiencing a DDoS-style attack using the SIP protocol. My registrations are just timing out.

Their Twitter is being updated: https://twitter.com/Callcentric They are also posting updates to customers when they log in. According to the first post regarding this issue on their Twitter, this is going on hour 17 or so. My logs for Asterisk are just filling with registration timeouts.

Here is the latest update when I log into my account:

*Investigation into current problems:*

For the past two days we have been experiencing a sophisticated type of attack. As soon as we noticed the first attempt we commenced an immediate physical upgrade to all of our servers, increasing capacity and CPU power by a factor of four in addition to other precautions.

Unfortunately, even though this is similar to a "typical" DDoS attack, it is targeted specifically at the SIP protocol and causes server load to increase to 100% within 1 minute of initiation. As such, standard and extraordinary prevention measures were unable to prevent it.

We do not know the specific methodology of the attack but are aware that it is *similar* in effect to a DNS TRASH flood attack. We are performing forensic analysis on the data we have and are capturing traffic to find an exact reason and solution.

We would like to clarify that there was no intrusion into our network and all of our servers, switches and internet connections have been functioning *normally* throughout the entirety of this concern. None of our equipment or interlinks were disconnected or went down. Additionally, please note that all of your information is encrypted, safe and secure; and that NO customer data was stolen NOR destroyed.

We have experienced attempted *unsuccessful* attacks in the past and have made changes in real-time to stop them as well as to prevent future similar attacks. Many of our security documentation guidelines and features have been geared towards these changes. Unfortunately this is an entirely new type of attack, the mechanics of which are still coming to light.

We sincerely apologize for the inconvenience this has caused. We are committed to further protecting our network and for this reason we will continue working with our engineers to implement a proper solution to provide a comprehensive resolution.

If you have any questions/concerns regarding this message or if you need assistance in updating your configuration, our Support Staff are available to answer your questions in as timely a manner as possible.

Upon achieving a resolution, we will be providing as detailed an explanation as possible regarding this issue as well as the resolution.

Again, we sincerely apologize for any inconvenience that you have experienced as a result of this matter and we appreciate your understanding during this process.
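Added example, not part of the original thread: a log check for the symptom described in the message above, grouping chan_sip registration-timeout notices by registrar and reporting only sustained runs. The sample lines are constructed, and the timestamp format assumes `dateformat=%F %T` in logger.conf; the function name and thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumes logger.conf sets dateformat=%F %T; the Asterisk default omits the year.
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample lines modelled on chan_sip registration-timeout notices.
SAMPLE_LOG = """\
[2012-10-05 14:30:02] NOTICE[2211] chan_sip.c:    -- Registration for '1777MYCCID@callcentric.com' timed out, trying again (Attempt #1)
[2012-10-05 14:30:10] NOTICE[2211] chan_sip.c:    -- Registration for 'alice@sip.example.net' timed out, trying again (Attempt #1)
[2012-10-05 14:30:22] NOTICE[2211] chan_sip.c:    -- Registration for '1777MYCCID@callcentric.com' timed out, trying again (Attempt #2)
[2012-10-05 14:30:31] VERBOSE[2211] pbx.c:     -- Unrelated line that must be ignored
[2012-10-05 14:30:42] NOTICE[2211] chan_sip.c:    -- Registration for '1777MYCCID@callcentric.com' timed out, trying again (Attempt #3)
[2012-10-05 14:31:02] NOTICE[2211] chan_sip.c:    -- Registration for '1777MYCCID@callcentric.com' timed out, trying again (Attempt #4)
"""

TIMEOUT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\].*?chan_sip\.c.*?-- Registration for "
    r"'[^@']+@(?P<host>[^']+)' timed out"
)


def sustained_timeouts(log_text, min_attempts=3, max_gap=timedelta(minutes=2)):
    """Return {registrar: (count, first_seen, last_seen)} for registrars whose
    timeouts form an unbroken run (gaps <= max_gap) of at least min_attempts."""
    runs = defaultdict(list)  # registrar -> timestamps in the current run
    best = {}                 # registrar -> longest qualifying run seen so far
    for line in log_text.splitlines():
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        host = m["host"]
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        run = runs[host]
        if run and ts - run[-1] > max_gap:
            run.clear()       # a long quiet period ends the previous run
        run.append(ts)
        if len(run) >= min_attempts and len(run) > best.get(host, (0,))[0]:
            best[host] = (len(run), run[0], run[-1])
    return best


if __name__ == "__main__":
    for host, (count, first, last) in sustained_timeouts(SAMPLE_LOG).items():
        print(f"{host}: {count} consecutive timeouts from {first} to {last}")
```

A single timeout against one registrar is ordinary noise; a run against the same registrar with no quiet gap is the pattern worth alerting on and correlating with the provider's status feed.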

On 10/05/2012 02:38 PM, Mitch wrote:
> Callcentric is reporting they are experiencing a DDoS-style attack using the SIP protocol. My registrations are just timing out.
> Their Twitter is being updated: https://twitter.com/Callcentric They are also posting updates to customers when they log in. According to the first post regarding this issue on their Twitter, this is going on hour 17 or so. My logs for Asterisk are just filling with registration timeouts.

They say in a later tweet that they posted "instructions" to customers regarding changes to make. Have you seen anything like this on your dashboard?

Closest thing to instructions is what I pasted.

On Oct 5, 2012 4:30 PM, "Micah Brandon" <brandon@netsville.com> wrote:
> On 10/05/2012 02:38 PM, Mitch wrote:
>> Callcentric is reporting they are experiencing a DDoS-style attack using the SIP protocol. My registrations are just timing out.
>> Their Twitter is being updated: https://twitter.com/Callcentric They are also posting updates to customers when they log in. According to the first post regarding this issue on their Twitter, this is going on hour 17 or so. My logs for Asterisk are just filling with registration timeouts.
> They say in a later tweet that they posted "instructions" to customers regarding changes to make. Have you seen anything like this on your dashboard?
> _______________________________________________
> Outages mailing list
> Outages@outages.org
> https://puck.nether.net/mailman/listinfo/outages

Ok, well new update while I was gone, not sure when they posted it:

*Investigation into current problems:*

Hello,

For the past two days we have been experiencing a sophisticated type of attack. As soon as we noticed the first attempt we commenced an immediate physical upgrade to all of our servers, increasing capacity and CPU power by a factor of four in addition to other precautions.

Unfortunately, even though this is similar to a "typical" DDoS attack, it is targeted specifically at the SIP protocol and causes server load to increase to 100% within 1 minute of initiation. As such, standard and extraordinary prevention measures were unable to prevent it.

We do not know the specific methodology of the attack but are aware that it is *similar* in effect to a DNS TRASH flood attack. We are performing forensic analysis on the data we have and are capturing traffic to find an exact reason and solution.

We would like to clarify that there was no intrusion into our network and all of our servers, switches and internet connections have been functioning *normally* throughout the entirety of this concern. None of our equipment or interlinks were disconnected or went down. Additionally, please note that all of your information is encrypted, safe and secure; and that NO customer data was stolen NOR destroyed.

We have been working as aggressively as possible throughout the day/night and we have found a short term work-around which will provide immediate relief and allow calls to function normally. This will require updating your configuration slightly.

Please re-configure your software/hardware with the following information:

*UPDATED* Your registrar and Domain should remain as is: callcentric.com

Outbound proxy:
    sip.callcentric.com - For clients *ONLY* able to use A records
    srv.callcentric.com - For clients able to use DNS SRV
    bypass.callcentric.com - For clients able to use DNS SRV

*UPDATED* Asterisk users need the following:
    host = sip.callcentric.com OR srv.callcentric.com
    outboundproxy = sip.callcentric.com OR srv.callcentric
    register => 1777MYCCID:SUPERSECRET@sip.callcentric.com OR 1777MYCCID:SUPERSECRET@srv.callcentric.com

*UPDATED* 3CX users need the following:
    Outbound proxy hostname or IP: sip.callcentric.com
    Outbound proxy port (default is 5060): 5060

*UPDATED* PAP2/Linksys/Cisco users should be logged into their device in admin/advanced mode and use the following settings:
    Proxy - Enter callcentric.com in this field
    Outbound Proxy - Enter srv.callcentric.com in this field
    Use Outbound Proxy - yes
    Use DNS SRV - yes
    DNS SRV Auto Prefix - yes

*UPDATED* Obihai users please make sure the following is configured:
    Service Providers > ITSP Profile > SIP
    ProxyServer: callcentric.com
    RegistrarServer: srv.callcentric.com
    UserAgentDomain: callcentric.com
    OutboundProxy: srv.callcentric.com
    X_ProxyServerRedundancy: Checked

Please update this information as soon as possible to restore your calling ability and make sure to *REBOOT* or *RESTART* your device or software.

We have experienced attempted *unsuccessful* attacks in the past and have made changes in real-time to stop them as well as to prevent future similar attacks. Many of our security documentation guidelines and features have been geared towards these changes. Unfortunately this is an entirely new type of attack, the mechanics of which are still coming to light.

We sincerely apologize for the inconvenience this has caused. We are committed to further protecting our network and for this reason we will continue working with our engineers to implement a proper solution to provide a comprehensive resolution.

If you have any questions/concerns regarding this message or if you need assistance in updating your configuration, our Support Staff are available to answer your questions in as timely a manner as possible.

Upon achieving a resolution, we will be providing as detailed an explanation as possible regarding this issue as well as the resolution.

Again, we sincerely apologize for any inconvenience that you have experienced as a result of this matter and we appreciate your understanding during this process.

On Fri, Oct 5, 2012 at 4:42 PM, Mitch <mitpatterson@gmail.com> wrote:
> Closest thing to instructions is what I pasted.
> On Oct 5, 2012 4:30 PM, "Micah Brandon" <brandon@netsville.com> wrote:
>> On 10/05/2012 02:38 PM, Mitch wrote:
>>> Callcentric is reporting they are experiencing a DDoS-style attack using the SIP protocol. My registrations are just timing out.
>>> Their Twitter is being updated: https://twitter.com/Callcentric They are also posting updates to customers when they log in. According to the first post regarding this issue on their Twitter, this is going on hour 17 or so. My logs for Asterisk are just filling with registration timeouts.
>> They say in a later tweet that they posted "instructions" to customers regarding changes to make. Have you seen anything like this on your dashboard?
Participants (2): Micah Brandon, Mitch