
DDoS / DoS over the telephone network. A makeshift defense

In lieu of a preface



I have been a regular reader here for half a year. Sometimes there are posts or comments that I badly want to answer, but I have no access. And then this case came along: a new client appeared with an interesting, big problem. Their new catalog had come out and someone started bombing the published numbers with calls.

I thought I should write it up: maybe someone will be interested, and maybe I will even get an invite ... =)
UPD: I got an invite, I am as happy as a small child ... =)



Act 1. Scene 1.



In the office of the "victim": an old Elmeg c88m from Funkwerk, serving a dozen external lines and slightly more internal phones, slowly begins to smoke, the operators panic, the director smokes and curses a lot, customers and branches in other cities can’t get through ...

Business has come to a standstill ...
The victim of the “attack” calls around among friends in search of a “specialist” and gets my number with a recommendation ... He calls me and tries to explain in a few words what happened ... he does not speak clearly, he is obviously nervous, he asks me to come right away. I couldn’t understand from the phone conversation what had happened or what the problem was, so I promised to come within two hours.

Act 1. Scene 2.



Arriving at the victim’s office half an hour after the official end of working hours, I find the worn-out director and a couple of operators on the phones, trying to call partners and branches to report the communication problems. By this time the malicious calls had stopped, the lines were free and incoming calls were possible again ... but it was too late: the published working hours had passed and the customers were lost.

Talking to the telephone network operator's support service yielded nothing beyond a check that the line was working. Calling back the numbers shown on the phone displays showed that they did not exist or were unreachable.

An attempt to activate some kind of blocking filter on the PBX (Funkwerk Elmeg c88m) showed that it can hold 100 blocked numbers ... and that's all. The system cannot do anything else at all. After some thought, it was decided to take advantage of the capabilities of the soft PBX Asterisk. I have experience installing it, so it should work.

Act 2. Scene 1.



So ... having a dozen external ISDN lines requires more or less professional ISDN hardware that works with Asterisk. The choice fell on the Astribank from Xorcom with 8 BRI (16 B-channels) and 4 BRI (8 B-channels). Those were not at hand, so I had to order them. Delivery is promised in 3-5 days =(

What to do until delivery? The business is dying, the director is on the verge of collapse, the operators are in a panic, the year has already started hard because of the economic situation, and this is the opening of the season. Every missed call goes to competitors.

All of Asterisk's capabilities run through my head, and here it is! SIP is the solution to all the problems: a number is registered with a German SIP telephony provider (www.sipgate.de), a call is made to the telephone network operator with a request to redirect all incoming calls to the new number, a “box” (Athlon II X2 240, 2GB RAM) with Asterisk under Ubuntu is set up, and Asterisk is configured for Sipgate. It only remains to provide the operators with SIP clients and headsets.

Zoiper and QuteCom were chosen as SIP clients. Zoiper was the initial choice, but it crashed with an error on half of the computers, so QuteCom served as the alternative.

It remains to set up a script to screen out the "bad" calls: use the WaitForSilence function and enjoy life.

Act 2. Scene 2.



The beginning of a new working day: the bad calls break through the defense, the situation is not improving. I can finally hear what is happening on the line during a “bad call”, and the result is amazing: breathing into the handset, long and intermittent ... WaitForSilence does not work.

I watch the flow of calls: the attack comes either from foreign numbers or with no number at all. OK, I block numbers that begin with two zeros and anonymous calls. That's it…

Peace and quiet in the office, calls are rare, but all of them are on topic: customers, partners, branches. The director lights up and begins to smile, his complexion changes to a healthier one. The ladies on the phones happily answer calls, and in the breaks they jokingly call each other DJs because of the headsets on their heads.

I calmly leave the office ...

Act 3. Scene 1.



The next day they call me again, complaining that there are too few calls. Suspicion falls on the calls "without a number", of which there are far from few.

After a bit of thinking, I come to the conclusion that the callers who are now being blocked should be checked for the presence of intelligence - we run a Turing test.

To this end, several prompts were recorded (hello, you have called XY, and the most important one, “press 1 to continue”) in the voice of one of the employees. A short voice menu was built from these prompts; Asterisk allows all sorts of tricks in this area. Done! The number of calls has increased, the business lives, everything is OK. I leave the client's office (now a client, no longer a victim ...).
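The screening described in Acts 2 and 3, sketched as an Asterisk dialplan (an added example, not the author's actual script): callers with no number, an anonymous number or a number starting with 00 must press 1 before they reach the operators. The context names, the prompt file, the operator peers and the cap of four simultaneous challenges (which goes beyond what the post describes) are assumptions.

```asterisk
; extensions.conf - constructed example; all names below are assumptions

[from-sipgate]
exten => _X.,1,NoOp(Incoming call from "${CALLERID(num)}")
 ; No caller ID at all, or the provider's "anonymous" marker
 same => n,GotoIf($["${CALLERID(num)}" = ""]?challenge,s,1)
 same => n,GotoIf($["${TOLOWER(${CALLERID(num)})}" = "anonymous"]?challenge,s,1)
 ; International prefix: number begins with two zeros
 same => n,GotoIf($["${CALLERID(num):0:2}" = "00"]?challenge,s,1)
 ; Everything else goes straight to the operators
 same => n,Goto(operators,s,1)

[challenge]
; Count calls currently inside the challenge and refuse new ones above
; the cap BEFORE answering, so they never open an audio stream.
exten => s,1,Set(GROUP()=challenge)
 same => n,GotoIf($[${GROUP_COUNT(challenge)} > 4]?reject)
 same => n,Answer()
 same => n,Set(TRIES=0)
 ; Play the recorded prompt and wait up to 5 s for a single digit
 same => n(ask),Read(DIGIT,custom/press-1-to-continue,1,,1,5)
 same => n,GotoIf($["${DIGIT}" = "1"]?operators,s,1)
 same => n,Set(TRIES=$[${TRIES} + 1])
 same => n,GotoIf($[${TRIES} < 2]?ask)
 ; Two failed attempts: log the caller for the record and drop the call
 same => n,Verbose(1,Screened out call from "${CALLERID(num)}")
 same => n,Hangup()
 same => n(reject),Verbose(1,Challenge cap reached, rejecting "${CALLERID(num)}")
 same => n,Hangup(17)

[operators]
exten => s,1,Dial(SIP/operator1&SIP/operator2,30)
 same => n,Hangup()
```

Every answered challenge holds an audio stream for as long as the prompt plays, so the number of parallel challenges translates directly into bandwidth on the SIP link.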

Act 4. Scene 1.



The client calls to tell me that the sound quality has become worse: the audio stutters, breaks up and drops out. I come to the office, look at the logs and the Asterisk console, and find an increased number of parallel calls - the Turing test requires “picking up the handset and playing the prompts”. The test simply eats up the Internet link. This was a problem for me - the link is not enough for the required number of calls, and it is necessary to switch from the ulaw / alaw (64kbit) codec to gsm (16kbit). I know from my own experience that this comes with an audible deterioration in call quality ... especially when switching from ISDN to SIP with the GSM codec, this is felt very strongly.

But there is nothing else to do. I enable gsm on the external channels and make a test call - everything is OK. I hand it over to the director to check and hope for a miracle ... And here it is, a miracle! Everything is relative: after all the problems with communication, everyone is satisfied with what there is. The hiss and loss of quality on the gsm codec is nothing compared to ulaw / alaw on a “narrow” channel.

Afterword



The company lives, gsm saves the day. On Monday the Astribank will arrive, I will move the system back to ISDN and leave SIP in place just in case. The blocking script will be optimized. For now: logs of blocked calls are being kept for the authorities, a statement has been filed with the police, and we will see what they can do =)

If the community is interested in a continuation about Astribank, ISDN, police, and eliminating screenings - I will write ...

PS: please don't be hard on me for the language / mistakes ... emigration makes itself felt.

Source: https://habr.com/ru/post/86667/

