CallCentric "Under Attack"

Discussion in 'UK VOIP' started by (PeteCresswell), Oct 5, 2012.

  1. Their problem reporting page contains the rather-verbose message
    below, but does not tell the customer what to expect.

    Would I be guessing correctly that one thing to expect would be
    busy signals on long-distance calls?

    --------------------------------------------------------------
    Investigation into current problems:
    For the past two days we have been experiencing a sophisticated
    type of attack. As soon as we noticed the first attempt we commenced
    an immediate physical upgrade to all of our servers increasing
    capacity and CPU power by a factor of four in addition to other
    precautions. Unfortunately even though this is similar to a
    "typical" DDoS attack it is targeted specifically at the SIP
    protocol and causes server load to increase to 100% within 1
    minute of initiation. As such, standard and extraordinary
    prevention measures were unable to prevent it. We do not know the
    specific methodology of the attack but are aware that it is
    *similar* in effect to a DNS TRASH flood attack. We are
    performing forensic analysis on the data we have and are
    capturing traffic to find an exact reason and solution.

    We would like to clarify that there was no intrusion into our
    network and all of our servers switches and internet connections
    have been functioning *normally* throughout the entirety of this
    concern. None of our equipment or interlinks were disconnected or
    went down. Additionally please note that all of your information
    is encrypted, safe and secure; and that NO customer data was
    stolen NOR destroyed.

    We have experienced attempted *unsuccessful* attacks in the past
    and have made changes in real-time to stop them as well as to
    prevent future similar attacks. Many of our security
    documentation guidelines and features have been geared towards
    these changes. Unfortunately this is an entirely new type of
    attack, the mechanics of which are still coming to light.

    ..... (more stuff snipped)
    --------------------------------------------------------------
    --
    Pete Cresswell
    (PeteCresswell), Oct 5, 2012
    #1

  2. Per (PeteCresswell):
    >Investigation into current problems...


    I got an email from the provider, but understanding it appears to be
    somewhat beyond my current pay grade.

    They want me to change my "Outbound Proxy" to one of three values
    depending on something I have no clue about:

    ------------------------------------------------------------------
    Outbound proxy:

    sip.callcentric.com - For clients *ONLY* able to use A records
    srv.callcentric.com - For clients able to use DNS SRV
    bypass.callcentric.com - For clients able to use DNS SRV
    ------------------------------------------------------------------

    Can anybody shed some light? Maybe something I can do to
    determine which category I fall under?

    FWIW my current Outbound Proxy = "CallCentric.com"

    If I had to guess, I'd say "DNS SRV" = "DNS Server"

    If that's the case, I guess it'd be down to choosing between the
    second two addresses.

    ??
    --
    Pete Cresswell
    (PeteCresswell), Oct 6, 2012
    #2

  3. (PeteCresswell) wrote:

    >
    > sip.callcentric.com - For clients *ONLY* able to use A records
    > srv.callcentric.com - For clients able to use DNS SRV
    > bypass.callcentric.com - For clients able to use DNS SRV
    > ------------------------------------------------------------------
    >
    > Can anybody shed some light? Maybe something I can do to
    > determine which category I fall under?


    Not without knowing what client you are using.
    David Woolley, Oct 6, 2012
    #3
  4. On Fri, 05 Oct 2012 15:37:47 -0400, "(PeteCresswell)" <> wrote:

    > Their problem reporting page contains the rather-verbose message
    > below, but does not tell the customer what to expect.
    >
    > Would I be guessing correctly that one thing to expect would be
    > busy signals on long-distance calls?


    I am getting "registration failed" results from both my Gigaset and Bria
    softphone and no connection, let alone busy signals, from attempts at
    outgoing calling. Is anyone seeing something different?
    Anthony R. Gold, Oct 6, 2012
    #4
  5. Per Anthony R. Gold:
    >On Fri, 05 Oct 2012 15:37:47 -0400, "(PeteCresswell)" <> wrote:
    >
    >> Their problem reporting page contains the rather-verbose message
    >> below, but does not tell the customer what to expect.
    >>
    >> Would I be guessing correctly that one thing to expect would be
    >> busy signals on long-distance calls?

    >
    >I am getting "registration failed" results from both my Gigaset and Bria
    >softphone and no connection, let alone busy signals, from attempts at
    >outgoing calling. Is anyone seeing something different?


    I got a response from them yesterday.

    The fix for me on my SPA3102 was to change Voice > Line 1 >
    Outbound Proxy from "callCentric.com" to "srv.callcentric.com".

    Didn't try to use my instance of Bria during the problem period,
    but it just worked for me now on a long-distance call.
    --
    Pete Cresswell
    (PeteCresswell), Oct 7, 2012
    #5
  6. On Sun, 07 Oct 2012 09:22:18 -0400, "(PeteCresswell)" <> wrote:

    > Per Anthony R. Gold:
    >> On Fri, 05 Oct 2012 15:37:47 -0400, "(PeteCresswell)" <> wrote:
    >>
    >>> Their problem reporting page contains the rather-verbose message
    >>> below, but does not tell the customer what to expect.
    >>>
    >>> Would I be guessing correctly that one thing to expect would be
    >>> busy signals on long-distance calls?

    >>
    >> I am getting "registration failed" results from both my Gigaset and Bria
    >> softphone and no connection, let alone busy signals, from attempts at
    >> outgoing calling. Is anyone seeing something different?

    >
    > I got a response from them yesterday.
    >
    > The fix for me on my SPA3102 was to change Voice > Line 1 >
    > Outbound Proxy from "callCentric.com" to "srv.callcentric.com".
    >
    > Didn't try to use my instance of Bria during the problem period,
    > but it just worked for me now on a long-distance call.


    Thanks but that did not work for me. Indeed I can not even get DNS resolution
    for hostname srv.callcentric.com.
    Anthony R. Gold, Oct 7, 2012
    #6
  7. Per Anthony R. Gold:
    >Thanks but that did not work for me. Indeed I can not even get DNS resolution
    >for hostname srv.callcentric.com.


    It's still working here.

    But I cannot ping srv.callcentric.com either.

    The explanation is probably in AlexD's post, but I haven't parsed
    it yet.
    --
    Pete Cresswell
    (PeteCresswell), Oct 7, 2012
    #7
  8. On Sun, 07 Oct 2012 20:49:42 +0100, alexd <> wrote:

    > Anthony R. Gold (for it is he) wrote:
    >
    >> Thanks but that did not work for me. Indeed I can not even get DNS
    >> resolution for hostname srv.callcentric.com.

    >
    > Ditto, but see below.
    >
    > One of the functions of SRV is that it allows a user to just tell the application the domain name
    > of interest, and the application follows a certain convention from that in order to locate the
    > DNS entries of interest. For example, if I want to speak SIP over UDP to callcentric.com:
    >
    > $ dig _sip._udp.callcentric.com SRV
    >
    > ;; QUESTION SECTION:
    > ;_sip._udp.callcentric.com. IN SRV
    >
    > ;; ANSWER SECTION:
    > _sip._udp.callcentric.com. 3 IN SRV 20 0 5080 alpha4.callcentric.com.
    > _sip._udp.callcentric.com. 3 IN SRV 20 0 5080 alpha5.callcentric.com.
    > _sip._udp.callcentric.com. 3 IN SRV 20 0 5080 alpha6.callcentric.com.
    > _sip._udp.callcentric.com. 3 IN SRV 20 0 5080 alpha7.callcentric.com.
    > _sip._udp.callcentric.com. 3 IN SRV 20 0 5080 alpha8.callcentric.com.
    > _sip._udp.callcentric.com. 3 IN SRV 20 0 5080 alpha9.callcentric.com.
    > _sip._udp.callcentric.com. 3 IN SRV 20 0 5080 alpha1.callcentric.com.
    > _sip._udp.callcentric.com. 3 IN SRV 20 0 5080 alpha2.callcentric.com.
    > _sip._udp.callcentric.com. 3 IN SRV 20 0 5080 alpha3.callcentric.com.
    >
    >
    > the answer being, port 5080 to any one of alpha1 - 9, because they all have equal priority [20]
    > and weighting [0]. Although, sticking .srv in there does give a slightly different result:
    >
    > ;; ANSWER SECTION:
    > _sip._udp.srv.callcentric.com. 60 IN SRV 20 0 10123 alpha1.callcentric.com.
    > <snipped as they're all in order>
    > _sip._udp.srv.callcentric.com. 60 IN SRV 20 0 10123 alpha9.callcentric.com.
    >
    >
    > Some other examples:
    >
    > ;; ANSWER SECTION:
    > _sip._udp.sipgate.co.uk. 2122 IN SRV 0 0 5060 sipgate.co.uk.
    >
    > ;; ANSWER SECTION:
    > _sip._udp.voip.co.uk. 120 IN SRV 0 0 5060 i-cscf-03.a.synergy.voip.co.uk.


    Thanks. I guess my Gigaset does not support SRV records.
    Anthony R. Gold, Oct 7, 2012
    #8
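
    The SRV lookup convention quoted in the post above, as an added example that is not part of any poster's message: it parses dig-style answer lines (a subset of those quoted in the thread) and orders the targets the way an SRV-capable SIP client would under RFC 2782, lowest priority first with a weighted random choice within a priority. The function names `parse_srv` and `order_targets` are hypothetical.

```python
import random

# Answer lines copied from the dig output quoted in the thread (a subset).
DIG_ANSWER = """\
;; ANSWER SECTION:
_sip._udp.callcentric.com. 3 IN SRV 20 0 5080 alpha4.callcentric.com.
_sip._udp.callcentric.com. 3 IN SRV 20 0 5080 alpha5.callcentric.com.
_sip._udp.srv.callcentric.com. 60 IN SRV 20 0 10123 alpha1.callcentric.com.
_sip._udp.sipgate.co.uk. 2122 IN SRV 0 0 5060 sipgate.co.uk.
"""

def parse_srv(text):
    """Parse dig-style SRV answer lines; comment and non-SRV lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if line.startswith(";") or len(f) != 8 or f[2:4] != ["IN", "SRV"]:
            continue
        records.append({"name": f[0].lower(), "ttl": int(f[1]),
                        "priority": int(f[4]), "weight": int(f[5]),
                        "port": int(f[6]), "target": f[7].rstrip(".")})
    return records

def order_targets(records, name, rng=random):
    """Return [(target, port), ...] for `name` in RFC 2782 try-order:
    lowest priority value first, weighted random choice within a priority."""
    mine = [r for r in records if r["name"] == name.lower()]
    ordered = []
    for prio in sorted({r["priority"] for r in mine}):
        group = [r for r in mine if r["priority"] == prio]
        rng.shuffle(group)                            # arbitrary base order
        group.sort(key=lambda r: r["weight"] != 0)    # weight-0 records first
        while group:
            pick = rng.randint(0, sum(r["weight"] for r in group))
            running = 0
            for i, r in enumerate(group):
                running += r["weight"]
                if running >= pick:                   # first record reaching the pick
                    ordered.append((r["target"], r["port"]))
                    del group[i]
                    break
    return ordered

if __name__ == "__main__":
    recs = parse_srv(DIG_ANSWER)
    for qname in ("_sip._udp.callcentric.com.", "_sip._udp.srv.callcentric.com."):
        print(qname, order_targets(recs, qname))
```
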
  9. On Sun, 07 Oct 2012 16:56:29 -0400, "(PeteCresswell)" <> wrote:

    > Per Anthony R. Gold:
    >> Thanks but that did not work for me. Indeed I can not even get DNS resolution
    >> for hostname srv.callcentric.com.

    >
    > It's still working here.
    >
    > But I cannot ping srv.callcentric.com either.
    >
    > The explanation is probably in AlexD's post, but I haven't parsed
    > it yet.


    Maybe a couple of issues here. First, maybe srv.callcentric.com is not even a
    hostname with an A record, according to alexd's theory. But second, even if
    it was a host name it likely would not be responding to pings anyway - See:

    http://www.callcentric.com/faq.php?s_go=1&search=ping&go=Search#102

    But finally, Callcentric is registering again using its main host name.
    Anthony R. Gold, Oct 7, 2012
    #9
  10. (PeteCresswell), Oct 8, 2012
    #10