Our ProSBC has an Internet-facing NAP for our subscribers. Its access list is configured to allow registration and calls from a limited IP address range. The domain has a registrar which is a Huawei Softswitch that is located in the LAN.
We have had incidents of toll fraud where (1) criminals tunnel through vulnerable customer routers that are in the accepted IP range, and (2) perhaps through password brute-forcing, they eventually manage to make calls on the system.
Would it be possible from the ProSBC to control or limit this kind of attack? E.g. can we automatically blacklist an IP address if it registers with an incorrect password a set number of times, to prevent password brute-forcing? Or blacklist an IP address that is generating more than an expected amount of traffic, or making calls at a fast rate?
What other suggestions could we use to deal with this problem?
We are, of course, working on the issue of the vulnerable routers themselves, but wanted to see if there are also any mitigations we can employ on the SBC side.
Hello. You can block IPs, but it is not automatic - you need to add ACL rules: ACL in ProSBC
It will block traffic from a specific IP if there are too many requests in a short period of time.
Your situation with the ProSBC facing toll fraud is certainly challenging. One idea you might consider, in addition to the native ACL, is to integrate an external monitoring system or an API-driven dynamic blacklist. For instance, in our IP trunking setup with providers, we’ve implemented a system designed to prevent fraud by auditing all calls. This allows us to dynamically block IP addresses (or just the phone numbers) after a few repeated failed attempts, effectively thwarting brute-force attacks. Such a system could potentially be adapted to your needs, enhancing security by promptly responding to suspicious activities. Please let us know if you require any assistance.
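The dynamic blacklist idea discussed in this thread, sketched as an added example that is not part of any post above and is not ProSBC code: a sliding-window detector for the two behaviours the question names, repeated failed registrations and a fast call rate. The event tuple format, thresholds and function names are assumptions; how the resulting IPs are pushed into an ACL is not shown in the thread and is left out.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for illustration; tune them to normal subscriber behaviour.
WINDOW_SECONDS = 60
MAX_AUTH_FAILURES = 5   # rejected authenticated REGISTERs per window
MAX_INVITES = 10        # call attempts per window

def find_offenders(events, window=WINDOW_SECONDS,
                   max_failures=MAX_AUTH_FAILURES, max_invites=MAX_INVITES):
    """Return {ip: reason} for sources over either limit within a sliding window."""
    # events: (ts, src_ip, method, had_auth, status) tuples sorted by ts (assumed format)
    failures, invites, offenders = defaultdict(deque), defaultdict(deque), {}

    def hit(bucket, ip, ts, limit):
        q = bucket[ip]
        q.append(ts)
        while q and q[0] <= ts - window:   # drop timestamps that left the window
            q.popleft()
        return len(q) > limit

    for ts, ip, method, had_auth, status in events:
        if ip in offenders:
            continue
        # A 401 to a REGISTER without credentials is the normal digest challenge,
        # so only rejections of requests that carried credentials are counted.
        if method == "REGISTER" and had_auth and status in (401, 403):
            if hit(failures, ip, ts, max_failures):
                offenders[ip] = "auth-failures"
        elif method == "INVITE" and hit(invites, ip, ts, max_invites):
            offenders[ip] = "call-rate"
    return offenders

def sample_events():
    """Constructed events using documentation IP ranges (RFC 5737)."""
    ev = []
    # Legitimate phone: challenge, then a successful authenticated REGISTER.
    for t in range(0, 300, 30):
        ev.append((t, "192.0.2.10", "REGISTER", False, 401))
        ev.append((t + 1, "192.0.2.10", "REGISTER", True, 200))
    # Password guessing: one rejected authenticated REGISTER every 2 s.
    for t in range(100, 130, 2):
        ev.append((t, "198.51.100.7", "REGISTER", True, 401))
    # Abnormal call rate: one INVITE per second.
    for t in range(200, 230):
        ev.append((t, "203.0.113.9", "INVITE", True, 200))
    return sorted(ev)

if __name__ == "__main__":
    print(find_offenders(sample_events()))
```

Because the attacks described come through customer routers inside the accepted range, a flagged IP may also carry a legitimate subscriber's traffic, so a time-limited block is worth considering over a permanent one.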