Next Step In Automatic Blacklisting

Christian Stredicke
CEO of Vodia Networks

The internet was designed pretty open. Everyone can send packets everywhere, well that was the idea in the beginning. Firewalls were added later.

One of the big problems when operating a service like a PBX on a public available address is that there are scanners testing IP addresses for vulnerabilities. At times those tests can get a real pain, to the degree that they affect or take down the service. That is called Denial of Service (DoS), not to be confused with the disk operating system which is DOS.

There are funny stories about denial of service, for example the ping of death. In the old times there was a bug where you could take down a PC with just one malformed ping packet.

Today things are a little bit more complicated. But those who have an interest to take services down are also a lot more sophisticated. Because telephone calls are still a valuable resource, VoIP systems are practically constantly under attack. That is why the Vodia PBX has an automatic blacklisting feature for a long time.

The problem with the automatic blacklisting is to keep those out who should not affect or abuse the service, and keep those in who are allowed to use and enjoy the service. The criteria for that is that after a few attempts, the user agent can come up with the right domain, user name and password. If not, the PBX takes action and blocks the address from where the request was coming from. It was working beautifully, and we enjoyed years of relatively smooth operations.

However recently we had more and more problems with devices and users that accidentally took down their office because it shares the same public IP address. The problem is not only because of offices, because of the increasing lack of IPv4 address it also affects unrelated users that are using the same IPv4 address because their carrier puts them into a NAT (especially in South East Asia a common problem). Having one guy randomly taking down his neighbors is not acceptable.

 

The only solution is that we must blacklist specific ports, not the whole IP address. We are currently trying this out with the post 5.2.5 images. The manual access control is still on whole IPv4/IPv6 addresses; but the automatic mechanisms drill deeper now. We hope that this will not have any negative side effects. At the end of the day, the goal is to reduce the number of false alarms and make the algorithm even more robust, and have us enjoy a few more years of relatively few cases where we have to manually take care about denial of service attempts.