Some interesting facts extracted from the article:
For research, I created a honeypot that mimics a vulnerable PBX.
For emulation, I used Kamailio nodes that send any calls to a termination node and answer OPTIONS and REGISTER.
For every INVITE I recorded From, To, UA, Call-ID, IP and call time.
The termination node has Kamailio with a Flask app for preprocessing calls and Asterisk for topology hiding when calls are sent to the PSTN.
All calls with a cost of more than 2 cents per minute were rejected with code 486.
I used 4 sensor nodes located in NL, DE, SG and NYC.
Over 18 days, 254805 INVITEs were collected from 296 different IPs. On average, 860 INVITEs were received from an IP.
Reports about the top source IPs, countries of origin and the operator, as well as related graphs, can be found in the conclusions of the research. A few hints are also provided on how to improve protection.
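To make the per-INVITE recording and the per-IP averages described above concrete, here is an added example (not code from the article or from the Kamailio project) that extracts From, To, UA, Call-ID, source IP and time from raw SIP messages and counts INVITEs per source. The function names, the `example-ua/1.0` agent string and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

COMPACT = {"f": "from", "t": "to", "i": "call-id"}  # RFC 3261 compact forms
URI_RE = re.compile(r"<([^>]+)>")
def _uri(value):
    # URI of a From/To value, whether or not it is wrapped in <>.
    m = URI_RE.search(value)
    return m.group(1) if m else value.split(";", 1)[0].strip()

def parse_invite(raw, src_ip, received_at):
    """Return the logged fields for an INVITE, or None for other messages."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    if not lines[0].startswith("INVITE "):
        return None
    hdr = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t") or ":" not in line:
            continue  # skip folded continuations and malformed lines
        name, value = line.split(":", 1)
        name = name.strip().lower()
        hdr.setdefault(COMPACT.get(name, name), value.strip())  # first wins
    return {"from": _uri(hdr.get("from", "")), "to": _uri(hdr.get("to", "")),
            "ua": hdr.get("user-agent", ""), "call_id": hdr.get("call-id", ""),
            "ip": src_ip, "time": received_at.isoformat()}

def invites_per_ip(records):
    """Return (Counter of INVITEs per source IP, mean INVITEs per IP)."""
    counts = Counter(r["ip"] for r in records)
    return counts, (sum(counts.values()) / len(counts) if counts else 0.0)

# Constructed sample traffic (documentation addresses, not captured data).
SAMPLE = [
    ("192.0.2.10", "INVITE sip:9001@198.51.100.5 SIP/2.0\r\n"
     'From: "100" <sip:100@198.51.100.5>;tag=a1\r\n'
     "To: <sip:9001@198.51.100.5>\r\nCall-ID: c1@192.0.2.10\r\n"
     "User-Agent: example-ua/1.0\r\n\r\n"),
    ("192.0.2.10", "INVITE sip:9002@198.51.100.5 SIP/2.0\r\n"
     "f: sip:200@198.51.100.5;tag=a2\r\nt: <sip:9002@198.51.100.5>\r\n"
     "i: c2@192.0.2.10\r\n\r\n"),
    ("192.0.2.77", "OPTIONS sip:198.51.100.5 SIP/2.0\r\nCall-ID: c4\r\n\r\n"),
    ("192.0.2.77", "INVITE sip:9004@198.51.100.5 SIP/2.0\r\nCall-ID: c5\r\n\r\n"),
]

def collect(sample=SAMPLE):
    """Parse every sample message and keep only the INVITE records."""
    now = datetime.now(timezone.utc)
    return [r for ip, raw in sample if (r := parse_invite(raw, ip, now))]
```

Scanners often omit headers or use compact forms, so the parser tolerates both and leaves missing fields empty instead of dropping the record.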
You can read the entire article at:
Thanks for flying Kamailio!