paulhsu / csipsimple

Automatically exported from code.google.com/p/csipsimple

Problems with new CallCentric settings #2013

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
CallCentric has suffered a major DDoS attack over the last two days. This has 
prevented many of us being able to register to their servers. As a result, they 
have published on their my.callcentric.com web site, new settings to use as a 
work-around.

The new settings involve the use of a Proxy server.  They have offered several 
proxies, two for clients that do DNS SRV lookups and a third for clients that 
do not support SRV lookups.

But with the new settings, while I am able to again register with CallCentric 
using CSipSimple, I cannot make calls.

What steps will reproduce the problem?
1.  Change to new CallCentric settings.
2.  Attempt to make call.
3.  Receive either "404 / Not found" or "483 / Too many hops" errors.

What is the expected output? What do you see instead?
Using the recommended CallCentric proxy for DNS SRV with SRV lookups enabled:
When Transport is forced to UDP, get "404 / Not found" error.
When Transport is set to Auto, get "483 / Too many hops" error.
All calls fail.

Using the alternate recommended CallCentric proxy for no DNS SRV and disabling 
use of SRV lookups in Network >> Settings:
Call appears to go through ok, but there is no audio.

What version of the product are you using? On what operating system?
Latest CSipSimple nightly.
Android ICS CyanogenMod (SpazeDog).
Phone is Nexus One.

Please provide any additional information below.
I have a ticket open with CallCentric and have provided them with the complete 
set of CSipSimple settings.  Will report back here if they suggest anything 
useful.  In the meantime, if anyone here has suggestions, please post.

Original issue reported on code.google.com by jropal...@gmail.com on 6 Oct 2012 at 9:39

GoogleCodeExporter commented 9 years ago
Seems their servers are laggy but I got the "tell me" test number working.

To do so:
 - Create your account with the callcentric wizard as usual
 - Save
 - Long press the row and choose "Change wizard" and select the "Advanced" wizard (in the generic section)
 - Edit the last field about proxy and set "srv.callcentric.com;hide" (take care that the ";" doesn't add an extra space).
 - Save. Go into settings (optionally ensure that DNS SRV is enabled in network settings), and press back twice. It should register. And you should be able to make calls.

I leave the issue open so that other users can find it. Also it seems to be a short-term 
workaround, so for now no need for me to change the wizard, but if they decide 
to make these settings definitive I'll do so.

Original comment by r3gis...@gmail.com on 6 Oct 2012 at 11:27

GoogleCodeExporter commented 9 years ago
I get a lot of timeout errors when registering however. It seems to be a problem with the 
servers and doesn't depend on the config. The one I indicated in my last post 
should be good.

Original comment by r3gis...@gmail.com on 6 Oct 2012 at 11:30

GoogleCodeExporter commented 9 years ago
Yes, adding the ";hide" suffix does allow calls to complete with audio.  That's 
the key.

I am not having problems with registering (at the moment) but the audio quality 
on the call is somewhat broken-up.  The Tell-Me, for example, had occasional 
stutter and the robot seemed to be having a hard time understanding what I said 
to it.  But it is at least somewhat usable again.

I will report this on my CallCentric ticket too, so that they can add a note 
for other users.

Original comment by jropal...@gmail.com on 6 Oct 2012 at 11:49

GoogleCodeExporter commented 9 years ago
Using the "bypass" proxy instead of the "srv" proxy seems to result in better 
audio quality and fewer registration timeouts.

Original comment by jropal...@gmail.com on 6 Oct 2012 at 12:00

GoogleCodeExporter commented 9 years ago
Hope you know posting the details on the temporary workaround they posted for 
customers only allowed the attackers insight to adjust their targets and now 
everyone is down because of posts like this.

Original comment by techma...@gmail.com on 6 Oct 2012 at 7:20

GoogleCodeExporter commented 9 years ago
Your comment is utter rubbish, techma.

Did you consider that the attackers may be CallCentric customers themselves and 
therefore directly able to read CallCentric's own work-arounds?

Security is not achieved through obscurity.

Original comment by jropal...@gmail.com on 6 Oct 2012 at 7:23

GoogleCodeExporter commented 9 years ago
+1 for jropal

Real security is never about hiding code/configuration. 
Open-source software like Linux, Firefox etc. are good examples that better 
security is achieved by opening things and allowing everyone to review. 

And in this particular case, even for a temporary workaround, anyone can have 
the information as soon as he creates a free callcentric account. And there is 
a good chance the attackers had *at least* one! I would be very surprised if not, 
all the more so as the kind of attack seems a non-obvious one and means that 
the attackers have probably prepared it a lot and have probably created 
accounts. 

Another point: if DNS is somehow involved in the attack, I would advise 
configuring with an IP rather than with a DNS name.
It will avoid DNS resolution and so avoid any problem during this part.
So you can choose one of their IPs (with the ;hide parameter). They have SIP 
proxy server IPs, so just choose one randomly (if users don't all choose the 
same one it should result in the same thing as using DNS names).

Original comment by r3gis...@gmail.com on 6 Oct 2012 at 8:22

GoogleCodeExporter commented 9 years ago
Apparently Callcentric services are back.

Be sure that DNS SRV option (in network settings part) is enabled so that 
you'll not all use the same server as entry point and relax their servers. It's 
already the case if you used the dedicated wizard.

Original comment by r3gis...@gmail.com on 21 Oct 2012 at 12:33
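
The effect of the DNS SRV option described in the comment above, as an added example that is not part of the original thread or of CSipSimple's code: it applies RFC 2782 target ordering to constructed SRV records and shows how clients spread across entry points and fail over when some are unreachable, where one hard-coded proxy would receive every client. The example.net hostnames, the weights and the helper names are assumptions.

```python
import random
from collections import Counter

# Constructed SRV answer for _sip._udp.example.net: (priority, weight, port, target).
# Hostnames and values are illustrative only, not any provider's real records.
SRV_RECORDS = [
    (10, 60, 5060, "sip-a.example.net"),
    (10, 30, 5060, "sip-b.example.net"),
    (10, 10, 5060, "sip-c.example.net"),
    (20, 0, 5060, "sip-backup.example.net"),
]

def order_srv(records, rng):
    """Return targets in the order a client should try them (RFC 2782)."""
    ordered = []
    for prio in sorted({r[0] for r in records}):  # lowest priority value first
        # Zero-weight records are placed first in the group, as the RFC requires.
        group = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while group:
            pick = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for i, rec in enumerate(group):
                running += rec[1]
                if running >= pick:  # first running sum >= random number
                    ordered.append(group.pop(i)[3])
                    break
    return ordered

def pick_entry_point(records, unreachable, rng):
    """First target in RFC 2782 order that is not known to be unreachable."""
    for host in order_srv(records, rng):
        if host not in unreachable:
            return host
    return None  # every advertised entry point is down

def first_hop_share(records, clients, seed=0):
    """Fraction of simulated clients whose first attempt goes to each target."""
    rng = random.Random(seed)
    counts = Counter(order_srv(records, rng)[0] for _ in range(clients))
    return {host: n / clients for host, n in counts.items()}

if __name__ == "__main__":
    for host, share in sorted(first_hop_share(SRV_RECORDS, 10000).items()):
        print(f"{host}: {share:.1%} of first attempts")
    down = {"sip-a.example.net", "sip-b.example.net", "sip-c.example.net"}
    print("primaries down ->", pick_entry_point(SRV_RECORDS, down, random.Random(1)))
```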

GoogleCodeExporter commented 9 years ago
My business couldn't wait for the callcentric issue to be solved. Additionally, 
there's no proof that these issues won't reoccur. However, that helped me in 
making an important decision: running my own SIP server. Since many of my 
colleagues are around the world, I can make free calls internally, and register with 
ipkall for free DIDs, so that people from other networks can call me. I made my 
service public too, so you can freely register and use it: www.freelycall.com

Original comment by steelman...@gmail.com on 20 Nov 2012 at 2:01

GoogleCodeExporter commented 9 years ago
@comment 9: congrats on this new service. If you'd like to be listed as a 
wizard, do not hesitate to share settings optimized for your service. See: 
http://code.google.com/p/csipsimple/wiki/AddASipProvider?wl=en

Original comment by r3gis...@gmail.com on 20 Nov 2012 at 2:34

GoogleCodeExporter commented 9 years ago
Thanks!
I have sent an email to the developers with the details requested on that page :)
The subject is "adding FreelyCall provider"

Original comment by steelman...@gmail.com on 20 Nov 2012 at 4:25