- Vladimir Toncar (Kerio)
There is a new type of attack that is aimed at automatic provisioning. The botnets are scanning for TFTP servers and if they discover one, they try to auto-provision a SIP extension from it. We've recently seen a case when this attack was so intensive that it resulted in a denial of service.
Please note that the comment about phone provisioning ("Never make it accessible from the public internet.") in Operator's firewall configuration is there for a reason. It is really excessively risky to open automatic phone provisioning to the public internet. If an attacker "auto-provisions" an extension from your PBX, they will be able to call anywhere at your expense.
If you allowed access to hardware phone provisioning to 'All IP Addresses', please change it to something safe NOW. We recommend that you use HW phone provisioning only in your LAN or over a VPN link.
The next version of Operator will not allow the built-in IP address group 'All IP Addresses' to be used for phone provisioning firewall configuration.
For those interested in details, the mentioned attack was using TFTP requests that are typical for Linksys/Cisco SPA phones. Each request contained a different hardware address. It was a relatively stupid brute-force scanning of the address space but there's no guarantee the attackers will not improve over time.
[Updated on: Wed, 22 June 2016 10:50]
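A defensive check for the pattern described in the post above (one source requesting provisioning files for many different hardware addresses), as an added example that is not part of the original thread or of Kerio Operator. The log line shape, the file-name pattern and the thresholds are assumptions made for illustration; adapt them to what your TFTP server actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log shape (not any real server's format):
#   2016-06-22T10:41:07 203.0.113.5 RRQ spa0004f2a1b2c3.cfg
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+RRQ\s+(\S+)$")
# Assumption: per-device files carry the MAC as 12 hex digits, optional "spa" prefix.
FILE_RE = re.compile(r"(?:spa)?([0-9a-f]{12})\.(?:cfg|xml)", re.I)

def find_scanners(lines, max_macs=3, window=timedelta(minutes=5)):
    """Return {src_ip: peak distinct-MAC count} for sources that asked for
    more than max_macs different hardware addresses within one window."""
    events = defaultdict(list)  # src_ip -> [(time, mac)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a read request in the assumed shape
        ts, src, path = m.groups()
        f = FILE_RE.fullmatch(path.rsplit("/", 1)[-1])
        if f:  # model-wide files such as spa504G.cfg carry no MAC and are skipped
            events[src].append((datetime.fromisoformat(ts), f.group(1).lower()))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = peak = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({mac for _, mac in evs[start:end + 1]}))
        if peak > max_macs:
            flagged[src] = peak
    return flagged

SAMPLE_LOG = [  # constructed sample data: two LAN phones and one scanning source
    "2016-06-22T10:40:00 192.168.1.20 RRQ spa0004f2a1b2c3.cfg",
    "2016-06-22T10:40:30 192.168.1.20 RRQ spa0004f2a1b2c3.cfg",
    "2016-06-22T10:40:45 192.168.1.21 RRQ spa504G.cfg",
] + [f"2016-06-22T10:41:{i:02d} 203.0.113.5 RRQ spa000e08{i:06x}.cfg" for i in range(6)]

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

A real phone only ever asks for its own hardware address, so a low `max_macs` leaves room for a few phones behind one NAT address while still catching a sweep. A source that shows up here is also evidence that provisioning is reachable from somewhere it should not be.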
Thank you for the warning.
As of today my Operator is secured and only reachable via VPN (control of course)
Have a great day