International Journal for Information Security Research (IJISR), Volume 9, Issue 1, March 2019

Analysis of a PBX Toll Fraud Honeypot

N. McInnes, E.J. Zaluska, G. Wills
School of Electronics and Computer Science
Faculty of Engineering and Physical Sciences
University of Southampton
United Kingdom

Abstract

Organisations are moving over from legacy telecommunications to Voice over IP (VoIP), enabling greater flexibility, resilience and an overall cost reduction. Session Initiation Protocol (SIP) is considered to be the main VoIP protocol in the business-to-business market, but the correct implementation and configuration is not always well understood. The failure to configure SIP systems correctly has led to significant fraud exploiting a range of vulnerabilities and billions of dollars every year being stolen from companies of all sizes through PBX Hacking via the medium of Toll Fraud. Previous research into this area is now dated but suggested fast-changing approaches by attackers. Industry organisations such as the Communications Fraud Control Association (CFCA) acknowledged this is a fast-growing problem. To quantify the size of the current problem, a Honeypot experiment was undertaken using a popular phone system used by businesses. The Honeypot ran for 10 days and recorded just under 19 million SIP messages. This research has identified attackers are using various sophisticated methods to attempt to gain access and trick a PBX into making calls. When comparing previous research, the rate of attack is approximately 30 times more aggressive and the countries from where attacks originate are distributed over

1. Introduction

Voice over Internet Protocol (VoIP) is a group of protocols that enables voice communication over an IP network.

Current telephone networks are in the process of moving from a closed legacy approach in network design (traditionally copper cable infrastructure using Signalling System No. 7 (SS7) technologies) to an open approach based on other mediums (for instance IP). This transition enables telephone costs to be significantly reduced and gives users greater flexibility over their communications ecosystem.

However, as the market for VoIP paid calls grows, it also increases the possibility of misuse and fraud. Billions of dollars a year is being lost through various activities such as toll fraud, where calls are made to phone numbers (through a hacked component) where the calling party receives revenue from such calls at the expense of the victim – completely unknown and undetected until they receive their telephone bill [1]. Annual fraud figures published by the Communications Fraud Control Association (CFCA) suggest that around 38 billion are lost to fraud [2] and PBX hacking itself has increased by over 60% resulting in losses of over 7 billion in 2015 [3]. This crime is now becoming such a concern that national bodies such as the City of London Police, through its subsidiary ‘Action Fraud’, are now specifically collecting details about this kind of crime [4].

Previous research using VoIP Honeynets to assess the impact of attackers is now over 5 years old. One of the results of these early studies was that the attackers changed their behaviour over time [5]. This article provides a comparison and discusses the methodology and results of a Honeypot experiment that ran for just 10 days to provide an up-to-date view on the attack methods currently being used by attackers.

2. Background Literature

Ahmed et al. state that many consumer-based services are value-added and peer-to-peer in nature, often using their own proprietorial protocols [6] (Skype, Viber and WhatsApp are examples). In these cases, protocols are closed, custom built and have dedicated mobile phone applications.

In comparison, business services typically focus on interoperability, because most businesses want to use existing equipment, which requires the use of a common protocol. As suggested by Abdelnur et al., SIP is the IETF-recommended protocol for VoIP [7].

Copyright 2019, Infonomics Society

2.1. SIP

SIP is the industry recommended VoIP Protocol for interconnectivity and an open standard (IETF RFC 3261) [8]. This has enabled a number of manufacturers, namely Cisco, Avaya, Yealink and software vendors such as Asterisk, Sangoma, Freeswitch to build products and platforms that work together.

SIP works by separating a phone call into signalling and media elements [9]. The signalling, which carries messages containing the initial call message to begin a session (called an ‘Invite’), includes the initial call details such as destination number, origination number and other parameters such as privacy information and audio codec to be used. This is usually on User Datagram Protocol (UDP) port 5060 [8]. The audio channels are set up on 2 random UDP ports (for example in the case of Asterisk these ports are between 10,000-20,000 for bidirectional audio).

SIP uses Uniform Resource Identifiers (URI) adopting the following format: SIP/Extension@IP [10]. This approach is similar to other web protocols, for instance a web URL or File Transfer Protocol (FTP) address.

SIP is regularly used in one of 2 modes depending on the context it is to be used within: IP Authentication or Registration (to be able to identify a user). IP Authentication is regularly used for SIP trunking (equivalent to a trunk line) between a provider’s switch and a customer’s Private Branch Exchange (PBX), where registration is most often used to register a handset to a PBX.

IP authentication requires a PBX to have a dedicated public IP where the PBX is public facing. For the scope of this article, it is usually at this interface that attacks from the Internet will occur.

2.2. Private Branch Exchange (PBX)

A PBX is a phone system that is usually located inside a business’s office and has desk phones connected to it.
PBXs originally had complex command line interfaces, however as web technologies have improved more PBXs have entered the market with easy-to-use Graphical User Interfaces (GUI).

User devices can regularly change IP, therefore a device needs to periodically register with a SIP server. This can be to a PBX to reconfirm where to send Invites (for receiving or making a call) [11]. Registration is performed by username and password authentication and is used between a PBX and a device (e.g. handset), although both types can be used in other use cases (i.e. a trunk can also be username/password based). Fig. 1 shows a normal use case of how the SIP protocol is used in business communications.

Figure 1. Normal Business SIP Use Case

Many workers work remotely (home workers). This requires a firewall to accept incoming traffic from the general internet. This introduces new sets of challenges that PBX owners need to consider. To achieve this use case, a PBX generally requires a dedicated public IP.

A PBX having a dedicated IP allows a business not only to be able to connect to their provider using IP Authentication, but supports working patterns that are becoming more popular in a changing society. For instance, teleworking which can involve working from home or on the go. However, due to the nature and impracticality and shortage of IPv4 addresses, not many mobile devices or consumer broadband services (which a VoIP phone would connect to) have a dedicated IP. This presents a challenge to businesses of how to limit access to the PBX through a firewall.

2.3. VoIP Vulnerabilities and Types of Attacks

Many potent VoIP vulnerabilities have been identified. Rebahi et al. studied more than 220 different vulnerabilities [12].
Proprietorial software, services and open source all appear to have their own vulnerabilities.

Skype users have reported account breaches via a login vulnerability (weak credentials) or SIP not encrypting signalling or media.

In contrast, Sengar suggests that most SIP vulnerabilities are not due to the weaknesses in the protocol itself, but result from poor SIP credentials and misconfigured systems [13]. Other researchers such as Hoffstadt et al. [14] and Gruber et al. [15] support this assessment.

2.4. PBX Penetration Studies

Hoffstadt et al. [14] from the University of Duisburg, Essen, Germany have become leading researchers in VoIP Attacks for fraudulent purposes. Their paper presented at the IEEE 2012 Conference on Trust, Security and Privacy in Computing and Communications began with them building a Honeynet (a collection of Honeypots) set up as an Intrusion Detection System (IDS), located in Germany and the USA.

This Honeynet collected over 47.5 million messages over approximately a 2-year period. Hoffstadt et al. used a novel method to collect not only messages contacting their systems, but also the entire subnet (monitoring the Level 3 Switch). On building the Honeynet, Hoffstadt et al. analysed previous work and established that low level interaction Honeypots have weaknesses by not being able to provide a full overview and only enable basic "fingerprinting". Hoffstadt et al. identified that considerable amounts of data will be available and could use Packet Capture (PCAP) and UDP Sockets for SIP Traffic analysis. They did this by building 2 networks, one with SIP components, the other without.

Hoffstadt et al. [14] discovered that to determine if a device is SIP enabled, attackers would send out Option messages to probe whether a device is SIP enabled or not (where the device would reply if it was). An Option is a message sent out to a SIP server which replies with a list of features it supports. This led to Hoffstadt et al. categorising an attack into 4 stages [14]:

- SIP Server Scan – Scan IP with Option messages looking for replies
- Extension Scan – Scan for extensions looking at differences in error messages
- Extension Hijacking – Using dictionary attacks on extensions
- Toll Fraud – Making successful calls.

In Essen’s analysis of the signalling details, Hoffstadt et al. noted that tools such as SIPVicious were being used to automate an attack. This confirms the claim by Ronniger et al. that there are tools available to attack VoIP Infrastructures [16].

Hoffstadt et al. established that once a non-SIP component was open to the public internet, it appeared to be continually under Option attacks [14].

In contrast, when a SIP component replied, little to no Options were further received, but attackers moved onto stage 2. Stage 3 of the attack typically used 10,000 various usernames with different password combinations (over 55,000 attempts) which took a little over a minute to complete. On successfully registering, it was observed that after some time, Toll Fraud began (stage 4) where various prefixes (numbers) were used to dial out (i.e. 011 for an international line in the US and 00 for an international line in Germany) [14].

Although most attacks were automated when scanning and brute forcing, the authors discovered that stage 4 would happen several months after successfully registering with an extension [14]. The victim may have difficulties in researching the hack as evidence may already have been destroyed by natural log cycles in order to save storage space.

In further papers [17], Hoffstadt et al. extend their work to introduce logic. This allowed them to dynamically create extensions where that extension was being probed, giving the impression the extension is valid.

Furthermore, a system was introduced to answer calls for random periods to simulate a call. This enabled Hoffstadt et al. to follow attackers from stage 1, where multiple IP addresses may be involved [17]. Later on, Hoffstadt et al. created a Generic Attack Replay Tool (GART) allowing the replaying of attacks by capturing key information to assist in building tools that can detect and prevent attacks at a later date [18].

Repeated studies found that once an attacker has gained access, they attempt to call premium-rate numbers or high-cost numbers in various countries, suggesting attackers earn money for doing so [14,15]. Gambia, Palestinian territories and Somalia appear to be regularly attempted. Gruber et al. go further, suggesting that most calls go to African countries [5].

Since 2011, researchers at Vienna University of Technology have also been running a Honeynet. Their findings coincide with Essen’s in that many calls were to African countries (Ethiopia and Egypt) and when attempts are made, most of the time the attempt is made from an Egyptian IP address [15].

Researchers at the University of Duisburg partnered with Researchers at the Network Systems Group to develop novel methods for implementing and improving monitoring nodes around distributed Honeynets with monitoring points in China, Norway and Germany.
This reconfirmed their initial conclusions that attackers scan large segments of the internet. Moreover, they determined not all attackers were involved in the different stages of attacks, concluding that attackers share information about potential victims with other attackers [19].

3. Methodology

Researchers at Essen and Vienna both developed Honeynets (the collection of Honeypots) to monitor SIP messaging at different geographical locations. These studies did not facilitate the use of a PBX, but only certain software engines used by PBX software.

At the SIP Signalling level, messages can contain metadata regarding the software configurations and versions in replies to Invites, Options and Registration requests. This requires a high-interaction Honeypot.

To meet the requirements of having a high-interaction VoIP engine, the decision was taken to use a popular open source PBX software package known as FreePBX.

FreePBX is a feature rich platform, which claims over 1 million installs. This means that if hackers are actively seeking out VoIP Systems to attack, then this would be a good candidate because of its wide installation base.

As FreePBX is lightweight in nature, a Virtual Machine is sufficient to run the Honeypot, which is located in the United Kingdom. In this experiment, the Honeypot would reply with the Server type as FPBX VERSION where VERSION is the version of FreePBX being used in the SIP Messaging. FreePBX is built on top of the Open Source Asterisk Engine.

3.1. PBX Configuration

For ease of setup, monitoring and collecting data, it is important that the PBX is set up in a way which maximises opportunities to collect and study how a PBX hack attempt has occurred while minimising and reducing risk.

The overall goal is to study a hack attempt, not to allow the system itself to get infected by malware or similar. Certain flows will be allowed to allow toll fraud, but overall the system is to be locked down and no actual calls can be made as it is not connected to a phone provider.

The PBX is installed via the ISO disk image provided by FreePBX which allows a straightforward installation. The ISO is built on the Linux CentOS 7 Operating System.

FreePBX comes with several built-in security features such as Fail2ban which will block an IP for a period of time if incorrect credentials are provided. However, for the purpose of this experiment, to assist in obtaining a full understanding of the scale of the current problem, Fail2ban was disabled. (Leaving Fail2ban enabled could limit the number of attacks on the PBX.)

To secure all ports, the Virtual Machine (VM) provider provides a free virtual firewall which provides the ability to block all connections except a select few TCP and UDP ports.

For the purpose of this experiment the following ports were opened and monitored:

- TCP: 5060-5070
- UDP: 5060-5070, 10,000-20,000

As shown by Hoffstadt et al. [14] and Gruber et al. [15], attackers would scan extensions looking at the replies to determine if an extension exists. Therefore, to trigger different responses, various extensions have been created to provide an illusion of a live production system (reinforcing metadata replies to SIP requests). These extensions can be seen in Table 1.

To record SIP interactions on the PBX, different methods could be used. SIP interactions could be recorded in the Asterisk log or via Packet Analysis. Packet Analysis is preferred over the Asterisk Log as it allows for detailed inspection of all events that occur over the network interface of the system, which may not be recorded via the Asterisk Log.

Using a utility such as Wireshark, knowledge was gained to determine whether findings in previous studies are still valid and what new techniques are being used. Wireshark also contains tools that were used for summarising certain types of SIP events, such as the SIP statistics that are part of Wireshark. For these reasons, Wireshark was used.

TABLE 1. SAMPLE EXTENSIONS CREATED
Username (Extension)
500150015003dfdfSDG3435s

In addition to the above, using the Virtual Machine Provider’s Tools, Bandwidth Data and Machine Resources will be monitored to see what impact, if any, an attack has on the VM.

The specification of the Virtual Machine was 1 x 2.4Ghz Intel virtual core with 1024gb of RAM and SSD storage.

4. Results

The data analysed was collected over a 10-day period (24th September 00:00 BST – 3rd October 23:59 BST 2018). During this period, just under 19 million SIP messages were received from malicious actors. These were split into the following SIP Message Types as seen in Table 2. For the purpose of this experiment, Register, Invite and Option have the meaning set out by IETF RFC 3261 [8].
For instance:

- Register allows the PBX to know where the device connecting to it is.
- Invite contains parameters on a call and Invites a device to begin a session.
- Option allows a device to understand the capability of another device.

The IP of the Honeypot was not publicly advertised and real devices were not connected to the SIP system. Therefore, it can be presumed that all inward SIP traffic was malicious.

During the period the Honeypot ran, less than 0.02% of all registration attempts successfully registered, and the only successful registrations were when the password was the same as the extension. When analysing packet data to investigate credential combinations, some attempts were with the same credential combination. The attempts in the attack on the 3rd October were all with the same credential combination.

TABLE 2. DAILY BREAKDOWN OF SIP MESSAGE TYPES RECEIVED
SIP Message Type ,215876

4.1. System Resources

During the 10-day period the Honeypot ran, approximately 20GB of SIP traffic was recorded which averaged 2GB per day due to inward SIP Messages.

The highest average bandwidth utilisation recorded by the Virtual Machine provider was 600Kbps. The highest average CPU utilisation recorded by the Virtual Machine was 30% and the average SIP dictionary registration attack was for 12 hours (excluding 3rd October). During these times the above average results of bandwidth and CPU utilisation were observed. Fig. 2 shows an IO graph exported from the Wireshark tool which demonstrates the intensity of packets per second.

Figure 2. Data IO Graph 24/9/2018

4.2. Attack Origination

During this experiment, the highest number of IP /24 subnets observed was from the United States. Although not displayed in Table 3, only 7 /24 subnets were witnessed from the United Kingdom.

The PBX was attacked from multiple sources. Our experiment observed IP subnets from over 75 destinations across 886 subnets. Fig. 3 demonstrates these in detail. Countries not shaded were not witnessed; the darker the shade, the more IP /24 subnets were observed.

Figure 3. Attack IP /24 Subnet Country Origination (attack sources)

This data is further broken down by top countries of observed IP /24 subnets in Table 3. This displays, from highest to lowest, how many IP /24 subnets (4th Octet removed) were observed from each country.

TABLE 3. TOP COUNTRIES OF IP /24 SUBNETS OBSERVED

Destination              Numbers observed of individual IP /24 Subnets
United States            157
Brazil                   113
France                   96
China                    80
Russian 0
Indonesia                17
Iran                     16
Palestinian Territories  15
Other                    235

4.3. Volume of Attacks

In section 4.2, it was claimed that the United States was the most frequent country by different IP /24 subnets to attempt to gain access in some way to the PBX Honeypot. Yet, this does not necessarily mean that most attacks were witnessed from the United States. Instead, as displayed in Fig. 4, the largest amount of data transferred was from attacks which originated from the Netherlands.

Figure 4. Top Countries by Data Transferred

The majority of traffic from the Netherlands and Iceland originated from 1 IP /24 subnet, where in comparison it was balanced for French, Russian and US IP subnets.

4.4. 3rd October Registration Attack

The attack witnessed on the 3rd October 2018 was multiple times bigger than any other attack. Instead of the approximate 12-hour attacks (Fig. 2) witnessed on other days, 3rd October had a continual 24-hour period attack (with a short break in between) where 7.2 million registration attempts were made. The user agent used in the SIP messaging appeared to be from MGKsip release 1110. This attack intensity can be seen in Fig. 5.

Figure 5. Data IO Graph 3/10/2018 Attack

4.5. User Agents

During the 10 days the Honeypot ran, various user agents that appear to have been used by third parties to send messages to the system were observed.

Some of these were a combination of random letters and numbers, others were known user agents, desk phones or phone systems. The breakdown based on SIP Message type can be seen in Table 4.

TABLE 4. USER AGENTS DETECTED

Register
- Vaxsipuseragent/3.1
- MGKsip release 1110
- VoIPSIP V11.0.0
- Eyebeam
- FPBX

Invite
- Linksys-SPA924
- SIPCLI/V1.8 (some were V1.9)
- Pplsip
- voipxx
- Various random characters: ozazann,ozxcvfdf11

Option
- Friendly-scanner
- Avaya
- Cisco-sipgateway/IOS-12.X
- sipvicious

4.6. Unauthenticated Invite Attempts

It was observed that third parties were attempting to dial the PBX without prior authentication by sending Invites. Attackers usually attempted to call real phone numbers by trying different prefixes in front of the number. This concept is similar to that of dialling 9 for an outside line. Hundreds, if not thousands, of variations were observed for many of the numbers attempted. For example:

- 9[number]
- 900[number]
- *9[number]
- [number]

What is of interest is that almost all Invite messages were set up to appear to originate from the Honeypot IP address. For example, in the “from” header in the Invite, instead of it normally containing the origination number and IP of the device that generated the call, it would mostly be a valid extension on the PBX and the IP of the PBX. For example, [email protected]

In this experiment, the majority of call attempts (Invites) were to United Kingdom phone numbers, even though the United States had the most numbers. In total, calls were attempted to 25 different countries (26 if you include internal extensions). Table 5 shows in more detail the countries where different numbers were observed along with their corresponding percentage of call attempts based on individual calls (which can contain multiple Invites) being attempted.

Overall there were 58,215 Invite messages, but only 44,157 call attempts. On some occasions the Honeypot was sent the same Invite multiple times, but on many other occasions an attacker would attempt to send a call attempt without prior registering, the Honeypot would then reply with a “401 Unauthorised” SIP message, and the attacker would then send another Invite but this time with various credentials. Table 5 displays the percentage of these call attempts for each country.

TABLE 5. NUMBERS OBSERVED

Destination      Numbers observed   % of call attempts
United States    44                 4.2%
United 3%
Internal Ext.    5                  1.7%
Sweden           4                  0.4%
Russia           3                  0.1%
Other            22                 0.0%

What is of particular interest is call attempts to Poland, where these call attempts would use very long prefixes. Unlike other countries where there was potential logic for attempting to dial out (various combinations for 9 or 8 etc. for an outside line), in many cases, the prefixes were 6 or more numbers long.

Figure 6. Top countries where Invites originated from based on IP /24 Subnets

The countries where the Invites originated from, based on IP /24 subnets, are displayed in Fig. 6. Most Invites originated from France, followed by the United States.

5. Discussion of Results

The period covered by this experiment is 10 days. The experiment performed by Hoffstadt et al. (Essen Project) between late 2009 and early 2012 experienced 47.5 million SIP messages [14].

In contrast, our experiment has experienced just under 19 million SIP messages in only 10 days. This gives a mean average of 1.9 million messages per day. In 1 day alone (3rd October), over 7.2 million SIP messages were received, which is over 15% of what Essen witnessed across multiple locations combined over a 2-year period.

Based on our results, if this experiment ran for the same time period as that of the Essen experiment, it is expected to result in over 1.4 billion SIP messages. This represents a rate of attack 30 times more aggressive than in the Essen experiment. This view reinforces the trend observed by the CFCA that PBX hacking has increased significantly in recent years [3].

When a dictionary attack was being performed, the resources being consumed by the PBX were significant, which raises the question of whether a negative impact on service would be experienced by a business user or owner of a PBX that was being attacked. A large amount of upload bandwidth was consumed, at a rate of approximately 600Kbps.

For businesses that do not have a leased line and rely on ADSL, this could have significant consequences by reducing the quality of calls due to bandwidth constraints imposed by technologies and providers.
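The unauthenticated Invite pattern described in section 4.6 (a "from" header that claims the PBX's own address, and one number retried behind many dial prefixes) can be checked for mechanically. The following Python sketch is an added example, not code from the paper or from FreePBX; the PBX address, the thresholds, the finding labels and every sample message are constructed assumptions.

```python
import re
from collections import defaultdict

PBX_IP = "192.0.2.10"        # assumption: address of the monitored PBX (constructed)
SCANNER_AGENTS = ("friendly-scanner", "sipvicious")  # named in Table 4 of the paper
SUFFIX_LEN = 9               # assumption: trailing digits that identify the real number
MIN_VARIANTS = 3             # assumption: distinct prefixes before a source is flagged
# Captures the optional user part and the host of a sip:/sips: URI.
URI_RE = re.compile(r"sips?:(?:([^@;>\s]+)@)?([^:;>\s]+)", re.I)


def parse_sip(raw):
    """Parse one SIP request; return None for responses or non-SIP data."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    start = lines[0].split()
    if len(start) != 3 or not start[2].startswith("SIP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    uri = URI_RE.search(start[1])
    return {"method": start[0].upper(),
            "dialled": uri.group(1) if uri else None,
            "headers": headers}


def triage(src_ip, raw):
    """Return the findings for one request that arrived from src_ip."""
    msg = parse_sip(raw)
    if msg is None:
        return ["unparseable"]
    hdr = msg["headers"]
    findings = []
    agent = hdr.get("user-agent", "").lower()
    if any(name in agent for name in SCANNER_AGENTS):
        findings.append("scanner-user-agent")
    if msg["method"] == "INVITE":
        # Call attempt that carries no credentials at all.
        if "authorization" not in hdr and "proxy-authorization" not in hdr:
            findings.append("unauthenticated-invite")
        # From header names the PBX itself although the packet came from elsewhere.
        frm = URI_RE.search(hdr.get("from", hdr.get("f", "")))
        if frm and frm.group(2) == PBX_IP and src_ip != PBX_IP:
            findings.append("from-claims-pbx-address")
    return findings


def prefix_probes(events):
    """Map (source, number suffix) to the sorted dial prefixes tried from that source."""
    seen = defaultdict(set)
    for src_ip, raw in events:
        msg = parse_sip(raw)
        if msg and msg["method"] == "INVITE" and msg["dialled"]:
            number = msg["dialled"]
            if len(number) >= SUFFIX_LEN:
                seen[(src_ip, number[-SUFFIX_LEN:])].add(number[:-SUFFIX_LEN])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= MIN_VARIANTS}


def make_request(method, user, from_host, agent, auth=False):
    """Build a constructed SIP request for the demo (not captured traffic)."""
    lines = [f"{method} sip:{user}@{PBX_IP} SIP/2.0",
             f"Via: SIP/2.0/UDP {from_host}:5060;branch=z9hG4bK-demo",
             f"From: <sip:5001@{from_host}>;tag=demo",
             f"To: <sip:{user}@{PBX_IP}>",
             f"CSeq: 1 {method}",
             f"User-Agent: {agent}"]
    if auth:
        lines.append('Authorization: Digest username="5001", realm="asterisk"')
    return "\r\n".join(lines) + "\r\n\r\n"


ATTACKER = "198.51.100.23"   # constructed source address (documentation range)
NUMBER = "441632960123"      # constructed number in a UK range reserved for drama
SAMPLE = [(ATTACKER, make_request("INVITE", p + NUMBER, PBX_IP, "pplsip"))
          for p in ("9", "900", "*9", "")]
SAMPLE += [
    (ATTACKER, make_request("OPTIONS", "100", ATTACKER, "friendly-scanner")),
    ("203.0.113.5", make_request("INVITE", "5003", "203.0.113.5", "Eyebeam", auth=True)),
]

if __name__ == "__main__":
    for src, raw in SAMPLE:
        print(src, parse_sip(raw)["method"], triage(src, raw))
    print(prefix_probes(SAMPLE))
```

Because the paper notes that attackers resend the Invite with credentials after the 401 reply, the presence of an Authorization header only clears the "unauthenticated-invite" finding; it does not show that the call attempt is legitimate.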

In addition, 30% of the CPU was being consumed by these attacks, which could limit the call capacity of the PBX. Both would have the symptoms of audio breaks in the calls, also known as choppy calls.

A final consequence of the bandwidth being used in these attacks arises where businesses pay per GB of data transferred or have a monthly bandwidth quota. It is still common among business ADSL lines to have data quotas applied to a broadband line with additional fees applying for exceeding this threshold.

The large CPU resources being consumed by these attacks can be explained by the multiple processes that occur when a SIP message is received. Asterisk would receive a message and, if a Register or Invite was received, Asterisk would have to perform an SQL lookup in a database (to check credentials) and provide a reply while at the same time writing events to a log. Many PBX systems do not have an SSD, but a hard disk. If a basic PBX had to deal with this volume of connection attempts, then the PBX would most likely become overloaded or not be usable by a business due to IO constraints.

Unlike previous similar experiments, little to no Options were received. This could be because we have not specifically checked whether the research conclusions from Essen are still correct (i.e. the PBX is continually being sent Option SIP messages until the PBX responds and after responding, few further Options will be received).

As in previous studies from over 5 years ago [14,15], several user agents are still being used such as friendly-scanner and user agents with various random characters. Of interest though are user agents which give the impression of real, widely-used devices such as Avaya, Cisco-SIPGateway and Linksys-SPA942. This would suggest that attackers are either spoofing these user agent names or hardware has been compromised into some form of botnet.
This hardware is usually expensive, at the higher end of the market. The significant attack on the 3rd October appeared to originate from an attacker using MGKsip Release. This demonstrates that the approach taken during these attacks today has developed in sophistication compared to that seen in previous research [14,15].

Unlike other documented experiments, an actual PBX was used. Although the SIP process would remain the same, the metadata exchanged would contain information regarding the PBX which would give information about the software being used. This would lead an attacker to believe the system is genuine and a production system. This may partially explain why this experiment witnessed significantly more attacks.

Hoffstadt et al. concluded that not all attackers were involved in various stages of attack and potentially shared information with other attackers. Based on anecdotal evidence of physical hardware appearing to be involved in attacks, this could reinforce the idea that data is shared but via a botnet of infected machines. This concept is further discussed below.

During the Honeypot period, only a very small percentage ( 0.02%) of attempts successfully registered to any of the PBX extensions. On most days, when an attack was under way, different credentials were being attempted. On the 3rd October, all 7.2 million attempts used the same details. This could be explained by a botnet which is automated and, in this case, misconfigured, bu
