Dozens of Allworx systems froze last night

[kellenw]

Same thing happened to our 6x in Stealth Mode on April 8th sometime between 1:30-2:30AM CST. I had to go into the office and power cycle the system as I was unable to get into it remotely or through our terminal server on the office LAN. My first power cycle did not bring it back up, but a second one did. I stayed at the office until about 6:00AM to see if it would happen again, but it didn't... and hasn't happened again since.

Anyone have any more info about what the heck happened? Crazy.

[lpie]

Allworx has issued a security bulletin in the allworx portal, they are working on a patch.

I've been monitoring the systems that were affected and they are still being targeted by the same attack as they were before.

[kellenw]

Hi lpie,

Thanks for the update. Any particular ports or services the attack is targeting?

[doom1701]

We've been taken down 3 times in the past month; didn't really start putting two and two together until today's outage and we realized it was most likely a DoS attack. We are rolling out the latest patch on Wednesday to all 4 of our systems, but I want to do a little preventative work as well. If anyone is aware of what ports are being targeted, I'd appreciate reviewing the list. I've read the post on the forum regarding SMTP attacks, and we're investigating turning that off, since we don't do any email delivery into the systems, only outbound.

[lpie]

Hi lpie,

Thanks for the update. Any particular ports or services the attack is targeting?

The system events and security bulletin does not show any particular ports which sucks, but allworx has released software 7.6 and it appears as the software can be downloaded for the servers that do not have the software upgrade license.

Release 7.6 Software increases the geographic reach of Allworx products by adding flexibility to its customizable dial plan and improved Session Initiation Protocol (SIP) messaging and web administration. Release 7.6 continues to show how Allworx is the easiest phone system in the marketplace to program and manage.

[ChrisHarvey]

Interestingly enough our 6X went down on the April 17th, which we simply thought it was hung but after every reboot it would run for a few minutes before hanging again. It seemed to last 2-3 hours before it mysteriously stopped happening, I did notice the IP that seemed to be hitting the 6x was originating from Amsterdam. We have had other unexplainable AllWorx issues such as this with customers, has anyone confirmed this as a DoS attack on the carriers SIP network or something else?

[lpie]

Interestingly enough our 6X went down on the April 17th, which we simply thought it was hung but after every reboot it would run for a few minutes before hanging again. It seemed to last 2-3 hours before it mysteriously stopped happening, I did notice the IP that seemed to be hitting the 6x was originating from Amsterdam. We have had other unexplainable AllWorx issues such as this with customers, has anyone confirmed this as a DoS attack on the carriers SIP network or something else?

I do not think this is a Carrier specific attack, i believe it is directed towards allworx systems simply because our customers have lost phones only, data side was untouched and working. Allworx is not going to admit to it for obvious reasons, they will release fixes and patches that will block future attacks. When i contacted our channel manager from allworx he was playing stupid and telling me that this is an ISP DDoS.
Other systems that we sell and install already have such measures but none of them are perfect.

To resolve these DDoS attacks i have implemented a small firewall before allworx WAN connection and all of the issues went away.

[lpie]

FYI from Allworx

New Server Software Now Available
7.3.16.4, 7.4.19.2, 7.5.15.2 and 7.6.6.5

Updated software releases 7.4.19.2, 7.5.15.2 and 7.6.6.5 are available on the portal for immediate download. This update contains important security enhancements relating to security advisory bulletin: 20140415-Malformed-TCP security advisory. Release 7.4.19.2 DOES NOT require a software upgrade license key to upgrade. 7.3.16.4 is also available. 7.3.16.4 also does not require an upgrade license, and is specifically designed to allow a server to upgrade to 7.3.16.4, and once upgraded to allow a further upgrade to 7.4.19.2.

Release 7.6.6.5 offers an additional enhancement where handset preference groups can be created to allow LCD phone prompts to be displayed in French or Spanish. This feature is supported using the existing dual language key.

Among the many enhancements offered to customers with 7.4.19.2 is the public safety enhancement of having the ability to directly dial 911 from any handset without having to dial a prefix digit of “9”. Allworx strongly encourages all customers to take advantage of this opportunity to upgrade to 7.4.19.2 at this time to enable this important safety-related feature.