@Ambro wrote:
Hello,
I'm new to the FreePBX community and just recently configured my own server, and in testing IVR behaviors I noticed something that I couldn't find an immediate way to address. The issue I'm referring to is in regard to how a robot or human can essentially hunt for valid extensions by performing a timing-based brute force.
This is how it operates. You have an IVR set up that will prompt a user for a valid extension before forwarding the call to the appropriate party. When the user presses keys that are not associated with a valid extension prefix, they are prompted with an almost instantaneous message, "Invalid entry, please try again." Now, if the caller starts cycling through the numbers, eventually they will hit a number that introduces a slight 2-3 second pause before reporting back that the entry was invalid. This inherent nature of how the IVR system operates makes it vulnerable to timing analysis. This probing provides the attacker with the first valid number of the extension; it is then repeated for the subsequent numbers, and eventually the attacker will land at a valid extension. I realize that this is likely not new news to anyone, but I wanted to reach out to the community to determine whether or not there was a way to mitigate this. I'm also aware that trying all of the available numbers ((4) digits in my case) will eventually lead to a valid extension that rings, but using the method above will allow anyone the ability to discover valid extensions much faster than a traditional brute force.
Has anyone else come across this and if so, what have you done to mitigate this?
Thank you.
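To make the side channel in the post concrete, here is an added Python model of the behaviour described (it is not FreePBX or Asterisk code, and the extension numbers and the 2.5 s inter-digit timeout are constructed values). `leaky_invalid_delay` reproduces the timing difference the post describes; `padded_invalid_delay` is the mitigation idea of padding every invalid response up to the same fixed delay, and `timing_leak` is the check a defender can run to confirm the two cases are no longer distinguishable by time alone.

```python
"""Model of an IVR extension lookup that leaks valid prefixes through
response timing, beside a padded variant that does not.
Constructed example; not FreePBX code."""

# Constructed sample extension directory (hypothetical numbers).
VALID_EXTENSIONS = frozenset({"2041", "2377", "3105"})

# Time the IVR waits for further digits before giving up, in seconds
# (assumed value, matching the 2-3 second pause described in the post).
INTERDIGIT_TIMEOUT = 2.5


def could_become_valid(entry: str) -> bool:
    """True if some valid extension starts with the digits entered so far."""
    return any(ext.startswith(entry) for ext in VALID_EXTENSIONS)


def leaky_invalid_delay(entry: str) -> float:
    """Seconds before 'Invalid entry' is played, as the post describes it.

    A partial entry that is the prefix of a real extension keeps the IVR
    waiting for more digits until the inter-digit timeout expires; any other
    entry is rejected at once. The delay therefore reveals whether the prefix
    is live.
    """
    if entry in VALID_EXTENSIONS:
        raise ValueError("entry is a valid extension; the call would ring")
    return INTERDIGIT_TIMEOUT if could_become_valid(entry) else 0.0


def padded_invalid_delay(entry: str) -> float:
    """Mitigated variant: every invalid entry waits the same fixed time.

    The fast reject path is padded up to the slow path, so the delay no
    longer depends on whether the digits matched a prefix. The cost is that
    every mistyped entry now takes the full timeout before the prompt.
    """
    return max(leaky_invalid_delay(entry), INTERDIGIT_TIMEOUT)


def timing_leak(delay_fn, entries) -> set:
    """Defender's check: the set of distinct delays observed across entries.

    More than one value means a caller could tell the entries apart by
    timing alone; a single value means the channel is closed.
    """
    return {delay_fn(e) for e in entries}


# The first-digit probes the post describes: one key press each.
FIRST_DIGITS = [str(d) for d in range(10)]

if __name__ == "__main__":
    print("leaky :", timing_leak(leaky_invalid_delay, FIRST_DIGITS))
    print("padded:", timing_leak(padded_invalid_delay, FIRST_DIGITS))
```

Running it shows the leaky lookup producing two distinct delays (0.0 s and 2.5 s) across the ten first-digit probes, while the padded lookup produces only one. In a real PBX the padding would have to be applied wherever the IVR decides to play the invalid prompt; the post does not say how FreePBX exposes that, so the model stops at the principle.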