
SIP scans and ghost calls


exsmogger

Vendor
Oct 23, 2002
US
A customer with a BCM50 R6 and SIP trunks experienced a weird problem yesterday. He was receiving ghost calls on his SIP trunks with a caller ID of 1002 or 1004. All the ghost calls were ringing only his phone (2221) which is the prime set. I theorized that the scans were causing the SIP trunks to receive digits not programmed to any target lines, so these "calls" were all being redirected to the prime set. I had him blank out the prime set for each of his SIP trunks (001-004) and that stopped the ghost ringing. The customer looked at his router logs and saw an IP address in France was banging away on ports in the 5000-5100 range obviously looking for a way in to hack the SIP trunks. I suggested port forwarding all of the 5000 range ports except for 5060 and 5061 to an unused IP address on his LAN, for example 10.10.10.254. That caused the scans to quickly drop instead of causing the SIP trunks to hang for about 30 seconds before dropping. I also had him verify that SIP ALG was disabled.

My feeling is that these steps shouldn't be necessary if the router had a better firewall. My Netgear router drops all port scans like this. I just tested the range between 5000-5100 on my own router and it dropped the scans on every port. I have never experienced any ghost ringing on my SIP trunks aside from the time I was doing some testing and briefly put my BCM50 in the Netgear's DMZ. I then got the same ghost ringing and weird caller ID of 1002 and 1004.

Aside from getting a router with a more robust firewall, what other suggestions do you have to keep the VOIP hackers out of one's BCM?

Brian Cox
Georgia Telephone
 
Which router model do they have?

I can think of some things to try
-Enable SPI under Firewalls settings on the Router
-Change/Renew Public IP
-Restrict others or Allow only SIP carriers address
-Disable UPnP

________________________________________

=----(((((((((()----=
Toronto, CAN
 
I don't know the router model. It was getting late, so we will go into more detail when we talk today. He has a static IP address and wants to leave it that way. I've been reading this morning about ways to only allow SIP packets that come from the carrier's IP addresses. UPnP was already disabled.

Brian Cox
Georgia Telephone
 
Look up sipvicious. I've seen it happen to an IP office using the monitor tool. We set up firewall rules to only allow port 5060 traffic to the voip sip trunk provider and drop all others. We also only allow the specific UDP ports to the voip provider. That stopped it.
 
In a nutshell, sipvicious tries to make a call; when it does, it grabs your user name, then the other part of it tries to hack the password of that user name.
Mine in the past had always dropped right away, maybe because it uses 2-digit Dest codes and it tries only 1.
I have had all 12 Gateway channels tied up several times.

Right now I am on a D-Link AC1900 DIR-878 Router with only port 7000 forwarded (for remote IP set) and both UPnP & SIP ALG are disabled.
________________________________________

Toronto, CAN
 
The only ports I have forwarded are 7000-7002 and the RTP (audio) ports for remote IP phones. UPnP and SIP ALG are disabled. The only time I ever saw my IP trunks tied up was in my early and uninformed days when I mistakenly had port 5060 forwarded to the BCM. Talk about a shitstorm! These creeps find you fast.

Brian Cox
Georgia Telephone
 
Interesting topic this is becoming. Can I jump in please to say that a few days ago I received a call via one of my SIP trunks that had a caller display of sipvicious, but I don't have port 5060 forwarded to the BCM system.

I do see on the BCM monitor random blank calls every 30 seconds and this is usually across the 1st 3 SIP trunks. I'm keeping a close eye on this through the CDR live tool.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = linkedin
 
I haven't been seeing these random "calls" on my SIP trunks, but I'm keeping a close watch. Nothing odd shows in the CDR log or BCM Monitor. It seems every router treats these SIP requests differently. I'm going to try to look into sipvicious more closely today.

Brian Cox
Georgia Telephone
 
I have another SIP problem I've encountered the past couple of days. Random SIP trunk calls have been ringing my failover route (cell phone) without ever ringing my BCM50. After fighting with this all day, and even replacing the BCM50 and restoring a backup, I still had the same problem. I finally resorted to forwarding port 5060 to my BCM50 and calls rang in normally. Obviously I don't want to leave my system like this, but it did verify that it's a router issue. The firmware was updated on the router last week, so I started scouring the settings in my Netgear. I enabled SIP ALG, but no joy. I then saw a setting for secure NAT or open NAT. I changed it to open NAT and calls started ringing in normally. I'm not even sure what open NAT means, so I'm keeping a close eye on my router logs, and BCM50 alarm logs.

UPDATE: Open NAT option did not fix my problem. The only thing that works is forwarding port 5060 to the BCM50. The router is on a schedule that blocks this port (and most others) while I am asleep, but I'd like a more permanent solution. I'm looking into adding my SIP provider's IP addresses into iptables of the BCM50. My project for tomorrow.

Brian Cox
Georgia Telephone
 
Where is your failover programmed?
Mine is controlled by my profile at my carrier's website.

If for some reason the BCM cannot register or the carrier has issues then the failover is activated.

Did you prove no registration or carrier issues?

----
Isn't semi-retirement wonderful?
I also replaced my BCM today and was at it all day, but to fix my old Scheduled Pages issue... CallPilot corruption or one of its settings interfering, but I am getting close.
________________________________________

Toronto, CAN
 
The failover is programmed with my SIP provider. I never lose registration, but now incoming calls can't cross the NAT in my router after working almost flawlessly for 3 years. As I figured, once I opened up port 5060 I see the thieving hackers probing my BCM50. I think I can use iptables in the BCM50 to only allow SIP requests from my provider. I'll know more tomorrow. I also might try flashing back the firmware in my router to a version that didn't do this.

Brian Cox
Georgia Telephone
 
I was wondering if perhaps both were doing NAT when one shouldn't.
Is NAT omitted for one that is in the DMZ?

Since you are forwarding 5060, try forwarding it to an unused IP address in your range.
________________________________________

Toronto, CAN
 
It's not doing double NAT, if that's what you're asking. I've never had to forward port 5060 to make my SIP trunks work until now. I did roll back the firmware in the router and everything seemed to be working normally again without having port 5060 forwarded. When I got up yesterday I found the router had updated its firmware even though I had auto updates turned off. But my SIP trunks still worked fine all day. I had reported a couple of failed calls to the SIP provider and I suspect they tweaked something on their end without telling me. Maybe a failover timer or something different in the SIP headers. We'll see.

Brian Cox
Georgia Telephone
 
Still working OK this morning. I did have a hacker flooding my BCM50 with SIP requests yesterday tying up all my SIP gateways at one point. I captured their IP address and reported them to their ISP, for what it's worth. Then I rebooted the router in order to grab a new public IP address. My provider allows using alternate SIP ports, so I changed mine and all is quiet ever since. I'm looking into getting a hardware firewall that will let me allow ONLY my SIP provider's IP addresses through port 5060. Any suggestions would be appreciated.

Brian Cox
Georgia Telephone
 
Just an update. Still fun and games with the SIP hackers. I checked into using the iptables firewall built into the BCM50, but all of the kernel modules are missing. Basically Nortel disabled it so as to save a few bucks on maintaining and updating the software, I'm guessing. Since the firewall in my Netgear router is severely lacking, my plan is to set up a Raspberry Pi as a firewall/router to filter traffic in front of the BCM50. Using iptables in the Pi I can filter incoming traffic down to the packet level. Also, I can allow only SIP connections coming from my SIP provider's IP addresses. Be forewarned that consumer grade routers are insufficient in keeping the SIP hackers out of your BCMs.

Brian Cox
Georgia Telephone
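The carrier-only filtering described earlier in the thread (allow port 5060 only from the VoIP provider, drop everything else) and planned above for a Raspberry Pi in front of the BCM50, written out as an added example; this is not code from the thread, from Nortel/Avaya or from any router vendor. It assumes a Linux box running iptables that forwards traffic to the BCM; the interface name, BCM address, RTP range and carrier addresses are constructed placeholders to replace with real values.

```shell
#!/bin/sh
# Added example (not from the thread): carrier-only SIP allowlist for a Linux
# router, e.g. a Raspberry Pi, sitting in front of a BCM50.
# Every address, interface and port range below is a constructed placeholder.
set -eu

IPT=${IPT:-iptables}                 # set IPT=echo to print the rules instead of applying them
WAN=${WAN:-eth0}                     # interface facing the consumer router / Internet
BCM_IP=${BCM_IP:-10.10.10.20}        # constructed: LAN address of the BCM50
SIP_PORT=${SIP_PORT:-5060}           # use the alternate port if the carrier offers one
RTP_PORTS=${RTP_PORTS:-28000:28511}  # constructed: UDP range the BCM uses for audio

# sip_allowlist "IP [IP ...]": only the listed carrier addresses (or CIDRs) may
# send SIP signalling and RTP to the BCM; everything else is logged and dropped.
sip_allowlist() {
    # Dedicated chain, flushed on re-run so the script is idempotent.
    "$IPT" -N SIP_IN 2>/dev/null || "$IPT" -F SIP_IN
    # Send all WAN traffic destined for the BCM through that chain (add the jump once).
    "$IPT" -C FORWARD -i "$WAN" -d "$BCM_IP" -j SIP_IN 2>/dev/null || \
        "$IPT" -I FORWARD 1 -i "$WAN" -d "$BCM_IP" -j SIP_IN
    # Replies to sessions the BCM started itself (registration, outbound calls).
    "$IPT" -A SIP_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for src in $1; do
        "$IPT" -A SIP_IN -s "$src" -p udp --dport "$SIP_PORT" -j ACCEPT
        "$IPT" -A SIP_IN -s "$src" -p tcp --dport "$SIP_PORT" -j ACCEPT
        # Media often comes from the carrier's media gateways, which may use
        # different addresses than the SIP proxy; list those addresses too.
        "$IPT" -A SIP_IN -s "$src" -p udp --dport "$RTP_PORTS" -j ACCEPT
    done
    # Rate-limited log line for the router logs, then a silent DROP (not REJECT),
    # so scanners such as sipvicious get no answer at all and time out.
    "$IPT" -A SIP_IN -m limit --limit 6/min -j LOG --log-prefix "SIP-PROBE "
    "$IPT" -A SIP_IN -j DROP
}

# Usage: SIP_CARRIERS="203.0.113.10 203.0.113.11" sh sip_allowlist.sh
if [ -n "${SIP_CARRIERS:-}" ]; then
    sip_allowlist "$SIP_CARRIERS"
fi
```

Run it once with `IPT=echo` to review the generated rules before applying them as root, and remember to re-run it whenever the carrier publishes new proxy or media addresses.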
 
I would consider this to be a poor show on Avaya's part when they made SIP trunking more accessible at release 6.0 and allowed the remote worker feature.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = linkedin
 