
SIP scans and ghost calls


exsmogger

Vendor
Oct 23, 2002
5,243
US
A customer with a BCM50 R6 and SIP trunks experienced a weird problem yesterday. He was receiving ghost calls on his SIP trunks with a caller ID of 1002 or 1004. All the ghost calls were ringing only his phone (2221) which is the prime set. I theorized that the scans were causing the SIP trunks to receive digits not programmed to any target lines, so these "calls" were all being redirected to the prime set. I had him blank out the prime set for each of his SIP trunks (001-004) and that stopped the ghost ringing. The customer looked at his router logs and saw an IP address in France was banging away on ports in the 5000-5100 range obviously looking for a way in to hack the SIP trunks. I suggested port forwarding all of the 5000 range ports except for 5060 and 5061 to an unused IP address on his LAN, for example 10.10.10.254. That caused the scans to quickly drop instead of causing the SIP trunks to hang for about 30 seconds before dropping. I also had him verify that SIP ALG was disabled.

My feeling is that these steps shouldn't be necessary if the router had a better firewall. My Netgear router drops all port scans like this. I just tested the range between 5000-5100 on my own router and it dropped the scans on every port. I have never experienced any ghost ringing on my SIP trunks aside from the time I was doing some testing and briefly put my BCM50 in the Netgear's DMZ. I then got the same ghost ringing and weird caller ID of 1002 and 1004.

Aside from getting a router with a more robust firewall, what other suggestions do you have to keep the VOIP hackers out of one's BCM?

Brian Cox
Georgia Telephone
 
I have been racking my brain for a week on this as to what I did to stop it but cannot recall... something on the BCM or router or maybe both.

________________________________________



=----(((((((((()----=
Toronto, CAN
 
curlycord, I've got my new Pi with a USB-to-Ethernet dongle to add a second Ethernet port. I struggled this morning figuring out how to bridge the 2 ports. I had to download bridging software for the Pi and edit the network interfaces config file to create the bridge. Finally I got it going. I have a SIP phone plugged into the dongle and it was able to find my other Pi running the Asterisk server and register. Now it's just a matter of configuring a few rules in iptables to block the SIP hackers and only allow the SIP providers' IP addresses to pass through the firewall. Then I'll plug my BCM50 in and see if it plays nicely.

I did tweak a setting in my BCM50 over the weekend for NAT pinhole maintenance. I think this sends out a signal every couple of minutes to tell the router to keep listening on port 5060 for incoming requests. I haven't had any failovers to my cell phone since I did that. I'd prefer not to port forward 5060 if at all possible.

Brian Cox
Georgia Telephone
 
I finally had a breakthrough today. The iptables firewall is a bear to understand, and even more so when it involves bridging the Ethernet ports. Some nice fellow posted a flowchart online showing how data packets traverse the iptables chains. That gave me a basis to map the path through the system and visualize exactly what was going on. I finally got it going by programming a new chain and then adding just a few rules that allow my SIP providers through, but drop all other connection attempts to the SIP port. I'll probably enhance the rules in time, but it's working well right now.

Brian Cox
Georgia Telephone
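One way to express the chain described in the post above, as an added example that is not code from this thread: a script that prints the iptables commands for a custom chain admitting SIP signalling only from listed provider addresses and dropping everything else sent to the SIP port, so the rule set can be reviewed before it is applied on the bridging Pi. The chain name and provider addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an allow-list chain for SIP
# signalling on a Linux bridge such as the Pi described above.
SIP_PORT=5060
SIP_CHAIN=SIP_IN                      # constructed chain name
# Constructed placeholder addresses; replace with the real trunk provider IPs.
SIP_PROVIDERS="198.51.100.10 203.0.113.0/24"

# Print (do not run) the iptables commands for the given provider list.
# Order matters: ACCEPT rules must precede the final DROP.
sip_rules() {
    providers="$1"
    echo "iptables -N $SIP_CHAIN"
    # Replies to the BCM's own outbound REGISTER/INVITE traffic are part of
    # an existing flow, so let conntrack pass them regardless of source.
    echo "iptables -A $SIP_CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $providers; do
        echo "iptables -A $SIP_CHAIN -s $p -j ACCEPT"
    done
    # Log a rate-limited sample of scanner traffic before dropping it, which
    # gives the same visibility the router logs gave in the first post.
    echo "iptables -A $SIP_CHAIN -m limit --limit 5/min -j LOG --log-prefix \"SIP-DROP: \""
    echo "iptables -A $SIP_CHAIN -j DROP"
    # Bridged frames pass through FORWARD, not INPUT. This only works when
    # br_netfilter is loaded (sysctl net.bridge.bridge-nf-call-iptables=1).
    echo "iptables -A FORWARD -p udp --dport $SIP_PORT -j $SIP_CHAIN"
    echo "iptables -A FORWARD -p tcp --dport $SIP_PORT -j $SIP_CHAIN"
}

# Review the generated rules; once satisfied, pipe them into sh as root.
sip_rules "$SIP_PROVIDERS"
```

Run the printed commands as root only after checking that the provider list matches the trunk registrar and media addresses, otherwise the trunks will fail to register.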
 