
SIP scans and ghost calls

(OP)
A customer with a BCM50 R6 and SIP trunks experienced a weird problem yesterday. He was receiving ghost calls on his SIP trunks with a caller ID of 1002 or 1004. All the ghost calls were ringing only his phone (2221) which is the prime set. I theorized that the scans were causing the SIP trunks to receive digits not programmed to any target lines, so these "calls" were all being redirected to the prime set. I had him blank out the prime set for each of his SIP trunks (001-004) and that stopped the ghost ringing. The customer looked at his router logs and saw an IP address in France was banging away on ports in the 5000-5100 range obviously looking for a way in to hack the SIP trunks. I suggested port forwarding all of the 5000 range ports except for 5060 and 5061 to an unused IP address on his LAN, for example 10.10.10.254. That caused the scans to quickly drop instead of causing the SIP trunks to hang for about 30 seconds before dropping. I also had him verify that SIP ALG was disabled.

My feeling is that these steps shouldn't be necessary if the router had a better firewall. My Netgear router drops all port scans like this. I just tested the range between 5000-5100 on my own router and it dropped the scans on every port. I have never experienced any ghost ringing on my SIP trunks aside from the time I was doing some testing and briefly put my BCM50 in the Netgear's DMZ. I then got the same ghost ringing and weird caller ID of 1002 and 1004.

Aside from getting a router with a more robust firewall, what other suggestions do you have to keep the VOIP hackers out of one's BCM?

Brian Cox
Georgia Telephone
http://Georgia-Telephone.com
http://www.linkedin.com/in/briancox1952

RE: SIP scans and ghost calls

Which router model do they have?

I can think of some things to try
-Enable SPI under Firewalls settings on the Router
-Change/Renew Public IP
-Restrict others or Allow only SIP carriers address
-Disable UPnP





________________________________________

Add me to LinkedIN


=----(((((((((()----=
www.curlycord.com
Toronto, CAN

RE: SIP scans and ghost calls

(OP)
I don't know the router model. It was getting late, so we will go into more detail when we talk today. He has a static IP address and wants to leave it that way. I've been reading this morning about ways to only allow SIP packets that come from the carrier's IP addresses. UPnP was already disabled.

Brian Cox
Georgia Telephone
http://Georgia-Telephone.com
http://www.linkedin.com/in/briancox1952

RE: SIP scans and ghost calls

Look up sipvicious. I've seen it happen to an IP Office using the monitor tool. We set up firewall rules to only allow port 5060 traffic to the VoIP SIP trunk provider and drop all others. We also only allow the specific UDP ports to the VoIP provider. That stopped it.

RE: SIP scans and ghost calls

In a nutshell, sipvicious tries to make a call; when it does, it then grabs your user name, and then the other part of it tries to hack the password of that user name.
Mine in the past had always dropped right away, maybe because it uses 2-digit Dest codes and it tries only 1.
I have had all 12 Gateway channels tied up several times.

Right now I am on a D-Link AC1900 DIR-878 Router with only port 7000 forwarded (for remote IP set) and both UPnP & SIP ALG are Disabled.





________________________________________

Add me to LinkedIN


=----(((((((((()----=
www.curlycord.com
Toronto, CAN

RE: SIP scans and ghost calls

(OP)
The only ports I have forwarded are 7000-7002 and the RTP (audio) ports for remote IP phones. UPnP and SIP ALG are disabled. The only time I ever saw my IP trunks tied up was in my early and uninformed days when I mistakenly had port 5060 forwarded to the BCM. Talk about a shitstorm! These creeps find you fast.

Brian Cox
Georgia Telephone
http://Georgia-Telephone.com
http://www.linkedin.com/in/briancox1952

RE: SIP scans and ghost calls

Interesting topic this is becoming. Can I jump in please to say that a few days ago I received a call via one of my SIP trunks that had a caller display of sipvicious, but I don't have port 5060 forwarded to the BCM system.

I do see on the BCM monitor random blank calls every 30 seconds and this is usually across the 1st 3 SIP trunks. I'm keeping a close eye on this through the CDR live tool.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = http://somertel.com
linkedin

RE: SIP scans and ghost calls

(OP)
I haven't been seeing these random "calls" on my SIP trunks, but I'm keeping a close watch. Nothing odd shows in the CDR log or BCM Monitor. It seems every router treats these SIP requests differently. I'm going to try to look into sipvicious more closely today.

Brian Cox
Georgia Telephone
http://Georgia-Telephone.com
http://www.linkedin.com/in/briancox1952

RE: SIP scans and ghost calls

(OP)
I have another SIP problem I've encountered the past couple of days. Random SIP trunk calls have been ringing my failover route (cell phone) without ever ringing my BCM50. After fighting with this all day, and even replacing the BCM50 and restoring a backup, I still had the same problem. I finally resorted to forwarding port 5060 to my BCM50 and calls rang in normally. Obviously I don't want to leave my system like this, but it did verify that it's a router issue. The firmware was updated on the router last week, so I started scouring the settings in my Netgear. I enabled SIP ALG, but no joy. I then saw a setting for secure NAT or open NAT. I changed it to open NAT and calls started ringing in normally. I'm not even sure what open NAT means, so I'm keeping a close eye on my router logs, and BCM50 alarm logs.

UPDATE: Open NAT option did not fix my problem. The only thing that works is forwarding port 5060 to the BCM50. The router is on a schedule that blocks this port (and most others) while I am asleep, but I'd like a more permanent solution. I'm looking into adding my SIP provider's IP addresses into iptables of the BCM50. My project for tomorrow.

Brian Cox
Georgia Telephone
http://Georgia-Telephone.com
http://www.linkedin.com/in/briancox1952

RE: SIP scans and ghost calls

Where is your fail over programmed?
Mine is controlled by my profile at my carriers website.

If for some reason the BCM cannot register or the carrier has issues then the fail over is activated.

Did you prove no registration or carrier issues?

----
Isn't semi retirement wonderful?
I also replaced my BCM today and was at it all day but to fix my old Scheduled Pages issue... Callpilot corruption or one of its settings interfering, but I am getting close.

________________________________________

Add me to LinkedIN


=----(((((((((()----=
www.curlycord.com
Toronto, CAN

RE: SIP scans and ghost calls

(OP)
The failover is programmed with my SIP provider. I never lose registration, but now incoming calls can't cross the NAT in my router after working almost flawlessly for 3 years. As I figured, once I opened up port 5060 I see the thieving hackers probing my BCM50. I think I can use iptables in the BCM50 to only allow SIP requests from my provider. I'll know more tomorrow. I also might try flashing back the firmware in my router to a version that didn't do this.

Brian Cox
Georgia Telephone
http://Georgia-Telephone.com
http://www.linkedin.com/in/briancox1952

RE: SIP scans and ghost calls

Are you currently on the 2 router setup?

________________________________________

Add me to LinkedIN


=----(((((((((()----=
www.curlycord.com
Toronto, CAN

RE: SIP scans and ghost calls

I was wondering if perhaps both were doing NAT when one shouldn't.
Is NAT omitted for one that is in DMZ?

Since you are forwarding 5060, try forwarding it to an unused IP address in your range.

________________________________________

Add me to LinkedIN


=----(((((((((()----=
www.curlycord.com
Toronto, CAN

RE: SIP scans and ghost calls

(OP)
It's not doing double NAT, if that's what you're asking. I've never had to forward port 5060 to make my SIP trunks work until now. I did roll back the firmware in the router and everything seemed to be working normally again without having port 5060 forwarded. When I got up yesterday I found the router had updated its firmware even though I had auto updates turned off. But my SIP trunks still worked fine all day. I had reported a couple of failed calls to the SIP provider and I suspect they tweaked something on their end without telling me. Maybe a failover timer or something different in the SIP headers. We'll see.

Brian Cox
Georgia Telephone
http://Georgia-Telephone.com
http://www.linkedin.com/in/briancox1952

RE: SIP scans and ghost calls

(OP)
Still working OK this morning. I did have a hacker flooding my BCM50 with SIP requests yesterday tying up all my SIP gateways at one point. I captured their IP address and reported them to their ISP, for what it's worth. Then I rebooted the router in order to grab a new public IP address. My provider allows using alternate SIP ports, so I changed mine and all is quiet ever since. I'm looking into getting a hardware firewall that will let me allow ONLY my SIP provider's IP addresses through port 5060. Any suggestions would be appreciated.

Brian Cox
Georgia Telephone
http://Georgia-Telephone.com
http://www.linkedin.com/in/briancox1952

RE: SIP scans and ghost calls

(OP)
Just an update. Still fun and games with the SIP hackers. I checked into using the iptables firewall built into the BCM50, but all of the kernel modules are missing. Basically Nortel disabled it so as to save a few bucks on maintaining and updating the software, I'm guessing. Since the firewall in my Netgear router is severely lacking, my plan is to set up a Raspberry Pi as a firewall/router to filter traffic in front of the BCM50. Using iptables in the Pi I can filter incoming traffic down to the packet level. Also, I can allow only SIP connections coming from my SIP provider's IP addresses. Be forewarned that consumer grade routers are insufficient in keeping the SIP hackers out of your BCMs.

Brian Cox
Georgia Telephone
http://Georgia-Telephone.com
http://www.linkedin.com/in/briancox1952

RE: SIP scans and ghost calls

I would have considered this to be a poor show on Avaya's part when they made SIP trunking more accessible at release 6.0 and allowed the remote worker feature.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = http://somertel.com
linkedin

RE: SIP scans and ghost calls

(OP)
Agreed. They left it up to the customer to secure the BCM when it is exposed to the Internet. Enabling even a scaled down version of iptables would have sufficed, although creating a GUI for it would be a formidable undertaking.

Brian Cox
Georgia Telephone
http://Georgia-Telephone.com
http://www.linkedin.com/in/briancox1952

RE: SIP scans and ghost calls

I have been racking my brain for a week on this as to what I did to stop it but cannot recall... something on the BCM or Router or maybe both.

________________________________________

Add me to LinkedIN


=----(((((((((()----=
www.curlycord.com
Toronto, CAN

RE: SIP scans and ghost calls

(OP)
curlycord, I've got my new Pi with a USB to ethernet dongle to add a second ethernet port. I struggled this morning figuring out how to bridge the 2 ports. I had to download bridging software for the Pi and edit the network interfaces config file to create the bridge. Finally I got it going. I have a SIP phone plugged into the dongle and it was able to find my other Pi running the Asterisk server and register. Now it's just a matter of configuring a few rules in iptables to block the SIP hackers and only allow the SIP providers' IP addresses to pass through the firewall. Then I'll plug my BCM50 in and see if it plays nicely.

I did tweak a setting in my BCM50 over the weekend for NAT pinhole maintenance. I think this sends out a signal every couple of minutes to tell the router to keep listening on port 5060 for incoming requests. I haven't had any failovers to my cell phone since I did that. I'd prefer not to port forward 5060 if at all possible.

Brian Cox
Georgia Telephone
http://Georgia-Telephone.com
http://www.linkedin.com/in/briancox1952

RE: SIP scans and ghost calls

(OP)
I finally had a breakthrough today. The iptables firewall is a bear to understand, and even more so when it involves bridging the ethernet ports. Some nice fellow posted a flowchart online showing how data packets traverse the iptables chains. That gave me a basis to map the path through the system and visualize exactly what was going on. I finally got it going by programming a new chain and then adding just a few rules that allow my SIP providers through, but drop all other connection attempts to the SIP port. I'll probably enhance the rules in time, but it's working well right now.

Brian Cox
Georgia Telephone
http://Georgia-Telephone.com
http://www.linkedin.com/in/briancox1952
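A rule set of the kind the post above describes (a dedicated chain that admits only the SIP providers' addresses and drops every other attempt on the SIP port), written as an added example rather than the poster's own configuration. It assumes a Raspberry Pi bridging its two ports with br_netfilter loaded so bridged frames pass through the iptables FORWARD chain; the provider addresses are constructed placeholders, and SIP_PORT can be set to the alternate port mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example, not the poster's actual rules. Assumes: a Pi bridging
# eth0 (router side) and eth1 (BCM side) as br0, with br_netfilter loaded
# (sysctl net.bridge.bridge-nf-call-iptables=1) so bridged traffic hits
# the FORWARD chain. Provider IPs are TEST-NET-3 placeholders.
SIP_PORT="${SIP_PORT:-5060}"
PROVIDER_IPS="${PROVIDER_IPS:-203.0.113.10 203.0.113.11}"
CHAIN="SIPGUARD"

# Emit the rule set as iptables commands, one per line, so it can be
# reviewed or diffed before anything is applied.
sip_rules() {
    echo "iptables -N $CHAIN"
    # Only the SIP carriers may reach the SIP port
    for ip in $PROVIDER_IPS; do
        echo "iptables -A $CHAIN -s $ip -j ACCEPT"
    done
    # Log a rate-limited sample of the scanners, then drop the rest
    echo "iptables -A $CHAIN -m limit --limit 6/min -j LOG --log-prefix \"SIPGUARD drop: \""
    echo "iptables -A $CHAIN -j DROP"
    # Send only SIP traffic crossing the bridge into the new chain
    echo "iptables -I FORWARD -p udp --dport $SIP_PORT -j $CHAIN"
    echo "iptables -I FORWARD -p tcp --dport $SIP_PORT -j $CHAIN"
}

# Number of rules generated: a quick sanity check before applying
sip_rule_count() { sip_rules | wc -l | tr -d ' '; }

# Apply for real only when running as root with iptables installed;
# otherwise just print the rules so nothing is changed by accident.
apply_sip_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "not root or iptables missing; printing rules instead" >&2
        sip_rules
        return 1
    fi
    sip_rules | sh -e
}
```

Run `sh -c '. ./sipguard.sh; apply_sip_rules'` as root on the Pi; anything from an address not in PROVIDER_IPS aimed at the SIP port is logged (rate-limited) and dropped, which is what stops the scanner-driven ghost calls from ever reaching the BCM.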

RE: SIP scans and ghost calls

Hacker!

________________________________________

Add me to LinkedIN


=----(((((((((()----=
www.curlycord.com
Toronto, CAN
