
idbit

join:2008-12-04
Florida

Receiving calls from name/number 100 that don't get logged

Every now and then, I'll receive a call on my 2 month old VOIP account with voip.ms. The caller ID will show name and number of 100. The weird thing is that the phone just rings and never stops ringing. Normally, the voicemail will pickup after 20 seconds, as I have it set in my voip.ms setup. Busy, Unreachable, No Answer - all go to voicemail. But these calls never go to voicemail. If I wasn't there to hit the Reject button, it would ring all day. When I do answer, there is nothing on the other end. You can normally tell if someone is sitting there silent. This isn't like that. It's just a blank phone call.

The other weird thing is that the calls don't show up in my voip.ms call logs. All of my other calls are in the logs - whether answered or unanswered. But the calls from 100 don't appear at all. Now I'm getting calls from number 99 as well - cnam says Mylo. These calls from 99 do the same thing - ring forever until I hit Reject, never appear in my call logs.

Any ideas what this could be?

Thanks.
IB


Stewart

join:2005-07-13
kudos:19

1 recommendation

Those calls are sent directly to your SIP device's IP address, from automated scanning tools, by hackers looking for PBX systems to break into. They do not pass through VoIP.ms at all.

You can get rid of nearly all of them by changing the local SIP port on your device from 5060 to something else, e.g. 5070. If you had to forward UDP port 5060 in your router, forward the new port instead.

Note that you are not changing the port to which you are connecting on the VoIP.ms server, just the port on which your device is listening. If you can't find the setting for that, post what kind of IP phone or ATA you are using.



cb14

join:2013-02-04
Miami Beach, FL

1 recommendation

reply to idbit

There has been an extensive discussion of this issue on Obitalk forum.


idbit

join:2008-12-04
Florida
reply to Stewart

said by Stewart:

Those calls are sent directly to your SIP device's IP address, from automated scanning tools, by hackers looking for PBX systems to break into. They do not pass through VoIP.ms at all.

You can get rid of nearly all of them by changing the local SIP port on your device from 5060 to something else, e.g. 5070. If you had to forward UDP port 5060 in your router, forward the new port instead.

Note that you are not changing the port to which you are connecting on the VoIP.ms server, just the port on which your device is listening. If you can't find the setting for that, post what kind of IP phone or ATA you are using.

Thanks Stewart. I have a Yealink phone. It has 3 different items that are set at port 5060: SIP Server, Outbound Proxy Server, Backup Outbound Proxy Server. SIP server setting says "SIP Server address provided by ISP". So I can just change that to anything I want? FWIW, the Yealink is connected straight to cable modem and I'm using the Yealink's router to feed my computer. I want to make sure I don't interfere with that.

I wonder how they found out my IP was feeding a SIP phone? Plus if there is anything they can really do? I really don't mind the calls. I can just put them on my blacklist and I won't hear the phone ring. Plus I won't get charged since they don't go thru voip.ms. Is there any threat of them hacking into my SIP phone?

idbit

join:2008-12-04
Florida
reply to cb14

said by cb14:

There has been an extensive discussion of this issue on Obitalk forum.

Thanks CB14. Here's a thread I found there: »www.obitalk.com/forum/index.php?topic=4067.0

conwaytwt
Premium
join:2004-04-09
Conway, AR
Reviews:
·Conway Corp.

1 recommendation

reply to idbit

said by idbit:

I won't get charged since they don't go thru voip.ms. Is there any threat of them hacking into my SIP phone?

I would think it is risky if your SIP phone's administrative interface is at all "visible" to the outside world.

Many SIP devices have a way to "lock" onto a particular IP address and ignore the random SIP call from unknown IP addresses, so unless you have a reason to WANT folks to connect directly to your phone I would turn that feature on, and/or tighten down the setup in your router.

If you have configured your phone (or anything else in your network) in a DMZ or otherwise opened your network to the unfiltered Internet, then it is inherently open to abuse from the outside.

idbit

join:2008-12-04
Florida

said by conwaytwt:

said by idbit:

I won't get charged since they don't go thru voip.ms. Is there any threat of them hacking into my SIP phone?

I would think it is risky if your SIP phone's administrative interface is at all "visible" to the outside world.

If you have configured your phone (or anything else in your network) in a DMZ or otherwise opened your network to the unfiltered Internet, then it is inherently open to abuse from the outside.

Well when I run a Shieldsup! scan, all ports are closed. But if I have the phone's Webserver enabled, then ports 80 (http) and 443 (https) stay wide open. That's why I keep the Webserver disabled and just use the phone for config settings.

said by conwaytwt:

Many SIP devices have a way to "lock" onto a particular IP address and ignore the random SIP call from unknown IP addresses, so unless you have a reason to WANT folks to connect directly to your phone I would turn that feature on, and/or tighten down the setup in your router.

Man, there are so many things you can set on this phone. I have no idea what it's called. I think I should be okay though if I just keep the ports 80 and 443 closed. Thanks!

Stewart

join:2005-07-13
kudos:19
reply to idbit

I believe that Accounts --> advanced --> Local SIP Port is the setting to change on a Yealink.



Trev
IP Telephony Addict
Premium
join:2009-06-29
Victoria, BC
kudos:5
reply to idbit

said by idbit:

Well when I run a Shieldsup! scan, all ports are closed. But if I have the phone's Webserver enabled, then ports 80 (http) and 443 (https) stay wide open. That's why I keep the Webserver disabled and just use the phone for config settings.

Sounds to me like you put your phone in the DMZ. That's a very bad idea, for exactly the reason you just stated.
--
I represent AcroVoice, a full service Canadian VoIP Provider.
Buy your Obihai ATA shipped from within Canada.

grand total

join:2005-10-26
Mississauga
kudos:2
Reviews:
·Anveo

said by Trev:

Sounds to me like you put your phone in the DMZ. That's a very bad idea, for exactly the reason you just stated.

The OP stated that the phone is connected directly to his modem. He uses the router built in to the phone to feed his local network.

@idbit - If I were you I would buy a decent VoIP compatible router and connect that to your modem, then connect the phone and your computer to the router.
--
DPC3825 (bridged mode) - WRT610N + Tomato - Panasonic KX-TGP500 - Asterisk 11.0.2 on Virtual Server
Anveo - FreePhoneLine - Voxbeam - Numbergroup - Callcentric - VoIP.MS - Localphone - UKDDI


lacibaci

join:2000-04-10
Export, PA
reply to idbit

You can help by replying to the following topic:

OBi, please help us defeat SIP scanners/spammers
»www.obitalk.com/forum/index.php?topic=4873.0


idbit

join:2008-12-04
Florida
reply to grand total

said by grand total:

said by Trev:

Sounds to me like you put your phone in the DMZ. That's a very bad idea, for exactly the reason you just stated.

The OP stated that the phone is connected directly to his modem. He uses the router built in to the phone to feed his local network.

@idbit - If I were you I would buy a decent VoIP compatible router and connect that to your modem, then connect the phone and your computer to the router.

Yeah, that's what I need to do. I guess it doesn't pay to be cheap.

Here's something I never thought of. Does the Yealink sit behind its own router? It seems like it would have to, right? Dang, I can't believe I never even thought about that until now.


StillLearn
Premium
join:2002-03-21
Streamwood, IL
Reviews:
·AT&T Midwest

said by idbit:

said by grand total:

@idbit - If I were you I would buy a decent VoIP compatible router and connect that to your modem, then connect the phone and your computer to the router.

Yeah, that's what I need to do. I guess it doesn't pay to be cheap.

I would expect that the reason that most people who would use a router built into a phone or OBi202 would be to give the SIP traffic first dibs on the bandwidth.

I have read this topic with interest and partial understanding. I work behind a NAT router.
•Does that protect me from SIP phone port scanners and scammers?
•How do the legitimate providers connect to me to let me know of an incoming call?

grand total

join:2005-10-26
Mississauga
kudos:2
Reviews:
·Anveo

said by StillLearn:

•Does that protect me from SIP phone port scanners and scammers?
•How do the legitimate providers connect to me to let me know of an incoming call?

Yes, if you do not forward ports to your device you are protected from port scanners.

Your device registers with your provider and in doing so tells your provider where to send your calls. There is a second part to this, you must also send small packets frequently to your provider to keep a temporary hole in your firewall open, so that when your provider has a call for you it is able to reach your device and is not blocked by your firewall.
--
DPC3825 (bridged mode) - WRT610N + Tomato - Panasonic KX-TGP500 - Asterisk 1.8.10 on Virtual Server
Anveo - FreePhoneLine - Voxbeam - Numbergroup - Callcentric - VoIP.MS - Localphone - UKDDI

zapattack

join:2012-07-02
CANADA
reply to idbit

Voip.MS supports ports 26999 and 36999 for Proxy Server, Outbound Proxy and Registrar Server. They do not have to all match.


Stewart

join:2005-07-13
kudos:19

said by zapattack:

Voip.MS supports ports 26999 and 36999 for Proxy Server, Outbound Proxy and Registrar Server. They do not have to all match.

That is a way to work around buggy routers, firewall and ISP restrictions, etc., but is not relevant to this thread.

The security of the user's device depends only on the local port number at his end, and the extent that port is exposed by his router / firewall.


StillLearn
Premium
join:2002-03-21
Streamwood, IL
Reviews:
·AT&T Midwest
reply to grand total

said by grand total:

Yes, if you do not forward ports to your device you are protected from port scanners.

Thanks. That's a relief. And thanks for the other info too.

zapattack

join:2012-07-02
CANADA
reply to Stewart

If scanners hit 5060 and you do not use local port 5060, then how can you be scanned?


grand total

join:2005-10-26
Mississauga
kudos:2
Reviews:
·Anveo

said by zapattack:

If scanners hit 5060 and you do not use local port 5060, then how can you be scanned?

You can't. But, I suppose, if enough people stop using 5060 then the scanners will start looking for other ports.

lilarry
Premium
join:2010-04-06
reply to idbit

Grandstream has recommended settings to eliminate this problem. They seem to be working well with Voip.ms. Depending on the device they include "Check SIP User ID for INVITE", "Validate Incoming Messages" and "Allow Incoming SIP messages from SIP Proxy Only". Your device may have similar settings. Look here (and scroll down to bottom of page): »www.grandstream.com/support/faq/···shooting
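
The two checks that settings such as "Allow Incoming SIP messages from SIP Proxy Only" and "Check SIP User ID for INVITE" describe can be sketched as follows. This is an added example, not part of the thread and not Grandstream's or Yealink's firmware logic; the proxy address, SIP user ID and sample messages are constructed for illustration.

```python
import ipaddress
import re

# Constructed values for illustration (documentation address ranges).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]  # provider's SIP proxy (assumed)
SIP_USER_ID = "123456_home"                                  # account's SIP user ID (assumed)

REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+) sips?:(?:(?P<user>[^@;\s]+)@)?[^;\s]+\S* SIP/2\.0$")

def make_request(method, user, host):
    """Build a minimal constructed SIP request for the samples below."""
    return (f"{method} sip:{user}@{host} SIP/2.0\r\n"
            f"From: \"100\" <sip:100@{host}>;tag=1\r\n"
            f"To: <sip:{user}@{host}>\r\n"
            f"Call-ID: constructed-1\r\nCSeq: 1 {method}\r\nContent-Length: 0\r\n\r\n")

def decide(raw, src_ip):
    """Return 'accept' or a 'drop: ...' reason for one inbound SIP request."""
    first_line = raw.split("\r\n", 1)[0]
    m = REQUEST_LINE.match(first_line)
    if m is None:
        return "drop: malformed request line"
    addr = ipaddress.ip_address(src_ip)
    # Rule 1: only the proxy we registered with may send us SIP at all.
    if not any(addr in net for net in TRUSTED_PROXIES):
        return "drop: source is not the registered proxy"
    # Rule 2: an INVITE must be addressed to our own SIP user ID.
    if m.group("method") == "INVITE" and m.group("user") != SIP_USER_ID:
        return "drop: request URI user does not match SIP user ID"
    return "accept"

# Constructed samples: a direct-to-IP probe, a real call, and a mis-addressed INVITE.
SAMPLES = [
    (make_request("INVITE", "100", "198.51.100.7:5060"), "192.0.2.55"),
    (make_request("INVITE", SIP_USER_ID, "198.51.100.7:5060"), "203.0.113.10"),
    (make_request("INVITE", "100", "198.51.100.7:5060"), "203.0.113.10"),
]

def run_samples():
    return [decide(raw, src) for raw, src in SAMPLES]

if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

The first sample is the kind of call described at the top of the thread: it arrives straight from an unrelated address, so it is dropped before the phone would ring.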



StillLearn
Premium
join:2002-03-21
Streamwood, IL
Reviews:
·AT&T Midwest

1 edit
reply to StillLearn

said by StillLearn:

said by grand total:

Yes, if you do not forward ports to your device you are protected from port scanners.

Thanks. That's a relief. And thanks for the other info too.

It turns out that being behind a NAT router without port forwarding or DMZ is not sufficient to stop the probe from ringing your box. I have just implemented one of the other measures.

grand total

join:2005-10-26
Mississauga
kudos:2
Reviews:
·Anveo

said by StillLearn:

It turns out that being behind a NAT router without port forwarding or DMZ is not sufficient to stop the probe from ringing your box. I have just implemented one of the other measures.

Yes, I recently learnt that's true for some routers. Sorry for my misleading answer.
--
DPC3825 (bridge mode) - WRT610N + Tomato - Panasonic KX-TGP500 - Asterisk 1.8.10.1 on a Virtual Server
Anveo - FreePhoneLine - Voxbeam - Numbergroup - Callcentric - VoIP.ms - Localphone - UKDDI

Mango
What router are you using?

join:2008-12-25
www.toao.net
kudos:11

StillLearn's router must use Full-cone NAT, correct?

Is there an easy way to test what type of NAT a router uses?
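
Why the NAT type matters here, as an added example that is not part of the thread: a toy model of the mapping a phone's registration and keep-alive packets create, and of which inbound packets each NAT type then lets through. The addresses are constructed, and the model assumes the router keeps the phone's source port as the external port.

```python
PHONE = ("192.168.1.20", 5060)     # constructed: phone's LAN address, default local SIP port
PROVIDER = ("203.0.113.10", 5060)  # constructed: provider's SIP server
SCANNER = ("192.0.2.55", 5071)     # constructed: unrelated Internet host

class Nat:
    """Toy UDP NAT; the three kinds differ only in their inbound filter."""
    KINDS = ("full_cone", "address_restricted", "port_restricted")

    def __init__(self, kind):
        if kind not in self.KINDS:
            raise ValueError(kind)
        self.kind = kind
        self.mappings = {}  # external port -> (inside host, set of remote peers)

    def outbound(self, inside, remote):
        """Record an outgoing packet; assume the router preserves the source port."""
        ext_port = inside[1]
        _, peers = self.mappings.setdefault(ext_port, (inside, set()))
        peers.add(remote)
        return ext_port

    def inbound(self, remote, ext_port):
        """Return the inside host the packet is delivered to, or None if dropped."""
        if ext_port not in self.mappings:
            return None  # no mapping and no port forward
        inside, peers = self.mappings[ext_port]
        if self.kind == "full_cone":
            allowed = True
        elif self.kind == "address_restricted":
            allowed = any(ip == remote[0] for ip, _ in peers)
        else:
            allowed = remote in peers
        return inside if allowed else None

def who_gets_through(kind, local_sip_port=5060):
    """After one REGISTER/keep-alive, can the provider and a port-5060 probe reach the phone?"""
    nat = Nat(kind)
    phone = (PHONE[0], local_sip_port)
    ext_port = nat.outbound(phone, PROVIDER)
    provider_ok = nat.inbound(PROVIDER, ext_port) == phone
    probe_ok = nat.inbound(SCANNER, 5060) == phone  # scanners aim at 5060
    return provider_ok, probe_ok

if __name__ == "__main__":
    for kind in Nat.KINDS:
        print(kind, who_gets_through(kind), who_gets_through(kind, 5070))
```

In this model only the full-cone NAT delivers the probe, and only while the phone's local SIP port is 5060; the provider's calls arrive in every case.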



horacebork
Premium
join:2011-03-17
09001
Reviews:
·voip.ms
·Time Warner Cable
reply to idbit

I wonder how they found out my IP was feeding a SIP phone? ... Plus if there is anything they can really do?

one thing i was surprised to discover early on was exactly how many times my local ip address was being 'hit'. before knowing much about security, i mistakenly thought that since my ip address was 'private' and not static, it would not be vulnerable. nothing could be further from the truth.

there are people out there that scan for ip addresses in numerical sequence. thus *any* ip address active on the internet is accessible. when they get a hit on such an ip address, they start scanning for ports. when they have a 'live one', they then start exploiting that opening for any possible weakness.

to answer your second question: strong firewall or other equivalent countermeasure that actively deflects such intrusions.
--
".. the sofa has just vanished." ".. well, that's one mystery less."

garys_2k
Premium
join:2004-05-07
Farmington, MI
Reviews:
·Callcentric
·callwithus
reply to idbit

Most any router with no ports forwarded should be able to deflect an outside attack, as was found here: »El Cheapo Router Challenge

A technical "win" was declared, but it wasn't simple and no real threat occurred, »First winner - El Cheapo Router Challenge

If outsiders are still getting in I'd say it's not from scans, it's from their having recorded your IP as a good one, found back when you were forwarding ports. In any case, though, if you've closed the doors the router ought to keep them out.


zm

join:2001-06-19
canada

1 recommendation

reply to Mango

said by Mango:

StillLearn's router must use Full-cone NAT, correct?

Is there an easy way to test what type of NAT a router uses?

I would try to run sipsak against the router from another box on the intarwebs, and see if I got an answer; here's an example against atlanta.voip.ms:

$ sipsak -v -v -s sip:atlanta.voip.ms
No SRV record: _sip._tcp.atlanta.voip.ms
No SRV record: _sip._udp.atlanta.voip.ms
using A record: atlanta.voip.ms
warning: need raw socket (root privileges) to receive all ICMP errors

message received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 127.0.1.1:46822;branch=z9hG4bK.1995f7ee;alias;received=**.***.**.**;rport=46398
From: sip:sipsak@127.0.1.1:46822;tag=62628a27
To: sip:atlanta.voip.ms;tag=as0c4c7c7c
Call-ID: 1650625063@127.0.1.1
CSeq: 1 OPTIONS
User-Agent: VoIPMS/SERAST
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces
Contact:
Accept: application/sdp
Content-Length: 0

** reply received after 42.774 ms **
SIP/2.0 200 OK
final received


phoneuser

join:2012-12-19
New York, NY

1 edit

1 recommendation

reply to Mango

said by Mango:

Is there an easy way to test what type of NAT a router uses?

Here are a few that I know about.

* NAT tester at »nattest.net.in.tum.de
Requires Java, unfortunately. I've found that the final test (UDP Reverse Traceroute) can hang. If it does, then you can abandon it and still see the results of the other tests by clicking on the "permanent link for your results" link. It also tests for the presence of SIP and FTP ALGs. For my router, it reports the correct results for the things that I know about by other means.

* On Mac OS X, launch the Messages application. Skip the setup if you're not a chatter. From the menu bar, go to Video > Connection Doctor. Choose "Network Status". "Router Type" should show the NAT type. I've found that sometimes it fails to detect the type the first time; toggling to "Statistics" and back to "Router Type" seems to fix this. It reports the correct NAT type for my router.

* I no longer have one of these ATAs, but I've used this before with success. Sipura/Linksys ATAs have a "STUN Test Enable" option (with the other "NAT Support" options) which, when set "on" and with STUN configured, will report the detected NAT type in the debug log on a coldstart of the device.

idbit

join:2008-12-04
Florida
reply to idbit

said by Stewart:

I believe that Accounts --> advanced --> Local SIP Port is the setting to change on a Yealink.

That is right. I finally did change the Local SIP Port there. At first, I wanted to see if I would get any more of these calls. I finally did two nights ago. This one was more persistent than ever. I couldn't make it stop ringing - even if I hit Reject, or answered it, or hung up. When I did answer it, I would hang back up and the phone would just continue ringing. I forgot what combination eventually got it to stop ringing. I just started pressing buttons - Hold, Transfer, until finally, it stopped ringing. So that was all it took for me at that point. I changed the Local SIP Port.

said by horacebork:

there are people out there that scan for ip addresses in numerical sequence. thus *any* ip address active on the internet is accessible. when they get a hit on such an ip address, they start scanning for ports. when they have a 'live one', they then start exploiting that opening for any possible weakness.

By a 'live one', do you mean an open port? Or does open/closed really even matter?


horacebork
Premium
join:2011-03-17
09001
Reviews:
·voip.ms
·Time Warner Cable

sorry, i'm a bit slangy. yes, a 'live one' would be an open port.
if an ip address has an open port, the potential to exploit it exists.
if there is no open port (no software listening on the other end) there is no exploit available (that i know of).

think of it as an actual wall (brick, steel whatever). if there isn't an opening (port) of some kind, you have to cut your way through.
(making your own way through would be outside the scope of the discussion, i suppose).

--
".. the sofa has just vanished." ".. well, that's one mystery less."


MZB

join:2010-11-25
Dunrobin, ON
reply to grand total

said by grand total:

You can't. But, I suppose, if enough people stop using 5060 then the scanners will start looking for other ports.

After I moved my ATA from 5060/1 to 5064/5 it took 2 years before I noticed another hack attempt. Needless to say, I've moved it now to a completely random port number which is quiet (according to the SANS Internet Storm Centre »isc.sans.edu/port.html?port=5060 ).