
StillLearn
Premium
join:2002-03-21
Streamwood, IL
Reviews:
·AT&T Midwest

1 edit
reply to StillLearn

Re: Receiving calls from name/number 100 that don't get logged

said by StillLearn:

said by grand total:

Yes, if you do not forward ports to your device you are protected from port scanners.

Thanks. That's a relief. And thanks for the other info too.

It turns out that being behind a NAT router without port forwarding or DMZ is not sufficient to stop the probe from ringing your box. I have just implemented one of the other measures.

grand total

join:2005-10-26
Mississauga
kudos:2
Reviews:
·Anveo
·VMedia

said by StillLearn:

It turns out that being behind a NAT router without port forwarding or DMZ is not sufficient to stop the probe from ringing your box. I have just implemented one of the other measures.

Yes, I recently learnt that's true for some routers. Sorry for my misleading answer.
--
DPC3825 (bridge mode) - WRT610N + Tomato - Panasonic KX-TGP500 - Asterisk 1.8.10.1 on a Virtual Server
Anveo - FreePhoneLine - Voxbeam - Numbergroup - Callcentric - VoIP.ms - Localphone - UKDDI

Mango
What router are you using?
Premium
join:2008-12-25
www.toao.net
kudos:12

StillLearn's router must use Full-cone NAT, correct?

Is there an easy way to test what type of NAT a router uses?



horacebork
Premium
join:2011-03-17
09001
Reviews:
·Time Warner Cable
·voip.ms
reply to idbit

I wonder how they found out my IP was feeding a SIP phone? ... Plus if there is anything they can really do?

one thing i was surprised to discover early on was exactly how many times my local ip address was being 'hit'. before knowing much about security, i mistakenly thought that since my ip address was 'private' and not static, it would not be vulnerable. nothing could be further from the truth.

there are people out there that scan for ip addresses in numerical sequence. thus *any* ip address active on the internet is accessible. when they get a hit on such an ip address, they start scanning for ports. when they have a 'live one', they then start exploiting that opening for any possible weakness.

to answer your second question: strong firewall or other equivalent countermeasure that actively deflects such intrusions.
--
".. the sofa has just vanished." ".. well, that's one mystery less."

garys_2k
Premium
join:2004-05-07
Farmington, MI
Reviews:
·Callcentric
·callwithus
reply to idbit

Most any router with no ports forwarded should be able to deflect an outside attack, as was found here: »El Cheapo Router Challenge

A technical "win" was declared, but it wasn't simple and no real threat occurred, »First winner - El Cheapo Router Challenge

If outsiders are still getting in I'd say it's not from scans, it's from their having recorded your IP as a good one, found back when you were forwarding ports. In any case, though, if you've closed the doors the router ought to keep them out.


zm

join:2001-06-19
canada

1 recommendation

reply to Mango

said by Mango:

StillLearn's router must use Full-cone NAT, correct?

Is there an easy way to test what type of NAT a router uses?

I would try to run sipsak against the router from another box on the intarwebs, and see if I got an answer; here's an example against atlanta.voip.ms:

$ sipsak -v -v -s sip:atlanta.voip.ms
No SRV record: _sip._tcp.atlanta.voip.ms
No SRV record: _sip._udp.atlanta.voip.ms
using A record: atlanta.voip.ms
warning: need raw socket (root privileges) to receive all ICMP errors

message received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 127.0.1.1:46822;branch=z9hG4bK.1995f7ee;alias;received=**.***.**.**;rport=46398
From: sip:sipsak@127.0.1.1:46822;tag=62628a27
To: sip:atlanta.voip.ms;tag=as0c4c7c7c
Call-ID: 1650625063@127.0.1.1
CSeq: 1 OPTIONS
User-Agent: VoIPMS/SERAST
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces
Contact:
Accept: application/sdp
Content-Length: 0

** reply received after 42.774 ms **
SIP/2.0 200 OK
final received


phoneuser

join:2012-12-19
New York, NY

1 edit

1 recommendation

reply to Mango

said by Mango:

Is there an easy way to test what type of NAT a router uses?

Here are a few that I know about.

* NAT tester at »nattest.net.in.tum.de
Requires Java, unfortunately. I've found that the final test (UDP Reverse Traceroute) can hang. If it does, then you can abandon it and still see the results of the other tests by clicking on the "permanent link for your results" link. It also tests for the presence of SIP and FTP ALGs. For my router, it reports the correct results for the things that I know about by other means.

* On Mac OS X, launch the Messages application. Skip the setup if you're not a chatter. From the menu bar, go to Video > Connection Doctor. Choose "Network Status". "Router Type" should show the NAT type. I've found that sometimes it fails to detect the type the first time; toggling to "Statistics" and back to "Router Type" seems to fix this. It reports the correct NAT type for my router.

* I no longer have one of these ATAs, but I've used this before with success. Sipura/Linksys ATAs have a "STUN Test Enable" option (with the other "NAT Support" options) which, when set "on" and with STUN configured, will report the detected NAT type in the debug log on a coldstart of the device.
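What the NAT types reported by these tests mean for an unsolicited SIP probe, as an added Python model that is not part of the original posts. It uses the RFC 3489 terminology from this thread; the class and function names and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

# The four classic NAT types (RFC 3489 terminology, as used in this thread).
FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = (
    "full cone", "restricted cone", "port restricted cone", "symmetric")

@dataclass
class Nat:
    kind: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # mapping key -> external port
    contacted: dict = field(default_factory=dict)  # external port -> peers sent to

    def outbound(self, src, dst):
        """Device at src=(ip, port) sends to dst=(ip, port); returns external port."""
        # Symmetric NAT allocates a new external port per destination.
        key = (src, dst) if self.kind == SYMMETRIC else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext = self.mappings[key]
        self.contacted.setdefault(ext, set()).add(dst)
        return ext

    def inbound_allowed(self, ext_port, remote):
        """Would a packet from remote=(ip, port) to ext_port reach the device?"""
        peers = self.contacted.get(ext_port)
        if not peers:
            return False              # no mapping exists on that port
        if self.kind == FULL_CONE:
            return True               # any host may use an existing mapping
        if self.kind == RESTRICTED:
            return remote[0] in {ip for ip, _ in peers}  # IP must match
        return remote in peers        # port restricted / symmetric: IP and port

def scanner_can_ring(kind):
    """ATA registers with its provider, then an unrelated host probes the mapping."""
    ata = ("192.168.1.55", 5060)        # constructed LAN address
    provider = ("198.51.100.10", 5060)  # constructed (documentation range)
    scanner = ("203.0.113.77", 5071)    # constructed (documentation range)
    nat = Nat(kind)
    ext = nat.outbound(ata, provider)   # REGISTER opens and keeps the mapping
    assert nat.inbound_allowed(ext, provider)  # provider traffic always passes
    return nat.inbound_allowed(ext, scanner)

if __name__ == "__main__":
    for kind in (FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(f"{kind:22} unsolicited packet reaches ATA: {scanner_can_ring(kind)}")
```

Only the full cone case lets a host the ATA never contacted reach it through the mapping its registration keeps open, with no port forwarding or DMZ involved.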

idbit

join:2008-12-04
Florida
reply to idbit

said by Stewart:

I believe that Accounts --> advanced --> Local SIP Port is the setting to change on a Yealink.

That is right. I finally did change the Local SIP Port there. At first, I wanted to see if I would get any more of these calls. I finally did two nights ago. This one was more persistent than ever. I couldn't make it stop ringing - even if I hit Reject, or answered it, or hung up. When I did answer it, I would hang back up and the phone would just continue ringing. I forgot what combination eventually got it to stop ringing. I just started pressing buttons - Hold, Transfer, until finally, it stopped ringing. So that was all it took for me at that point. I changed the Local SIP Port.

said by horacebork:

there are people out there that scan for ip addresses in numerical sequence. thus *any* ip address active on the internet is accessible. when they get a hit on such an ip address, they start scanning for ports. when they have a 'live one', they then start exploiting that opening for any possible weakness.

By a 'live one', do you mean an open port? Or does open/closed really even matter?


horacebork
Premium
join:2011-03-17
09001
Reviews:
·Time Warner Cable
·voip.ms

sorry, i'm a bit slangy. yes, a 'live one' would be an open port.
if an ip address has an open port, the potential to exploit it exists.
if there is no open port (no software listening on the other end) there is no exploit available (that i know of).

think of it as an actual wall (brick, steel whatever). if there isn't an opening (port) of some kind, you have to cut your way through.
(making your own way through would be outside the scope of the discussion, i suppose).

--
".. the sofa has just vanished." ".. well, that's one mystery less."


MZB

join:2010-11-25
Dunrobin, ON
reply to grand total

said by grand total:

You can't. But, I suppose, if enough people stop using 5060 then the scanners will start looking for other ports.

After I moved my ATA from 5060/1 to 5064/5 it took 2 years before I noticed another hack attempt. Needless to say, I've moved it now to a completely random port number which is quiet (according to the SANS Internet Storm Centre »isc.sans.edu/port.html?port=5060 ).


JEDI

join:2005-04-11
Longueuil
kudos:1
Reviews:
·ELECTRONICBOX
reply to idbit

I also had that problem at first. I simply changed my port instead of the default one and added the list of IPs that are allowed to connect to my ATA. I have an Obi100, in the X_AccessList parameter I specified all the IP addresses of voip.ms (my provider). It fixed my issue.


tritch

join:2007-04-30
Porter, TX

2 edits

said by JEDI:

I also had that problem at first. I simply changed my port instead of the default one and added the list of IPs that are allowed to connect to my ATA. I have an Obi100, in the X_AccessList parameter I specified all the IP addresses of voip.ms (my provider). It fixed my issue.

Exactly. If you have a Linksys ATA just simply enable "Restrict Source IP" to eliminate these types of scans/attacks, other ATA's (Grandstreams, etc) most likely have a similar setting. The ATA simply drops all data packets that don't come from your registered SIP proxy (trusted IP's). There's no need to change SIP ports, play with router settings, etc.

I have had my Linksys SPA2102 directly connected to a bridged DSL modem for quite some time (no firewall/NAT whatsoever) and it's stopped 100% of these type of scans/hacking attempts. I find "Restrict Source IP" to be very secure.


lacibaci

join:2000-04-10
Export, PA
Reviews:
·voip.ms

said by tritch:

Exactly. If you have a Linksys ATA just simply enable "Restrict Source IP" to eliminate these types of scans/attacks, other ATA's (Grandstreams, etc) most likely have a similar setting. The ATA simply drops all data packets that don't come from your registered SIP proxy (trusted IP's). There's no need to change SIP ports, play with router settings, etc.

I have had my Linksys SPA2102 directly connected to a bridged DSL modem for quite some time (no firewall/NAT whatsoever) and it's stopped 100% of these type of scans/hacking attempts. I find "Restrict Source IP" to be very secure.

OP's ATA is an OBi that currently does not have this functionality.


StillLearn
Premium
join:2002-03-21
Streamwood, IL
Reviews:
·AT&T Midwest

said by lacibaci:

said by tritch:

Exactly. If you have a Linksys ATA just simply enable "Restrict Source IP" to eliminate these types of scans/attacks, other ATA's (Grandstreams, etc) most likely have a similar setting. The ATA simply drops all data packets that don't come from your registered SIP proxy (trusted IP's). There's no need to change SIP ports, play with router settings, etc.

I have had my Linksys SPA2102 directly connected to a bridged DSL modem for quite some time (no firewall/NAT whatsoever) and it's stopped 100% of these type of scans/hacking attempts. I find "Restrict Source IP" to be very secure.

OP's ATA is an OBi that currently does not have this functionality.

OBi does have that functionality. Search for X_AccessList on »www.obitalk.com/forum/ and you will find a lot of references.


lacibaci

join:2000-04-10
Export, PA
Reviews:
·voip.ms

said by StillLearn:

OBi does have that functionality. Search for X_AccessList on »www.obitalk.com/forum/ and you will find a lot of references.

I was talking about "Restrict Source IP" which restricts access to the registration server. X_AccessList is a very limited subset of this. You have to know all possible IPs, plus there is a length limit on this field (512 chars) which makes it unusable for providers that use hundreds of servers.


ctaranto

join:2011-12-14
MA
reply to tritch

said by tritch:

Exactly. If you have a Linksys ATA just simply enable "Restrict Source IP" to eliminate these types of scans/attacks, other ATA's (Grandstreams, etc) most likely have a similar setting. The ATA simply drops all data packets that don't come from your registered SIP proxy (trusted IP's). There's no need to change SIP ports, play with router settings, etc.

+1 for this.

I restricted by IP on my Tomato-based router after getting hit a few weeks ago on ports other than 5060. So far so good.


StillLearn
Premium
join:2002-03-21
Streamwood, IL
Reviews:
·AT&T Midwest
reply to lacibaci

said by lacibaci:

X_AccessList is a very limited subset of this. You have to know all possible IPs, plus there is a length limit on this field (512 chars) which makes it unusable for providers that use hundreds of servers.

X_AccessList on the OBi boxes works well for Anveo or voip.ms and probably others, which use anycast addresses; there is only one IP address for each region even though many servers are being used. That's how modern big DNS servers work. X_AccessList would not work for Callcentric, because there is unfortunately no way to specify a range at this time. I would hope OBi would change that by adding the potential for a netmask or other means. Considering the utility of that for so many people, it would be the highest priority if I were specing out new firmware. Some things are of use to a very limited number of people. Sip scanners need to be addressed by every user eventually, and it should be routine to the setup process.

If Linksys has a bit that can be set to solve the problem, then they are to be congratulated. It would seem to be even better if that bit was set by default, unless there is a downside to that.

Mango
What router are you using?
Premium
join:2008-12-25
www.toao.net
kudos:12
Reviews:
·Callcentric
·Anveo
·Shaw

This was posted by Oleg on the OBiTALK forums yesterday:

Voice Services >> SPx Service:
X_InboundCallRoute: {>('Insert your AuthUserName here'):ph}

This blocks calls not intended for your AuthUserName. I suspect this coupled with a high X_UserAgentPort number should block annoying SIP scanners, for devices that are not behind a restricted cone NAT router.


DaveN

join:2010-07-18
Santa Fe, NM

1 recommendation

reply to Mango

said by Mango:

StillLearn's router must use Full-cone NAT, correct?

Is there an easy way to test what type of NAT a router uses?

DogFace05 posted a handy NAT utility for this purpose along with a good explanation of NAT-related issues.

»Re: [Future9] PAP2 optimal settings?

Hope this helps...

zapattack

join:2012-07-02
CANADA

1 recommendation

reply to Mango

Works as advertised. Tested with false user name on PBXes account.
Ring group only connected to non-OBI line. Dialing Obi extension produced busy signal.
Definitely a simple and effective level of security.
Thanks, Mango, for the reference.


Mango
What router are you using?
Premium
join:2008-12-25
www.toao.net
kudos:12
reply to DaveN

Thank you! I was a newbie way back then.

I am behind port restricted cone NAT.



lacibaci

join:2000-04-10
Export, PA
Reviews:
·voip.ms
reply to Mango

said by Mango:

This was posted by Oleg on the OBiTALK forums yesterday:

Voice Services >> SPx Service:
X_InboundCallRoute: {>('Insert your AuthUserName here'):ph}

This blocks calls not intended for your AuthUserName. I suspect this coupled with a high X_UserAgentPort number should block annoying SIP scanners, for devices that are not behind a restricted cone NAT router.

So for Callcentric should this be:

X_InboundCallRoute: {>('1777xxxxxxx'):ph}

or (no quotes):

X_InboundCallRoute: {>(1777xxxxxxx):ph}

Lac

Mango
What router are you using?
Premium
join:2008-12-25
www.toao.net
kudos:12

My unproven theory is that it won't matter when the AuthUserName is numbers (in the case of Callcentric). If you test it, please let us know.



lacibaci

join:2000-04-10
Export, PA
Reviews:
·voip.ms

said by Mango:

My unproven theory is that it won't matter when the AuthUserName is numbers (in the case of Callcentric). If you test it, please let us know.

This one works:

X_InboundCallRoute: {>(1777xxxxxxx):ph}

although I have no way of testing a direct SIP call.


StillLearn
Premium
join:2002-03-21
Streamwood, IL
Reviews:
·AT&T Midwest

said by lacibaci:

said by Mango:

My unproven theory is that it won't matter when the AuthUserName is numbers (in the case of Callcentric). If you test it, please let us know.

This one works:

X_InboundCallRoute: {>(1777xxxxxxx):ph}

although I have no way of testing a direct SIP call.

When you show 1777xxxxxxx do you mean that, or do you mean something like 17775556789 as an example? As you know, x actually gets used in these strings to match. And if you really mean something like 17775556789 for example, how would you know what digits to use. Would that be your Callcentric account number?


lacibaci

join:2000-04-10
Export, PA

Yes, in my example 1777xxxxxxx is my Callcentric number.



lacibaci

join:2000-04-10
Export, PA
Reviews:
·voip.ms

1 recommendation

reply to idbit

Good news. I used sipp to test this and it seems to work.

Executing
lac@heron:~$ sipp -r 1 -rp 2000 <myip>

produces following INVITE:
INVITE sip: service@192.168.1.55:5060......

and response:
SIP DLG reject: 486...

The phone does not ring.

Changing the parameters to:
lac@heron:~$ sipp -s <1777xxxxxx> -r 1 -rp 2000 <myip>

goes through with no problems.

Once again I used call route:
X_InboundCallRoute: {>(1777xxxxxxx):ph}
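The two device-side checks discussed in this thread, the source-IP restriction tritch describes and the Request-URI user match tested above with sipp, as an added Python example that is not OBi or Linksys firmware logic and not code from the posts. Function names, addresses and the account number are constructed; accepting CIDR blocks goes beyond what the thread says X_AccessList supports.

```python
import ipaddress

def request_user(raw):
    """Return the user part of a SIP request's Request-URI, or None."""
    parts = raw.split("\r\n", 1)[0].split()
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    scheme, _, rest = parts[1].partition(":")
    if scheme.lower() not in ("sip", "sips") or "@" not in rest:
        return None
    return rest.split("@", 1)[0].split(":", 1)[0].split(";", 1)[0]

def handle(raw, src_ip, auth_user, trusted=None):
    """Classify an inbound request as 'drop', 'reject-486' or 'accept'.

    trusted:   optional list of IPs/CIDR blocks of the provider's proxies
    auth_user: the account's AuthUserName
    """
    if trusted is not None:
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in ipaddress.ip_network(n) for n in trusted):
            return "drop"          # untrusted source: silently discarded
    if raw.startswith("INVITE ") and request_user(raw) != auth_user:
        return "reject-486"        # not addressed to our account: busy
    return "accept"

# Constructed sample data: documentation address ranges, made-up account.
AUTH_USER = "17775556789"
TRUSTED = ["198.51.100.10", "198.51.100.128/25"]

def invite(user):
    """Build a minimal constructed INVITE addressed to user."""
    return (f"INVITE sip:{user}@192.168.1.55:5060 SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 203.0.113.77:5071;branch=z9hG4bK.constructed\r\n"
            "CSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")

def demo():
    return [
        # Generic user, route check only: rejected, phone stays silent.
        handle(invite("service"), "203.0.113.77", AUTH_USER),
        # Correct user, route check only: passes from any source.
        handle(invite(AUTH_USER), "203.0.113.77", AUTH_USER),
        # Correct user, but source restriction enabled: dropped.
        handle(invite(AUTH_USER), "203.0.113.77", AUTH_USER, TRUSTED),
        # Correct user from a trusted proxy range: accepted.
        handle(invite(AUTH_USER), "198.51.100.200", AUTH_USER, TRUSTED),
    ]

if __name__ == "__main__":
    print(demo())
```

The second case shows why the route check alone depends on the user name staying unknown to the caller, while the source restriction does not.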


idbit

join:2008-12-04
Florida
reply to ctaranto

said by ctaranto:

I restricted by IP on my Tomato-based router after getting hit a few weeks ago on ports other than 5060. So far so good.

I have to do this. Can you recommend a Tomato-based router that would handle this? I don't think my Yealink phone has this option. Right now, it's unplugged until I get this figured out.

This port scan follows me no matter what port I switch to. I thought I was smart picking a high random number like 32545. Doesn't matter. Either they have some kind of repeating option that allows them to scan every port. Or somehow it knew which port I switched to. Either way, I'm not taking any more chances. Any suggestions on a Tomato-based router? Thanks!

Mango
What router are you using?
Premium
join:2008-12-25
www.toao.net
kudos:12
Reviews:
·Callcentric
·Anveo
·Shaw
reply to ctaranto

said by ctaranto:

I restricted by IP on my Tomato-based router after getting hit a few weeks ago on ports other than 5060. So far so good.

I'm curious about this. Is it that you had an ATA behind a Tomato router with no port forwarding and no DMZ, and you still got a spam call?

I tested my Tomato router today (»Re: [Future9] PAP2 optimal settings?) and it has port restricted cone NAT. Are some distros different?


ctaranto

join:2011-12-14
MA

1 recommendation

said by Mango:

said by ctaranto:

I restricted by IP on my Tomato-based router after getting hit a few weeks ago on ports other than 5060. So far so good.

I'm curious about this. Is it that you had an ATA behind a Tomato router with no port forwarding and no DMZ, and you still got a spam call?

I tested my Tomato router today (»Re: [Future9] PAP2 optimal settings?) and it has port restricted cone NAT. Are some distros different?

Before I made the change, I had the ports open to the world, which is why the firewall wasn't blocking it (it was being told NOT to). I then restricted the ports to the specific voip.ms IP addresses. That's all.

I'm using Toastman's distribution on an Asus RT-N16. My phone (Panasonic KX-TGP551) is sitting off of that.

Idbit, I recommend the RT-N16 - it's been super reliable for me. It's fully "supported" by the Tomato community.