hmspe
Premium Member
join:2007-07-01
Temple, TX

hmspe

Premium Member

[Voip.ms] Phantom calls

I've been getting incoming calls with two or three digit CID showing on the phones all evening. Calls ring on all four instances (channels) for the DID that appear on the phones. The calls are not showing in the CDR and there is nothing there if I try to answer. The last seven sets of calls have been reported on the phones as CID 101, 201, 301, 401, 501, 601, and 701. It's almost midnight and these calls are waking the whole house. I have filed a support request with voip.ms but I don't expect to hear back until tomorrow. Caller ID filtering does not stop these calls. Any ideas on how to trace them and how to stop them would be appreciated.

XANAVirus
Premium Member
join:2012-03-03
Lavalette, WV

2 edits

XANAVirus

Premium Member

Sounds like a SIP Scanner.

Have you done any port forwarding for Voip.MS? Specifically, have you forwarded UDP port 5060 in your router?
It's usually not necessary to do so, for any VoIP provider.

You might consider disabling the UDP port 5060 forwarding on your router, or perhaps changing your ATA's SIP port to something random and forwarding that.

Furthermore, it's not possible to trace these types of calls, since they are not literally calls but rather port scanning applications.
Your ATA is faithfully decoding the incoming packets as actual calls and then sending them to the phones.
nirvy
join:2003-11-16
Minneapolis, MN

nirvy to hmspe

Member

to hmspe
Hey hmspe.

Did it look anything like this? »i.imgur.com/AFWbHrx.png

I noticed a similar thing on my FreePBX server when I was using the default port 5060 and it was fine after I changed the port.

I was actually going to add another video to my FreePBX series on YouTube to show people how and why they should change the default port on their servers.

Since it's not very straightforward for a lot of people, I'm thinking I should maybe do it but then again, with GoogleVoice going away soon, I'm not sure I'm going to use it anymore because I haven't found a good solution.

Alittlegreen
join:2008-07-24
Montreal, QC

1 recommendation

Alittlegreen to hmspe

Member

to hmspe
There's this person on DSLR that was kind enough to put something together for ATA configuration. I think you'll find what you're looking for here: »www.toao.net/500-mangos- ··· i202-ata
Under the heading "OBi ATA Security".

This is also on the voip.ms wiki:
»wiki.voip.ms/article/OBi_100/110
Under the heading "To avoid phone calls in the middle of the night due to SIP scanners (through no fault of VOIP.ms)."

I set up our ATA, followed these instructions, and not a single scanner call to date.
hmspe
Premium Member
join:2007-07-01
Temple, TX

hmspe

Premium Member

Thanks to all who have responded.

To answer the questions:
- No UDP ports are forwarded in the router.
- Port 5060 is not used on any of the DIDs. The DID getting the scans was on port 5082. The DIDs on 5080 and 5086 were not getting scanned.
- I don't really get logs, but the png from nirvy would be very close.
- My ATA is a Mediatrix so the Obi instructions don't directly apply. I'll have to see if I can find an equivalent setting.

N9MD
Too busy to chat
Premium Member
join:2005-10-08
Boca Raton, FL

1 recommendation

N9MD to hmspe

Premium Member

to hmspe
I'll add my two pfennigs to what those here (and in other threads) have suggested ... including my hero Mango on his site (referenced above).

Everyone with administrative access to their ATAs' settings (and PBX-like systems, too) should avoid using 5060 as the SIP Port. Changing this number will have no negative effect on functionality ... but it will be quite effective in blocking these annoying middle of the night calls. I've been using 5070, 5071, 5072, etc. (with no duplications) for each line on my several 2-line PAP2Ts and an 8-line SPA8000 ... with apparent success.

If the 'bad guys' are in the Eastern Hemisphere, they are in daytime sunlight during our Western Hemisphere overnight hours, making it easy for them to cause us Somnus Interruptus.
Mango
Use DMZ and you get a kick in the dick.
Premium Member
join:2008-12-25
www.toao.net

Mango to hmspe

Premium Member

to hmspe
said by hmspe:

- No UDP ports are forwarded in the router.

In that case, you probably have a full cone NAT router. When you register to a service provider, your router effectively sets up a port forward, allowing the SIP scanners to reach your device.

If they've found you on 5082, you may wish to change your port to a high number between 20000 and 65535. Note that this will not prevent scanners from reaching you, it will just make it less likely. The best (most secure) solution is to configure your router to use restricted cone NAT, or replace your router if that is not possible. Second best is to configure your ATA to reject calls not destined for you.
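
The difference between full cone and restricted cone NAT described above, as an added example that is not part of the original post. The addresses are constructed (RFC 5737 documentation ranges), and the model assumes the router keeps the ATA's source port (5082, the port named in the thread) as the external port.

```python
"""Added illustration: how the NAT filtering mode decides whether a SIP scanner reaches the ATA."""
from dataclasses import dataclass, field

# Constructed endpoints, not taken from the thread (except local port 5082).
ATA = ("192.168.1.50", 5082)        # ATA's local SIP endpoint
PROVIDER = ("203.0.113.10", 5060)   # stands in for the registered VoIP server
SCANNER = ("198.51.100.77", 5060)   # stands in for an unsolicited sender


@dataclass
class Nat:
    mode: str  # "full_cone", "restricted_cone" or "port_restricted_cone"
    # external port -> (internal endpoint, set of remote endpoints contacted)
    mappings: dict = field(default_factory=dict)

    def outbound(self, src, dst):
        """Record an outgoing packet (e.g. a REGISTER) and return the external port."""
        ext_port = src[1]  # assumption: the router preserves the source port
        _, peers = self.mappings.setdefault(ext_port, (src, set()))
        peers.add(dst)
        return ext_port

    def inbound(self, remote, ext_port):
        """Return the internal endpoint the packet is forwarded to, or None if dropped."""
        if ext_port not in self.mappings:
            return None  # no mapping exists, so nothing is forwarded
        internal, peers = self.mappings[ext_port]
        if self.mode == "full_cone":
            return internal  # any sender may use the mapping
        if self.mode == "restricted_cone":
            allowed = remote[0] in {ip for ip, _ in peers}  # match on IP only
        else:  # port_restricted_cone: match on IP and port
            allowed = remote in peers
        return internal if allowed else None


def scanner_reaches_ata(mode):
    nat = Nat(mode)
    port = nat.outbound(ATA, PROVIDER)          # registration opens the mapping
    assert nat.inbound(PROVIDER, port) == ATA   # real calls still arrive
    return nat.inbound(SCANNER, port) == ATA


if __name__ == "__main__":
    for mode in ("full_cone", "restricted_cone", "port_restricted_cone"):
        print(mode, "-> scanner reaches ATA:", scanner_reaches_ata(mode))
```
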
Mango

2 recommendations

Mango to Alittlegreen

Premium Member

to Alittlegreen
said by »toao.net/500 :

By default, OBi devices accept calls destined for any username. The above syntax rejects calls that are not intended for whatever you have configured as AuthUserName.

said by »wiki.voip.ms/article/OBi_100/110 :

By default, OBi devices accept calls destined for any username. The above syntax rejects calls that are not intended for whatever you have configured as AuthUserName.

 
Really, guys? Again?
nirvy
join:2003-11-16
Minneapolis, MN

nirvy to Mango

Member

to Mango
said by Mango:

The best (most secure) solution is to configure your router to use restricted cone NAT, or replace your router if that is not possible. Second best is to configure your ATA to reject calls not destined for you.

I'm not sure how OBi works because I don't own one, but if you can set a whitelist, that's actually one of the best methods of preventing not only scans but actual hack attempts.

When I log into Webmin and go into Networking -> Firewall on my FreePBX server machine, this is what it looks like: »i.imgur.com/DfpPOSM.png

For the time being, I went from port 5060 to 2060, and now to 8089 and I have to allow it both in the Linux firewall and in my router because my FreePBX server doesn't operate as UPnP and that's a good thing. Both ports 2060 and 8089 have not received any such scan attempts or suspicious activity in the call log, so I don't have a need for a blacklist or a whitelist.

If I were to set up a whitelist, I'd block all IP addresses in the Linux firewall rules and only allow my T-Mobile and Comcast internet IP addresses to connect. The OP doesn't necessarily have to get a new router, though.

brg
Premium Member
join:2001-01-03
Chicago, IL

1 recommendation

brg to Mango

Premium Member

to Mango
said by Mango:

said by »toao.net/500 :

By default, OBi devices accept calls destined for any username. The above syntax rejects calls that are not intended for whatever you have configured as AuthUserName.

said by »wiki.voip.ms/article/OBi_100/110 :

By default, OBi devices accept calls destined for any username. The above syntax rejects calls that are not intended for whatever you have configured as AuthUserName.

 
Really, guys? Again?

/sarcasm mode on:

Perhaps it's intended as a form of flattery.

/sarcasm mode off
OzarkEdge
join:2014-02-23
USA

2 edits

OzarkEdge to Alittlegreen

Member

to Alittlegreen
said by Alittlegreen:

There's this person on DSLR that was kind enough to put something together for ATA configuration. I think you'll find what you're looking for here: »www.toao.net/500-mangos- ··· i202-ata
Under the heading "OBi ATA Security".

This is also on the voip.ms wiki:
»wiki.voip.ms/article/OBi_100/110
Under the heading "To avoid phone calls in the middle of the night due to SIP scanners (through no fault of VOIP.ms)."

I set up our ATA, followed these instructions, and not a single scanner call to date.

I believe this OBi firmware Build 4330 setting can be used instead to prohibit anonymous SIP and works with VoIP.ms:

Voice Services
SPn Service - SIP Credentials::X_EnforceRequestUserID = checked

Edit: Supersedes InboundCallRoute methods (see below) but may not work with all ITSPs.

OE
adit7
join:2013-04-02
Oakville, ON

1 edit

adit7

Member

said by OzarkEdge:

I believe this OBi firmware Build 4330 setting can be used instead to prohibit anonymous SIP and works with VoIP.ms:

Voice Services
SPn Service - SIP Credentials::X_EnforceRequestUserID = checked

OE

You are right. This works for OBI202 with the latest firmware. However, you can still use "Oleg's method", which works on older firmware and OBI models which do not have that setting. I did not bother to change; I set Oleg's method (look on the OBI forum for it) a long time ago and never had a problem since then.
As a note, "Oleg's method" works with all providers; the flag above requires provider support, so it will not work with all providers (if I remember well, VoIP.ms supports it). There is another thread in the Obi forum related to this flag.

Oleg's method:
»www.obitalk.com/forum/in ··· c=5467.0
OzarkEdge
join:2014-02-23
USA

OzarkEdge

Member

said by adit7:

You are right. This works for OBI202 with the latest firmware. However, you can still use "Oleg's method", which works on older firmware and OBI models which do not have that setting. I did not bother to change; I set Oleg's method (look on the OBI forum for it) a long time ago and never had a problem since then.
As a note, "Oleg's method" works with all providers; the flag above requires provider support, so it will not work with all providers (if I remember well, VoIP.ms supports it). There is another thread in the Obi forum related to this flag.

Oleg's method:
»www.obitalk.com/forum/in ··· c=5467.0

Thanks!

Also from my notes... I've only used the first option with VoIP.ms until OBi instituted the X_EnforceRequestUserID setting:

Voice Services
SPn Service - SPn Service::X_InboundCallRoute = ph1 (route inbound to phoneport1)
o {>[Your Account User ID]:ph1} prohibit anonymous SIP but does not work for Builds 4303 and 4318
o {>[Called Number]:ph1} prohibit anonymous SIP but only works after Build 4269

OE

flinchlock
Premium Member
join:2003-04-25
Augusta, MI
ARRIS SB6121
Obihai OBi200

flinchlock to hmspe

Premium Member

to hmspe

FYI...

I used OBiTALK to configure SP1 & SP2 (for CC) and AuthUserName was automagically set for me.

Mike

nunya
LXI 483
MVM
join:2000-12-23
O Fallon, MO

nunya to Mango

MVM

to Mango

Re: [Voip.ms] Phantom calls

Somebody from Voip.ms owes you a Coke. Or at least some credit.
What ever happened to footnotes and citations? Did they disappear with the typewriter?
Mango
Use DMZ and you get a kick in the dick.
Premium Member
join:2008-12-25
www.toao.net

Mango

Premium Member

There's a citation on »wiki.voip.ms/w/index.php ··· y_issues, but only because I added it. It got approved and published months later.
PX Eliezer1
Premium Member
join:2013-03-10
Zubrowka USA

PX Eliezer1

Premium Member

said by Mango:

There's a citation on »wiki.voip.ms/w/index.php ··· y_issues, but only because I added it. It got approved and published months later.

The ultimate in self-service!
bw5745
join:2014-03-14

bw5745 to hmspe

Member

to hmspe
Hi! It looks like this turned into an Obi discussion. I skimmed the manual for the Mediatrix 4102. Is this your model of ATA?

The right way to block these calls is to use restricted cone NAT as suggested by Mango. When a SIP scanner tries to connect to your public IP address, the restricted cone NAT would block the connection since it is not coming from voip.ms.

If you can't fix your router, the high port numbers suggested by Mango help since the SIP scanners would concentrate on the popular ports.

I did find one setting in the Mediatrix 4102 manual that might help. The SIP Trusted Sources feature lets you choose six different IP addresses that the ATA will listen to. When enabled, calls from other IP addresses will be ignored. You would have to look up the numerical IP addresses of your voip.ms servers and enter them into the Mediatrix. This is not an ideal solution. What if voip.ms adds a new regional server that you want to try? You'll be scratching your head until you remember to change this setting.
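
The two ATA-side filters discussed in this thread, rejecting INVITEs whose request user is not the configured AuthUserName and accepting SIP only from a list of trusted source IPs, sketched as an added example; it is not OBi or Mediatrix firmware code and not part of any post. The account name, IP addresses, sample messages and the `decide` function are all constructed for illustration, and it assumes the provider puts the account user ID in the Request-URI.

```python
"""Added illustration of ATA-side INVITE filtering (hypothetical names throughout)."""
import re

AUTH_USER_NAME = "123456_ata"        # hypothetical account user ID
TRUSTED_SOURCES = {"203.0.113.10"}   # hypothetical provider server IPs

# SIP request line: METHOD SP Request-URI SP SIP-Version
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+) sips?:(?:(?P<user>[^@;\s]+)@)?[^\s;:]+\S* SIP/2\.0$")

# Constructed sample messages (trimmed to the headers that matter here).
SCANNER_INVITE = ("INVITE sip:100@192.0.2.20:5082 SIP/2.0\r\n"
                  "From: \"101\" <sip:101@192.0.2.20>;tag=abc\r\n"
                  "To: <sip:100@192.0.2.20>\r\n\r\n")
PROVIDER_INVITE = ("INVITE sip:123456_ata@192.0.2.20:5082 SIP/2.0\r\n"
                   "From: \"Caller\" <sip:5551230000@203.0.113.10>;tag=xyz\r\n"
                   "To: <sip:123456_ata@192.0.2.20>\r\n\r\n")


def request_user(message):
    """Return (method, Request-URI user) or (None, None) if the line is malformed."""
    m = REQUEST_LINE.match(message.split("\r\n", 1)[0])
    return (m.group("method"), m.group("user")) if m else (None, None)


def decide(message, source_ip, enforce_user=True, trusted_only=False):
    """Return 'ring', 'ignore' or a 'reject: ...' reason for an incoming request."""
    method, user = request_user(message)
    if method != "INVITE":
        return "ignore"
    if trusted_only and source_ip not in TRUSTED_SOURCES:
        return "reject: untrusted source"
    if enforce_user and user != AUTH_USER_NAME:
        return "reject: request user mismatch"
    return "ring"


if __name__ == "__main__":
    # With neither filter, the unsolicited INVITE rings the phones.
    print(decide(SCANNER_INVITE, "198.51.100.77", enforce_user=False))
    print(decide(SCANNER_INVITE, "198.51.100.77"))
    print(decide(PROVIDER_INVITE, "203.0.113.10", trusted_only=True))
```
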
hmspe
Premium Member
join:2007-07-01
Temple, TX

hmspe

Premium Member

Thanks again to all for the help and suggestions.

The router is a Netgear R6300. The only NAT settings I can find are 'NAT Filtering', which is set to secured, and 'Disable SIP ALG', which is unchecked.

The Mediatrix is a 4108.

Changing the ports has stopped the problem for the moment. I'll look at the SIP Trusted Sources option when I get a few minutes. If I can do two LA servers, two Denver, and two Dallas I'm probably covered for any server changes I would make. Unlikely that they will add servers in Phoenix.
Mango
Use DMZ and you get a kick in the dick.
Premium Member
join:2008-12-25
www.toao.net

Mango

Premium Member

Does SIP Trusted Sources allow you to use hostnames instead of IP addresses? This would be more reliable, in case the IP address for your server(s) change.

It's curious that you're having the problem, even with NAT Filtering set to Secured. That seems backwards to me.

brg
Premium Member
join:2001-01-03
Chicago, IL

brg to hmspe

Premium Member

to hmspe
said by hmspe:

...and 'Disable SIP ALG', which is unchecked.

Unrelated, but conventional wisdom in this forum is generally to disable SIP ALG. However, if things have been otherwise working fine thus far, maybe don't fix what ain't broke in that regard...
hmspe
Premium Member
join:2007-07-01
Temple, TX

hmspe

Premium Member

The Mediatrix I have has the DGW software. 'SIP Trusted Sources' is only part of Mediatrix's SIP software. I think there are equivalent methods in the DGW software but the terminology in the manual is a bit foreign to me so it may take a while to figure out.

I agree that it is strange to have this problem with NAT Filtering set to secure. It is also strange that the DID on port 5082 was being hit but the DID on port 5080 was not.
OzarkEdge
join:2014-02-23
USA

OzarkEdge

Member

Just brainstorming here with little experience...

Did VoIP.ms Support offer any advice on the matter?

If my router was letting unsolicited 'SIP scans' through to my ata, I should think about getting a different router, yes?

Could the inbound be spurious SIP from the registered VoIP.ms server? Could this be tested by temporarily registering with a different server?

OE
Mango
Use DMZ and you get a kick in the dick.
Premium Member
join:2008-12-25
www.toao.net

Mango

Premium Member

said by OzarkEdge:

I should think about getting a different router, yes?

If your router cannot be configured otherwise, and is not compatible with third-party firmware, for best security you should replace the router. For adequate security you can configure your ATA to reject calls not intended for you.
said by OzarkEdge:

Could the inbound be spurious SIP from the registered VoIP.ms server?

Nope.

m.
bw5745
join:2014-03-14

bw5745 to OzarkEdge

Member

to OzarkEdge
said by OzarkEdge:

Could the inbound be spurious SIP from the registered VoIP.ms server?

If it were from voip.ms, there are two possibilities:
--It has to be a real crank call to your DID. The caller would have paid to call your number.
--You publicly revealed your voip.ms incoming SIP URI.

In either case, the call should show up in the voip.ms call logs.
brawney
Premium Member
join:2002-03-02
Frederick, MD

brawney to OzarkEdge

Premium Member

to OzarkEdge
said by OzarkEdge:

If my router was letting unsolicited 'SIP scans' through to my ata, I should think about getting a different router, yes?

+1
brawney

1 recommendation

brawney to Mango

Premium Member

to Mango
said by Mango:

If your router cannot be configured otherwise, and is not compatible with third-party firmware, for best security you should replace the router. For adequate security you can configure your ATA to reject calls not intended for you.

I would do both. My router doesn't have that issue, but I still configure the ATA to reject calls not intended for it. If my router did have that issue it would be replaced immediately.