Patdundee

Dammed asterisk calls

I am seeing an increase of calls across all extensions with you from asterisk. It has been explained that this is supposed to be the equivalent of Email Spamming. This is starting to cause issues with late night calls and phones freezing up also when the call is received. Surely something can be done about this. Even email has spam filters. This is starting to get irritating as I am sure it is for everyone else. They must be getting the extension numbers from somewhere?

  • Scottish Broadband Telecom
    happy I’m helpful
    Hi Pat,

    Are you sure these "calls" are not MWI notifications?

    If you have an outstanding message in your voicemail, and the phones are set to notify you by ringing when they get the notification, they might ring every hour or so.

    I say this because usually "asterisk" is the name of the caller that pops up when an MWI notification is issued.

    If this is not the case, just don't forward any UDP port to the phone and use your outbound proxy in the registration parameters. You don't need to expose any port when you use it.
    If port 5060 UDP is closed on your router the SIP spammer can't see your phone.

    A trace of the SIP traffic might help to pinpoint the problem though. I know SNOM phones can log the SIP traffic, and some others do too.

    Cheers

  • Patdundee
    Hi
    Thanks for the response. I will check the Message Waiting settings. Unfortunately though the phones are all public facing (No NAT and No Firewall) so the UDP goes out the window :)

  • Scottish Broadband Telecom
    happy I’m confident
    Hi Pat,

    In your case, you can always move the phones' SIP port somewhere else, say 5070.

    It doesn't matter to the registrar what SIP port your phone is, as far as it's declared correctly in the SIP REGISTER dialog what UDP port is in use, and all sensible phones do.

    At least you don't get spammed by a blanket attack on port 5060.

    HTH

  • Michael Turner
    indifferent I’m indifferent
    Hi Pat,

    One of my clients has had the same problem, lots of Asterisk calls - one after the other over the last week or so.

    I've been advised to move them behind the NAT to prevent the attack. But then we may have NAT issues.

  • Patdundee
    Hi Guys
    I have tried removing the MWI but still the same. As advised by Gradwell, all phones I manage are on public IPs so they all operate correctly; we do not use NAT for ours.

    According to Gradwell the inbound asterisk calls are not coming through their system. Someone out there has an asterisk box and is scanning for IPs with traffic on the SIP protocol.

    Perhaps if we all got together and collated a log on the routers we use.

    Set a rule up to alert and log any traffic coming inbound using UDP / SIP; that way we can collect the IP or IP range this is coming from. Once we have enough logs we could perhaps send them all to Gradwell with our IP lists highlighting the ones we know were asterisk calls (the phone log will match the firewall log). Gradwell could then report these IPs as malicious to RIPE and then maybe something can be done about it.

    What do you all think? If the above is not feasible then maybe others have some ideas on what we can all try.
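Added example, not part of the original thread or any poster's code: one way to do the log matching proposed in the post above, pairing inbound UDP/5060 firewall entries with the times the phones logged an "asterisk" call and skipping sources inside the provider's ranges. The log format, timestamps, addresses and the provider range (RFC 5737 documentation space, not Gradwell's real ranges) are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: placeholder provider range, not Gradwell's real IP ranges.
PROVIDER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed firewall log (hypothetical format: timestamp, SRC=, DPT=).
FIREWALL_LOG = """\
2012-03-04T02:13:58 IN UDP SRC=203.0.113.45 DPT=5060
2012-03-04T02:14:01 IN UDP SRC=192.0.2.10 DPT=5060
2012-03-04T02:20:30 IN UDP SRC=198.51.100.7 DPT=5060
2012-03-04T03:41:12 IN UDP SRC=203.0.113.45 DPT=5060
2012-03-04T03:41:15 IN UDP SRC=203.0.113.99 DPT=53
"""

# Constructed phone log: times at which a call from "asterisk" rang.
PHONE_LOG = ["2012-03-04T02:14:00", "2012-03-04T03:41:13"]

LINE_RE = re.compile(r"^(\S+) IN UDP SRC=(\S+) DPT=(\d+)$")

def parse_firewall(text, sip_port=5060):
    """Yield (timestamp, source IP) for inbound UDP packets to the SIP port."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m.group(3)) == sip_port:
            yield datetime.fromisoformat(m.group(1)), ipaddress.ip_address(m.group(2))

def is_provider(ip):
    """True when the source sits inside one of the allowed provider ranges."""
    return any(ip in net for net in PROVIDER_NETS)

def suspect_sources(fw_text, phone_times, window_s=5):
    """Count, per non-provider source IP, the ghost calls it coincides with."""
    calls = [datetime.fromisoformat(t) for t in phone_times]
    window = timedelta(seconds=window_s)
    hits = {}
    for ts, ip in parse_firewall(fw_text):
        if is_provider(ip):
            continue  # signalling from the provider is expected traffic
        matched = sum(1 for c in calls if abs(c - ts) <= window)
        if matched:
            hits[str(ip)] = hits.get(str(ip), 0) + matched
    return hits

if __name__ == "__main__":
    for ip, n in sorted(suspect_sources(FIREWALL_LOG, PHONE_LOG).items()):
        print(f"{ip}\tmatched {n} ghost call(s)")
```

Sources that hit port 5060 without a matching ring (198.51.100.7 in the sample) are left out of the result, so the list only contains addresses that both logs agree on.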

  • Scottish Broadband Telecom
    happy I’m collaborative
    Hi Pat,

    I know the feeling, you'd like to kick these skript kiddiez where the sun doesn't shine. I'm with you on this one, and I think something must be done from all of us.

    Gradwell could start banning permanently all incoming traffic from all destinations that are banned in the dialplan (like - if I'm not mistaken - Nigeria), and then we could add to it feeding back what happens our side.

    To me, it makes perfect sense to stop SIP traffic to and from a region that had a ban on PSTN calls.

    Please have a look at my blog, and if you like this we could start off working on this together.

  • Michael Turner
    sad I’m frustrated
    It looks like this issue is back - had several Asterisk calls today.

  • David Crossley
    We had a massive increase in asterisk calls last week and unusually, rather than just striking individual extensions in turn, they were hitting numerous extensions simultaneously.
    Then over the weekend our account has been hacked and there have been over 100 outbound calls made to dodgy looking international numbers - is there a link here - are the asterisk calls 'fishing' for account info?

  • Chris Britain
    Same problem ... changed SIP ports away from 5060 ... problem solved!

  • Patdundee
    happy I’m Thankful I Can Sleep
    If you do not use NAT on your VoIP then this problem is solved with local filtering

    I have set custom rules up in our firewall to allow only from all Gradwell IP ranges for VoIP communication. (So far no more midnight or early morning calls.)

    When using DMZ on the Thompson people could either connect PORT 4 to a firewall before the switch for the phones or they could utilise two routers (the other perhaps a Zyxel P660H which can either be used in place of yours or in between and has better firewall control )

    If they use 2 separate DSLs, one for internet and one for VoIP, they may just as well use the Zyxel P660H on its own. I have used these for some of my VoIP connections for a few years now and never have any issues with it. (Just a thought.) It is sound, solid and secure.

    BTW if you can get away from NAT and use public IPs, do so. You will find a better quality service, as the less there is in between the phone and the SIP server, the less can go wrong.

  • David Crossley
    Hi Pat
    Apologies if I'm slow on the uptake but I am a frustrated user/manager of our system, not a tech expert.
    I think our system mirrors the setup you describe - we have 8 Yealink phones on public IP addresses on a dedicated VoIP router (Thompson). We are plagued by asterisk calls which invariably lead to our phones being hacked and authorised calls being made out of hours resulting in our daily credit limit being hit.
    By changing the Thompson router for the Zyxel P660H and using its built-in firewall, are you saying that we can totally block the asterisk calls? If so, would this also prevent hackers getting access to the phone controls? How easy is the Zyxel to set up, because I don’t want to find that Gradwell support are, well, unsupportive.
    It seems that Yealink phones have a particular vulnerability. I don't know if Snom or others are better but I really have to take action to prevent these continued attacks - I am even considering switching off the router or switch out of office hours.

  • Scottish Broadband Telecom
    happy I’m confident
    Hallo David

    Despite common support for public IPs for VoIP phones (to avoid NAT), for security purposes we would NEVER put anything VoIP on a public, unfiltered and not firewalled IP.
    It's not difficult to configure the phones to use different SIP and RTP ports, and set up the proper port forwards on any router.
    You can then open up pinholes in the firewall to the phones' management interfaces with PAT and source IP filtering (so every phone web GUI is accessible from one, and only one IP - yours, on "obscure" ports).
    Some routers allow you to keep the rule, disabled, on the firewall, and enable it manually when you need it.
    We can help you set this up; our GAP (Gradwell Approved Professional) techs are at your service.
    Give us a call (01738 211211), we can help.