Unwanted hardware reboots of Sipura SPA3102 (spa-3102)

gragre
Posts: 13
Joined: Sat Aug 05, 2006 1:40 pm

Unwanted hardware reboots of Sipura SPA3102 (spa-3102)

Post by gragre » Fri Oct 12, 2012 12:42 pm

Linksys sipura spa3102 ATA.

For a couple of years it's been suffering regular unasked-for full hardware reboots, several times in a row at random intervals (for instance every day at roughly the same time, for several days in a row, maybe every month or so).

Started logging with slogsrv.exe via instructions https://supportforums.cisco.com/docs/DOC-9862

Log reads " reboot reason:H737202d1 "

This other Cisco support page https://supportforums.cisco.com/docs/DOC-13555 suggests the cause may be a DoS denial of service attack and offers a solution via the SIP Setting "Restrict Source IP" to "Yes" on the relevant Line 1 or PSTN Line page.
I've done this and we'll now see.

For the record the IP that appears in my log file as precipitating this problem is 177.85.101.54 (may they rot in hell if this is a deliberate attack rather than just a screw-up).

Any further light would be welcome!

Dazzled
Volunteer Site Admin
Posts: 6002
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Unwanted hardware reboots of Sipura SPA3102 (spa-3102)

Post by Dazzled » Fri Oct 12, 2012 1:13 pm

0x737202d1 out of memory. Perhaps drop the mischievous South American at the modem/router firewall? I presume he's bothering you on port 1050.

gragre
Posts: 13
Joined: Sat Aug 05, 2006 1:40 pm

Re: Unwanted hardware reboots of Sipura SPA3102 (spa-3102)

Post by gragre » Fri Oct 12, 2012 3:26 pm

Cisco sounds so confident I think for the moment I'll try just their simple remedy.

The SPA syslog though looks like
...

[0]<<177.85.101.54:5128(437)
[0]<<177.85.101.54:5128(437)
ACK sip:no pssword@220.233.XX.XXX SIP/2.0
Via: SIP/2.0/UDP 177.85.101.54:5128;branch=z9hG4bK-3700762745;rport
Content-Length: 0
From: "no pssword"<sip:no pssword@220.233.XX.XXX>; tag=6e6f20707373776f72640133303339383732333538
Accept: application/sdp
User-Agent: friendly-scanner
To: "no pssword"<sip:no pssword@220.233.XX.XXX>
Contact: sip:no pssword@220.233.XX.XXX
CSeq: 1 REGISTER ACK
Call-ID: 1162690083
Max-Forwards: 70


[0]<<177.85.101.54:5128(390)
[0]<<177.85.101.54:5128(390)
REGISTER sip:4450@220.233.XX.XXX SIP/2.0
Via: SIP/2.0/UDP 177.85.101.54:5128;branch=z9hG4bK-1790727844;rport
Content-Length: 0
From: "4450"<sip:4450@220.233.XX.XXX>; tag=343435300131363835363933313739
Accept: application/sdp
User-Agent: friendly-scanner
To: "4450"<sip:4450@220.233.XX.XXX>
Contact: sip:4450@220.233.XX.XXX
CSeq: 1 REGISTER
Call-ID: 2205592374
Max-Forwards: 70


System started: ip@192.168.1.6, reboot reason:H737202d1
System started: ip@192.168.1.6, reboot reason:H737202d1
subnet mask: 255.255.255.0
gateway ip: 192.168.1.254
dns servers(1): 192.168.1.254
IDBG: st-0
YM:ERR:AuthServerNotConfig
YM:ERR:AuthServerNotConfig
YM:ERR:AuthServerNotConfig
YM:ERR:AuthServerNotConfig
[0]Reg Addr Change(0) 0:0->3a600102:5060
[0]Reg Addr Change(0) 0:0->3a600102:5060
[0]->58.96.1.2:5060(533)
[0]->58.96.1.2:5060(533)
REGISTER sip:sip1.exetel.com.au SIP/2.0
Via: SIP/2.0/UDP 192.168.1.6:5060;branch=z9hG4bK-8f7610a7
From: 02800XXXXX <sip:02800XXXXX@sip1.exetel.com.au>;tag=ec5dd5082d962201o0
To: 02800XXXXX <sip:02800XXXXX@sip1.exetel.com.au>
Call-ID: 1bf07f0d-f86d7709@192.168.1.6
CSeq: 32574 REGISTER
Max-Forwards: 70
Contact: 02800XXXXX <sip:02800XXXXX@192.168.1.6:5060>;expires=36000
User-Agent: Linksys/SPA3102-5.1.10(GW)
Content-Length: 0
Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER
Supported: x-sipura, replaces

........

I don't know how to interpret it but the full log contains gazillions of repetitions of the first two blocks, with different variants of supposed SIP clients at my own ip address 220.233.XX.XXX as both the apparent "From" and "To" of the SIP request, before the SPA reboots itself with that " reason:H737202d1 " code which Cisco says is memory overflow prob due to a DoS attack.

Dazzled
Volunteer Site Admin
Posts: 6002
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Unwanted hardware reboots of Sipura SPA3102 (spa-3102)

Post by Dazzled » Fri Oct 12, 2012 3:43 pm

At a quick glance that has the look of SIPVicious, a tool that is popular with script kiddies to attack poorly secured VoIP systems. You really need to block it before it gets near the ATA.

Anyway, have a look at http://www.onsip.com/blog/2011/11/15/do ... pt-kiddies and similar sites.

Asterisk boxes are a popular target for these pests. They can easily find a listening device with tools like nmap and hping. This bloke fixed it for an Asterisk box - https://jcs.org/notaweblog/2010/04/11/p ... _sip_flood, but he had a computer in front. The simple thing is to ban the IP in your router.
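
One way to pull router block-list candidates out of an SPA syslog like the one posted earlier in this thread, as an added example that is not part of any poster's message: it counts inbound SIP requests per source IP and flags senders announcing the friendly-scanner User-Agent seen in that log. The sample log is constructed with documentation-range addresses; the function names and the flood_threshold default are assumptions.

```python
import re

# Constructed sample in the SPA syslog layout from this thread (documentation-range IPs).
SAMPLE_LOG = """\
[0]<<203.0.113.7:5128(390)
[0]<<203.0.113.7:5128(390)
REGISTER sip:4450@198.51.100.20 SIP/2.0
User-Agent: friendly-scanner

[0]<<203.0.113.7:5128(437)
[0]<<203.0.113.7:5128(437)
ACK sip:no pssword@198.51.100.20 SIP/2.0
User-Agent: friendly-scanner

[0]<<192.0.2.10:5060(310)
[0]<<192.0.2.10:5060(310)
OPTIONS sip:02800XXXXX@192.168.1.6:5060 SIP/2.0
User-Agent: ExampleProxy

[0]->192.0.2.10:5060(533)
[0]->192.0.2.10:5060(533)
REGISTER sip:sip.example.net SIP/2.0
User-Agent: Linksys/SPA3102-5.1.10(GW)
"""

INBOUND = re.compile(r"^\[\d+\]<<(\d{1,3}(?:\.\d{1,3}){3}):\d+\(\d+\)$")
OUTBOUND = re.compile(r"^\[\d+\]->")
# ".+" rather than "\S+": the scanner's request URIs can contain spaces.
REQUEST = re.compile(r"^[A-Z]+ sip:.+ SIP/2\.0$")
USER_AGENT = re.compile(r"^User-Agent:\s*(.+)$", re.IGNORECASE)

def summarize_inbound(log_text):
    """Count inbound SIP requests and collect User-Agents per source IP."""
    stats, src = {}, None
    for line in map(str.strip, log_text.splitlines()):
        if (m := INBOUND.match(line)):
            src = m.group(1)              # later lines belong to this sender
        elif OUTBOUND.match(line):
            src = None                    # the ATA's own traffic is not counted
        elif src and REQUEST.match(line):
            stats.setdefault(src, {"requests": 0, "agents": set()})["requests"] += 1
        elif src and (m := USER_AGENT.match(line)) and src in stats:
            stats[src]["agents"].add(m.group(1))
    return stats

def block_candidates(log_text, scanner_agents=("friendly-scanner",), flood_threshold=20):
    """Source IPs that announce a scanner User-Agent or reach flood_threshold requests."""
    return sorted(ip for ip, s in summarize_inbound(log_text).items()
                  if s["agents"] & set(scanner_agents) or s["requests"] >= flood_threshold)
```

The User-Agent check only catches scanners left on their default string, so the per-source request count is the more durable signal.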

gragre
Posts: 13
Joined: Sat Aug 05, 2006 1:40 pm

Re: Unwanted hardware reboots of Sipura SPA3102 (spa-3102)

Post by gragre » Fri Oct 12, 2012 6:11 pm

That looks like it, doesn't it - tnx.
I've turned up this little router's logging to "debug" mode and have the SPA's syslog running. If the same IP turns up again with the same flooding attack I'll blacklist it certainly but I'm also now a bit interested to see whether the simple Cisco fix at the ATA level will work. Interesting that the attack against my system consists of a burst lasting only a minute or two once per day where other reports complain of sustained drains of serious amounts of bandwidth.
Let's hope the pest tries again tomorrow so I can report back; tnx.

gragre
Posts: 13
Joined: Sat Aug 05, 2006 1:40 pm

Re: Unwanted hardware reboots of Sipura SPA3102 (spa-3102)

Post by gragre » Tue Oct 16, 2012 6:39 pm

Update:
Four days later there've been no further problems beyond the usual background level of port probings and attempted intrusions (about one every 5 to 10 minutes on average throughout the day). No sign of trouble in the ATA log. No hits at all from 177.85.101.54 (or nearby).

Dazzled
Volunteer Site Admin
Posts: 6002
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Unwanted hardware reboots of Sipura SPA3102 (spa-3102)

Post by Dazzled » Tue Oct 16, 2012 9:51 pm

Good. Thanks for the update, it's good to have feedback, in case the pest picks on another user.
