Weird Voip calls.

thomashouseman
Posts: 750
Joined: Thu Mar 18, 2004 12:06 pm
Location: Toongabbie

Weird Voip calls.

Post by thomashouseman » Sun Mar 17, 2013 7:45 pm

I've been getting weird voip calls recently at random intervals.

I just got one at 7:41pm from "sipvicious" ext 100.
another on the 16th/3 1:23pm from ext. 1001
another 16/3 8:50am ext 101.

etc.

I've had Exetel voip for a good few years now and have never had this many randoms before.

Can Exetel please advise/investigate?

Thanks,

T.

anurangaf
Exetel Staff
Posts: 152
Joined: Tue Jul 06, 2010 11:35 am
Location: Australia

Re: Weird Voip calls.

Post by anurangaf » Sun Mar 17, 2013 8:03 pm

thomashouseman wrote:I've been getting weird voip calls recently at random intervals.

I just got one at 7:41pm from "sipvicious" ext 100.
another on the 16th/3 1:23pm from ext. 1001
another 16/3 8:50am ext 101.

etc.

I've had Exetel voip for a good few years now and have never had this many randoms before.

Can Exetel please advise/investigate?

Thanks,

T.

Hi,

We will investigate on our end and will get back to you.

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Weird Voip calls.

Post by Dazzled » Sun Mar 17, 2013 8:56 pm

Ahhhh - script kiddies again. You might like to look at viewtopic.php?f=58&t=39757&p=302457. It's a VoIP scanner.

You can get the code for a good look at http://code.google.com/p/sipvicious/

They can find your service in a jiffy by scanning for port 5060 - trivial with things like nmap. A sipvicious scan comes next. Check the modem logs to see if you can locate the sods, and perhaps block them.

thomashouseman
Posts: 750
Joined: Thu Mar 18, 2004 12:06 pm
Location: Toongabbie

Re: Weird Voip calls.

Post by thomashouseman » Mon Mar 18, 2013 8:19 am

Ahh, No modem logs avail. It's in bridge mode as I couldn't get VOIP working properly without having my Netcomm V220 ATA doing the pppoe authentication.
Still, shouldn't the ATA only be accepting VOIP connections from Exetel's VOIP server? Don't tell me Exetel are allowing script kiddies free rein over their VOIP servers?

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Weird Voip calls.

Post by Dazzled » Mon Mar 18, 2013 8:54 am

They aren't entering Exetel servers; they are going direct to your IP address and through to the listening ATA function of the V220 you are using as a router. They are primarily interested in compromising PBX setups, like poorly configured Asterisk boxes. The documentation here - https://github.com/pwnieexpress/Pwnplug ... sipvicious summarises what this package can do.

thomashouseman
Posts: 750
Joined: Thu Mar 18, 2004 12:06 pm
Location: Toongabbie

Re: Weird Voip calls.

Post by thomashouseman » Mon Mar 18, 2013 9:14 am

So it's a netcomm product fault accepting any request rather than only requests from the registered voip server or is that not how voip works?

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Weird Voip calls.

Post by Dazzled » Mon Mar 18, 2013 9:43 am

There's nothing wrong with your hardware. You can read about SIP at http://en.wikipedia.org/wiki/Session_In ... n_Protocol but put simply, your phone calls, so far as audio is concerned, are computer to computer directly. Modem firewalls prevent the initiation of direct contact (the iptables connection has to be in states RELATED,ESTABLISHED) so an intermediate Exetel server you have first connected to is used to set up an exchange of handshakes to and from both parties that allows the calls.

There is nothing to stop a direct approach to your ATA router by someone who would likely prefer to find an Asterisk computer there.

thomashouseman
Posts: 750
Joined: Thu Mar 18, 2004 12:06 pm
Location: Toongabbie

Re: Weird Voip calls.

Post by thomashouseman » Mon Mar 18, 2013 10:33 am

So there is no easy way I can stop being woken up at night? I don't want to have to turn the ATA off every night... Hopefully Exetel can do something about it.

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Weird Voip calls.

Post by Dazzled » Mon Mar 18, 2013 10:58 am

Like I said, anyone can create a packet and send it your way, including one that spoofs the phone into ringing. The previous references gave the how-tos. You need a firewall that can block these pests. Either put your modem's router function back and use the V220 as one of its DHCP clients (http://media.netcomm.com.au/public/asse ... Exetel.pdf), or see if you can firewall the V220 (telnet interface, i.e. see what happens if your command is iptables -L), but you'll need to know an IP range to block first.

thomashouseman
Posts: 750
Joined: Thu Mar 18, 2004 12:06 pm
Location: Toongabbie

Re: Weird Voip calls.

Post by thomashouseman » Mon Jul 06, 2015 7:47 pm

Is there a way to block all port 5060 stuff except from Exetel's voip server? How would I write a router firewall rule for that?
Actually, instead of port forwarding to my voip ATA, if I set up port triggering instead will that limit the script kiddies but still allow voip to function okay?

Thanks,

T.

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Weird Voip calls.

Post by Dazzled » Mon Jul 06, 2015 9:51 pm

What do you know about iptables and rule chaining? To see the router or ATA firewall, on the telnet interface use the command iptables -L -v to get the firewall. Note the port forward rule which will allow anywhere as source. It needs the -s iptables argument to make the only forwarded source UDP 58.96.1.2. Whatever you do on a commercial device will be wiped on reboot unless part of the saved config, so check first if you can restrict source on the port forward browser menu.

The permanent ways are to install your own router firmware or run one of the gateway Linux setups behind a bridged modem.
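
Added example, not part of Dazzled's post or any Exetel or NetComm documentation: the source-restricted port forward described above, as a script that prints the iptables rules for review before anything is applied. The ATA address 192.168.1.50 and the WAN interface ppp0 are assumptions; 58.96.1.2 is the source address quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): restrict forwarded SIP signalling to the
# provider's server. Rules are only printed unless APPLY=1 is set.

PROVIDER_IP="58.96.1.2"   # source address given in the post above
ATA_IP="192.168.1.50"     # assumption: LAN address of the ATA
WAN_IF="ppp0"             # assumption: router's WAN interface
SIP_PORT=5060

# Accept only a dotted-quad IPv4 address so nothing else reaches the rule text.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Emit the rules: the DNAT and the FORWARD accept both carry -s, and any other
# UDP packet forwarded to the ATA's SIP port is dropped. -I places the FORWARD
# rules ahead of the firmware's own forward rule, which allows any source.
# Only port 5060 is filtered; RTP audio ports are not touched.
sip_rules() {
    provider=$1 ata=$2 wan=$3
    valid_ipv4 "$provider" && valid_ipv4 "$ata" || return 1
    cat <<EOF
iptables -t nat -I PREROUTING 1 -i $wan -p udp -s $provider --dport $SIP_PORT -j DNAT --to-destination $ata:$SIP_PORT
iptables -I FORWARD 1 -i $wan -p udp -s $provider -d $ata --dport $SIP_PORT -j ACCEPT
iptables -I FORWARD 2 -i $wan -p udp -d $ata --dport $SIP_PORT -j DROP
EOF
}

# Review the output first; APPLY=1 runs it (root needed, lost on reboot unless saved).
if [ "${APPLY:-0}" = 1 ]; then
    sip_rules "$PROVIDER_IP" "$ATA_IP" "$WAN_IF" | sh
else
    sip_rules "$PROVIDER_IP" "$ATA_IP" "$WAN_IF"
fi
```

Compare the result with iptables -L -v and iptables -t nat -L -v afterwards: packet counters on the DROP rule show how often the port is being probed.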

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Weird Voip calls.

Post by Dazzled » Tue Jul 07, 2015 9:54 am

I had a look at my current modem-router this morning. Here is why these commercial firmwares won't hold some config changes permanently. The firmware in the compressed file system is mounted read only, and loads into memory at start, together with the config that only contains the maker's settings. The temporary file system is wiped out of memory at power off.

Code:

> echo ; exec /bin/sh
#df
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/mtdblock0            2944      2944         0 100% /
tmpfs                      320       244        76  76% /var
#
# mount
/dev/mtdblock0 on / type squashfs (ro)
/proc on /proc type proc (rw,nodiratime)
tmpfs on /var type tmpfs (rw)

To see what config data is stored permanently, the usual command is dumpcfg.

dsc68
Posts: 110
Joined: Tue Jan 03, 2006 5:01 pm
Location: Lower Beechmont, Qld

Re: Weird Voip calls.

Post by dsc68 » Thu Jul 09, 2015 11:13 am

thomashouseman wrote:So it's a netcomm product fault accepting any request rather than only requests from the registered voip server or is that not how voip works?

VoIP is essentially a peer to peer system that is usually configured to behave like a client server system. When your ATA registers with the Exetel server it is basically saying 'if you get a call for this number, please forward it to me'. Your ATA will basically accept all incoming calls from anywhere.

The dial plan in your ATA forwards all PSTN calls to the Exetel server by default but there is nothing stopping it contacting other VoIP nodes directly. In fact on some ATAs you can dial a SIP address to make a direct ATA-ATA call without going through (or being charged by) a third party VoIP provider.

As Dazzled mentioned, you need a firewall rule to restrict access of port 5060 to and from the Exetel server only. Unfortunately the V220 doesn't have a firewall feature built in.

thomashouseman
Posts: 750
Joined: Thu Mar 18, 2004 12:06 pm
Location: Toongabbie

Re: Weird Voip calls.

Post by thomashouseman » Mon Jul 13, 2015 12:27 pm

Well after much playing around, it seems port triggering was the answer. This blocks all random inbounds and the voip keepalive I'm assuming keeps it open for legit calls from Exetel's VOIP server.

T.

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Weird Voip calls.

Post by Dazzled » Mon Jul 13, 2015 1:29 pm

That's the case. You are relying on the triggered connection staying alive for longer than the ATA's next contact with Exetel. The time is router dependent, so you have got what's needed.
