Phantom Voip Calls

VOIP setup and troubleshooting
Post Reply
monarols
Posts: 42
Joined: Thu Nov 22, 2007 8:28 pm
Location: Perth

Phantom Voip Calls

Post by monarols » Sun Dec 14, 2014 9:32 pm

Hi there. I am an exetel customer, but I am posting this on behalf of my friend (also an exetel customer) His modem recently got spiked, and damaged the Voip part of his modem, so he decided to get another Voip modem (Netgear DVG 1000)

I have set this up for him, and ADSL is working fine and he can use the voip phone to make outgoing, but he cant receive any incoming, unless I dial his Voip Number from another phone.

I have noticed that this modem has no FXO? port so from the ADSL splitter we have a cable runnning to the ADSL port on the modem and a line from the phone to the line in on the modem. (The Phone port on the splitter is not used)

Modem setup and hookup http://www.dodo.com/top-right-navigatio ... tup-guide/

It would appear then that this modem is connected directly to the net?

When connected up, as illustrated in the user guide, the problem he is having is that the phone randomly rings at all hours of the day and night so we have had to unplug it. We have hooked up a standard telstra PSTN phone directly to the phone port on the splitter (bypassing the VoIP function) until we can find out why this is happening. We didnt have this issue with his old one, but that did have an FXO? port

This is the settings I have put in to his VoIP:

SIP Proxy 58.96.1.2
SIP Control Port 5060
Outbound Proxy Address 58.96.1.2
Outbound Proxy Port 5060
SIP Registrar 58.96.1.2
SIP Registrar Port 5060

He registers OK (Up) and is showing as "Idle" on the VoIP status page

I have been reading up a bit on this and some folks say to change the Port number to something like 9020, but not sure which one to change and if exetel even advise this.

I can supply the users VoIP number and account name if requested

Thanks, Chris Morgan

Thanks for any help

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Phantom Voip Calls

Post by Dazzled » Sun Dec 14, 2014 10:15 pm

I haven't been able to find a user manual or data for this device, but it appears to be a VoIP only device, so you won't be able to dial in, except on the VoIP number. The phantom rings are caused by a VoIP packet coming in on port 5060, but if you can ring in, it would appear to be registered to the correct number. Have you looked at the device logs? VoIP events are logged in most routers.

Did it occur before? Some forms of port scan will ring the phone.

monarols
Posts: 42
Joined: Thu Nov 22, 2007 8:28 pm
Location: Perth

Re: Phantom Voip Calls

Post by monarols » Sun Dec 14, 2014 10:46 pm

Hi Dazzeled and thanks for your speedy reply.

No this has only started happening since we changed modem/router. We had a thunderstorm here in Perth a while back and his voIP just died, no dialtone nothing. His service was still payed up and active, so I spent quite some time trying to figure it out and came to the conclusion that the phone line must have been spiked and it damaged the Billions VoIP circutry (No VoIP light ot line light showed up on the front).

Anyway, I checked the logs, but there dosn't appear to be any for the VoIP section, only the General log, some of which is shown below which I'd suspect wouldnt affect the ringing part:
[admin login] from source 192.168.0.2, Sunday, December 14,2014 16:09:12
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 16:09:04
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 16:04:19
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 15:59:34
[DoS attack: WinNuke Attack ] from source: 91.192.110.217:0, Sunday, December 14,2014 15:59:00
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 15:54:50
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 15:50:04
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 15:45:19
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 15:40:34
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 15:35:44
[DoS attack: ACK Scan ] from source: 185.21.134.10:80, Sunday, December 14,2014 15:30:27
[DoS attack: ACK Scan ] from source: 122.150.74.100:55508, Sunday, December 14,2014 15:22:44
[DoS attack: ACK Scan ] from source: 122.150.74.100:55508, Sunday, December 14,2014 15:22:15
[DoS attack: ACK Scan ] from source: 122.150.74.100:55508, Sunday, December 14,2014 15:21:45
[DoS attack: ACK Scan ] from source: 122.150.74.100:55508, Sunday, December 14,2014 15:21:16
[DoS attack: ACK Scan ] from source: 122.150.74.100:55508, Sunday, December 14,2014 15:20:47
[DoS attack: ACK Scan ] from source: 122.150.74.100:55508, Sunday, December 14,2014 15:20:16
[DoS attack: ACK Scan ] from source: 122.150.74.100:55508, Sunday, December 14,2014 15:19:47
[DoS attack: ACK Scan ] from source: 122.150.74.100:55508, Sunday, December 14,2014 15:18:42
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 15:16:44
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 15:11:59
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 15:07:14
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 14:57:44
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 14:52:59
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 14:48:19
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 14:43:34
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 14:38:49
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 14:34:04
[DoS attack: ACK Scan ] from source: 185.21.134.10:80, Sunday, December 14,2014 14:31:49
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 14:24:29
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 14:19:44
[DoS attack: ACK Scan ] from source: 54.231.244.0:443, Sunday, December 14,2014 14:16:37
[DoS attack: ACK Scan ] from source: 173.241.248.220:80, Sunday, December 14,2014 14:16:05
[DoS attack: ACK Scan ] from source: 173.241.248.220:80, Sunday, December 14,2014 14:15:35
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 14:14:59
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 14:10:14
[DoS attack: ACK Scan ] from source: 185.21.134.10:80, Sunday, December 14,2014 14:09:05
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 14:05:28
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 14:00:43
[DoS attack: ACK Scan ] from source: 185.21.134.10:80, Sunday, December 14,2014 13:59:43
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 13:55:58
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 13:51:13
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 13:46:29
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 13:41:44
[DoS attack: ACK Scan ] from source: 74.206.224.234:80, Sunday, December 14,2014 13:37:00
[Time synchronized with NTP server time-g.netgear.com] Sunday, December 14,2014 13:36:50

Maybe its just some program randomly scanning the 5060 port. Can this port number be changed? I have read that once changed, the phantom calls drop off a lot/altogether (Sadly there is a volume ctrl on the phone, but it dosnt' turn down the ring volume), otherwise, I'd just use that, LoL

Yes literature is sparse for these. The link I gave above was all I could find. I was hoping that you could maybe setup the modem to reject SIP requests from anything EXCEPT the registration server, but dont know how to configure the firewall/service or whether it can be done at all?

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Phantom Voip Calls

Post by Dazzled » Mon Dec 15, 2014 11:59 am

Your log level is only showing rejected connections - it isn't low enough to pick up VoIP activity. I have no manual, so can't advise on the setting. A VoIP packet sent to port 5060 won't be rejected by the router, and won't be logged at this level.

What you have picked up is the usual random stuff and what is probably normal use. One group may be a torrent, and another is a video provider, both of which the machine may have been connected to.

There's a stats collector.
$ host 185.21.134.10
10.134.21.185.in-addr.arpa domain name pointer stats.crocus.arvixe.com.

Port 0 is reserved.
$ host 91.192.110.217
217.110.192.91.in-addr.arpa domain name pointer 217-110.furanet.com.

Port 443 is https, the IP is a cloud server.
$ host 54.231.244.0
0.244.231.54.in-addr.arpa domain name pointer s3-2.amazonaws.com.


The usual iptables (firewall) rule for port 5060 in routers with built-in VoIP is:
ACCEPT udp -- ppp_8_35_1 any anywhere anywhere udp dpt:5060

Post Reply