Anonymous calls

duong_dajgja · August 29, 2014, 3:45pm

I recently found out some ‘anonymous calls’ appearing on my Asterisk box. It has appeared since yesterday.
When I checked my Asterisk logs by command ‘asterisk -vvvvvvvr’, I saw lot of strange logs like this:

  == Using SIP RTP TOS bits 184
  == Using SIP RTP CoS mark 5
    -- Executing [900972595117934@from-sip-external:1] NoOp("SIP/203.250.x.x-0000003c", "Received incoming SIP connection from unknown peer to 900972595117934") in new stack
    -- Executing [900972595117934@from-sip-external:2] Set("SIP/203.250.x.x-0000003c", "DID=900972595117934") in new stack
    -- Executing [900972595117934@from-sip-external:3] Goto("SIP/203.250.x.x-0000003c", "s,1") in new stack
    -- Goto (from-sip-external,s,1)
    -- Executing [s@from-sip-external:1] GotoIf("SIP/203.250.x.x-0000003c", "0?checklang:noanonymous") in new stack
    -- Goto (from-sip-external,s,5)
    -- Executing [s@from-sip-external:5] Set("SIP/203.250.x.x-0000003c", "TIMEOUT(absolute)=15") in new stack
    -- Channel will hangup at 2014-08-30 00:07:33.818 UTC.
    -- Executing [s@from-sip-external:6] Log("SIP/203.250.x.x-0000003c", "WARNING,"Rejecting unknown SIP connection from 23.95.12.226"") in new stack
[2014-08-30 00:07:18] WARNING[15290][C-0000025e]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 23.95.12.226"
    -- Executing [s@from-sip-external:7] Answer("SIP/203.250.x.x-0000003c", "") in new stack
    -- Executing [s@from-sip-external:8] Wait("SIP/203.250.x.x-0000003c", "2") in new stack
    -- Executing [s@from-sip-external:9] Playback("SIP/203.250.x.x-0000003c", "ss-noservice") in new stack
    -- <SIP/203.250.x.x-0000003c> Playing 'ss-noservice.ulaw' (language 'en')
    -- Executing [s@from-sip-external:10] PlayTones("SIP/203.250.x.x-0000003c", "congestion") in new stack
    -- Executing [s@from-sip-external:11] Congestion("SIP/203.250.x.x-0000003c", "5") in new stack
  == Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/203.250.x.x-0000003c'
    -- Executing [h@from-sip-external:1] Hangup("SIP/203.250.x.x-0000003c", "") in new stack
  == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/203.250.x.x-0000003c'
[2014-08-30 00:07:50] WARNING[1870]: chan_sip.c:4169 retrans_pkt: Retransmission timeout reached on transmission 22ca7e32a4ba2b1b241ea89f66497b6a for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions

I’m sure at that time, there was no incoming calls to my Asterisk.
After that, I checked CDRs records, I saw many strange caller number (except 01023943787 in below image):

Could anyone give me some explains?

jfinstrom · August 29, 2014, 3:54pm

It is possible you are being scanned. You may consider a solution like fail2ban

duong_dajgja · August 29, 2014, 4:09pm

Maybe you’re right. I checked the IP 23.95.12.226 (source of the SIP connections), it’s in USA (so far from Korea).

dicko · August 29, 2014, 5:27pm

Well, although the server might be in the US, I’m pretty sure that the owner is from Palestine from the numbers they are trying to complete to, it was all too easy to geo-fence such attacks (including the ongoing onslaught from one of your close neighbours) but they all moved their servers to Europe and the States ( and South Korea) to hide their activities. Personally I have my firewall block colocation companies like OVH and colocrossing as I notice the attacks, as I am pretty sure no legitimate voip traffic will ever come from any of them. and yes indeed 23.94.0.0/15 is on my list. as is coincidentally 203.250.0.0/16 so I must have tracked malicious traffic form KREONet in the past also.

duong_dajgja · August 31, 2014, 3:38am

Update:
After going through many search results, I changed ‘Allow SIP Guests’ and ‘Allow Anonymous Inbound SIP Calls’ under Settings -> Asterisk SIP Settings to disabled. Now I’m not seeing any more ‘anonymous’ calls in CDRs records. Anyway, I will consider some more things such fail2ban, or others.

deanot26508 · September 3, 2014, 12:53am

I closed the following ports on my system, 5060 and 5061. I do not use extensions outside of my local network, so the above ports was not required for me. I have not been scanned or attempted hacks since doing this. My FREEPBX works great and I am very happy with the system, just wish I could dispose of all the spammers, but that would be no fun would it.

dicko · September 3, 2014, 1:15am

I suggest a better way, don’t open them in the first place just use alternatives, chosen randomly out of 63K odd reasonable choices, then you can still have extensions outside your network that many people would actually like to have and if you have a reasonably facile firewall (or two) you probably just wont get effed either, the kiddie scripts mostly just look at 5060-5080 (tcp/udp) if you don’t answer the door they just move on, a decent firewall would notice a scan even before they got to 5080.