SIP Hacking

The other day I tried to call and got an “All channels busy” message. When I checked the FreePBX dashboard, I saw that between 50 and 80 channels were busy. I called my SIP provider, and they told me that they could only see one channel busy (the one we were talking on), yet my dashboard continued to show me many busy channels. I started the Asterisk CLI and found a lot of activity there. It seems that there is at least one rogue party out there that is probing Asterisk setups for vulnerabilities. I have “allowguest” set to “No”, and from what I got from the SIP provider, there is no real calling going on, but it is annoying to find out that someone is trying to break the system. Here is what I typically see:

-- Executing [971046406820677@from-sip-external:1] NoOp("SIP/myIP-00001aa9", "Received incoming SIP connection from unknown peer to 971046406820677") in new stack
-- Executing [971046406820677@from-sip-external:2] Set("SIP/myIP-00001aa9", "DID=971046406820677") in new stack
-- Executing [971046406820677@from-sip-external:3] Goto("SIP/myIP-00001aa9", "s,1") in new stack
-- Goto (from-sip-external,s,1)
-- Executing [s@from-sip-external:1] GotoIf("SIP/myIP-00001aa9", "0?checklang:noanonymous") in new stack
-- Goto (from-sip-external,s,5)
-- Executing [s@from-sip-external:5] Set("SIP/myIP-00001aa9", "TIMEOUT(absolute)=15") in new stack
Channel will hangup at 2015-06-29 16:10:59.841 MDT.
-- Executing [s@from-sip-external:6] Answer("SIP/myIP-00001aa9", "") in new stack
== Spawn extension (from-sip-external, s, 6) exited non-zero on 'SIP/myIP-00001aa9'
-- Executing [h@from-sip-external:1] Hangup("SIP/myIP-00001aa9", "") in new stack
== Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/myIP-00001aa9'

(I replaced my IP address with “myIP”.)

Is there any danger here? Is there a way to stop this completely? As it is
right now, I am getting one of these every couple of minutes or so.

What does your CDR show for that same time frame?

Thanks for taking a look. I looked at the CDR and it basically says the same thing as the CLI. Here is the CDR entry from one of those tries today. They seem to come every few minutes:

[Jul 1 11:03:38] VERBOSE[26623] pbx.c: -- Executing [7011972595896653@from-sip-external:1] NoOp("SIP/MyIP-00001b67", "Received incoming SIP connection from unknown peer to 7011972595896653") in new stack
[Jul 1 11:03:39] VERBOSE[26623] pbx.c: -- Executing [7011972595896653@from-sip-external:2] Set("SIP/MyIP-00001b67", "DID=7011972595896653") in new stack
[Jul 1 11:03:39] VERBOSE[26623] pbx.c: -- Executing [7011972595896653@from-sip-external:3] Goto("SIP/MyIP-00001b67", "s,1") in new stack
[Jul 1 11:03:39] VERBOSE[26623] pbx.c: -- Goto (from-sip-external,s,1)
[Jul 1 11:03:39] VERBOSE[26623] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/MyIP-00001b67", "0?checklang:noanonymous") in new stack
[Jul 1 11:03:39] VERBOSE[26623] pbx.c: -- Goto (from-sip-external,s,5)
[Jul 1 11:03:39] VERBOSE[26623] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/MyIP-00001b67", "TIMEOUT(absolute)=15") in new stack
[Jul 1 11:03:40] VERBOSE[26623] func_timeout.c: Channel will hangup at 2015-07-01 11:03:55.299 MDT.
[Jul 1 11:03:40] VERBOSE[26623] pbx.c: -- Executing [s@from-sip-external:6] Answer("SIP/MyIP-00001b67", "") in new stack
[Jul 1 11:03:41] VERBOSE[26623] pbx.c: -- Executing [s@from-sip-external:7] Wait("SIP/MyIP-00001b67", "2") in new stack
[Jul 1 11:03:43] VERBOSE[26623] pbx.c: -- Executing [s@from-sip-external:8] Playback("SIP/MyIP-00001b67", "ss-noservice") in new stack
[Jul 1 11:03:44] VERBOSE[26623] file.c: -- <SIP/MyIP-00001b67> Playing 'ss-noservice.ulaw' (language 'en')
[Jul 1 11:03:49] VERBOSE[26623] pbx.c: -- Executing [s@from-sip-external:9] PlayTones("SIP/MyIP-00001b67", "congestion") in new stack
[Jul 1 11:03:49] VERBOSE[26623] pbx.c: -- Executing [s@from-sip-external:10] Congestion("SIP/MyIP-00001b67", "5") in new stack
[Jul 1 11:03:54] VERBOSE[26623] pbx.c: == Spawn extension (from-sip-external, s, 10) exited non-zero on 'SIP/MyIP-00001b67'
[Jul 1 11:03:54] VERBOSE[26623] pbx.c: -- Executing [h@from-sip-external:1] Hangup("SIP/MyIP-00001b67", "") in new stack
[Jul 1 11:03:54] VERBOSE[26623] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/MyIP-00001b67'
[Jul 1 11:04:00] WARNING[2750] chan_sip.c: Maximum retries exceeded on transmission a6058a0a595723385dc6c47d27376b19 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions

Again, I replaced my IP with “MyIP”.

Mike
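The log entries Mike quotes are the useful signal here: every anonymous probe enters the from-sip-external context with a NoOp line naming the dialled number, and the retransmission warning at the end shows the far side never completed the call. The following is an added example, not code from the thread or from FreePBX or Asterisk, that parses lines in the format of the Asterisk "full" log and summarises how often unknown-peer hits arrive, what numbers they dial and how many retransmission warnings accompany them, so an operator can size the problem before deciding on firewall rules. The sample lines are constructed (modelled on the quoted entries, IP replaced by MyIP as in the post), the year is assumed because the log stamps omit it, and the regex assumes the stock line layout shown in the post.

```python
import re
from datetime import datetime

# Constructed sample in the layout of /var/log/asterisk/full, modelled on the
# entries quoted in the thread. The last line is a normal internal call and
# must NOT be counted as a probe.
SAMPLE_LOG = """\
[Jul 1 11:03:38] VERBOSE[26623] pbx.c: -- Executing [7011972595896653@from-sip-external:1] NoOp("SIP/MyIP-00001b67", "Received incoming SIP connection from unknown peer to 7011972595896653") in new stack
[Jul 1 11:03:39] VERBOSE[26623] pbx.c: -- Executing [7011972595896653@from-sip-external:2] Set("SIP/MyIP-00001b67", "DID=7011972595896653") in new stack
[Jul 1 11:04:00] WARNING[2750] chan_sip.c: Maximum retries exceeded on transmission a6058a0a595723385dc6c47d27376b19 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
[Jul 1 11:14:02] VERBOSE[26623] pbx.c: -- Executing [0119725958966530@from-sip-external:1] NoOp("SIP/MyIP-00001b70", "Received incoming SIP connection from unknown peer to 0119725958966530") in new stack
[Jul 1 11:15:10] VERBOSE[26623] pbx.c: -- Executing [2001@from-internal:1] Dial("SIP/2001-00001b71", "SIP/2002,20") in new stack
"""

# Priority 1 of from-sip-external for an anonymous caller: the dialled number
# appears both as the extension and inside the NoOp text, so we require both
# to agree (?P=did) to avoid matching unrelated NoOp lines.
UNKNOWN_PEER_RE = re.compile(
    r'^\[(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\] VERBOSE\[\d+\] pbx\.c: -- Executing '
    r'\[(?P<did>[^@]+)@from-sip-external:1\] NoOp\("(?P<chan>[^"]+)", '
    r'"Received incoming SIP connection from unknown peer to (?P=did)"\)'
)
# chan_sip gives up on a transaction after its retry limit; for a probe this
# usually means the sender never acknowledged our response.
RETRANS_RE = re.compile(r'WARNING\[\d+\] chan_sip\.c: Maximum retries exceeded')


def parse_unknown_peer_hits(log_text, year=2015):
    """Return one record per anonymous inbound hit: time, dialled number, channel.

    `year` is an assumption: the Asterisk log stamp carries no year.
    """
    hits = []
    for line in log_text.splitlines():
        m = UNKNOWN_PEER_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits.append({"time": ts, "did": m["did"], "channel": m["chan"]})
    return hits


def count_retransmission_warnings(log_text):
    """Number of 'Maximum retries exceeded' warnings in the log text."""
    return sum(1 for line in log_text.splitlines() if RETRANS_RE.search(line))


def summarize(log_text, year=2015):
    """Aggregate the probe activity so it can be compared against the CDR.

    mean_gap_seconds is None when fewer than two hits are present.
    """
    hits = parse_unknown_peer_hits(log_text, year)
    gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(hits, hits[1:])]
    return {
        "hits": len(hits),
        "distinct_dids": len({h["did"] for h in hits}),
        "distinct_channels": len({h["channel"] for h in hits}),
        "mean_gap_seconds": sum(gaps) / len(gaps) if gaps else None,
        "retransmission_warnings": count_retransmission_warnings(log_text),
    }


if __name__ == "__main__":
    for hit in parse_unknown_peer_hits(SAMPLE_LOG):
        print(hit["time"].isoformat(), hit["did"], hit["channel"])
    print(summarize(SAMPLE_LOG))
```

Run it against the real file with `summarize(open("/var/log/asterisk/full").read())`; on a 433 MB log you would stream line by line instead of reading it whole, but the regexes and the per-line logic are the same. The mean gap between hits is the figure to compare with the "every couple of minutes" observation, and a hit count far above the CDR's answered calls confirms that these are unanswered probes rather than billable traffic.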

Oh, and just to give you an impression:

The “full.1” CDR from Jun 28 (I suppose that is 7 days worth of CDR), is 433 MB. I can’t even open it…

And the next attempt came in at 11:14, with a different “DID”, but the same results.

Ok, I took a couple of hours and played with my firewall. After closing a couple of ports which I thought were required for Asterisk, the attacks stopped. So, it was definitely a firewall-related issue.