Wondering if anyone else has seen this before. I have quite a few 0-second and 1-second duration calls from Source IDs that I don't recognize. Each call has a disposition of ANSWERED or WAITING but only lasts 0:00 secs or 0:01 secs.
The Source IDs seem to be random, but I have a fair number of them that are labeled 1000 or 2000.
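The pattern described above (very short ANSWERED/WAITING calls from source IDs that are not real extensions) is easy to pull out of the Asterisk CDR. The following is an added example, not code from the original thread; it uses a constructed CSV with a header naming the CDR columns it reads, and assumes a hypothetical set of known extensions (201, 202, 203) that you would replace with your own. It groups the suspicious calls by the peer address embedded in the channel name, so repeated probing from one source stands out.

```python
import csv
import io
from collections import Counter

# Constructed sample CDR rows (not real data). Column names follow the usual
# Asterisk CDR fields; channel carries the SIP peer or address the call came from.
SAMPLE_CDR = """\
src,dst,start,duration,billsec,disposition,channel
1000,s,2023-01-01 03:14:01,0,0,ANSWERED,SIP/203.0.113.7-00000001
2000,s,2023-01-01 03:14:02,1,1,ANSWERED,SIP/203.0.113.7-00000002
100,s,2023-01-01 03:15:10,1,0,WAITING,SIP/198.51.100.9-00000003
201,202,2023-01-01 09:00:00,95,90,ANSWERED,SIP/201-00000004
4458,s,2023-01-01 03:16:00,0,0,ANSWERED,SIP/203.0.113.7-00000005
"""

# Assumption: these are the PBX's real extensions; anything else as a caller is suspect.
KNOWN_EXTENSIONS = {"201", "202", "203"}


def peer_ip(channel):
    """Return the peer name or address from a channel like SIP/203.0.113.7-00000001."""
    name = channel.split("/", 1)[1] if "/" in channel else channel
    return name.rsplit("-", 1)[0]


def flag_probe_calls(cdr_text, known=KNOWN_EXTENSIONS, max_billsec=1):
    """Return calls that look like scanner probes: not from a known extension,
    marked ANSWERED or WAITING, and with billsec of at most max_billsec."""
    reader = csv.DictReader(io.StringIO(cdr_text))
    hits = []
    for row in reader:
        if row["src"] in known:
            continue
        if row["disposition"] not in ("ANSWERED", "WAITING"):
            continue
        billsec = int(row["billsec"])
        if billsec > max_billsec:
            continue
        hits.append({
            "src": row["src"],
            "ip": peer_ip(row["channel"]),
            "start": row["start"],
            "billsec": billsec,
        })
    return hits


def probes_by_source(hits):
    """Count flagged calls per originating peer address."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    flagged = flag_probe_calls(SAMPLE_CDR)
    for h in flagged:
        print(f'{h["start"]}  src={h["src"]:<6} from={h["ip"]:<14} billsec={h["billsec"]}')
    print(probes_by_source(flagged))
```

Run against an export of your own CDR (the Master.csv columns are in a fixed order without a header, so map them to these names first) and the counter shows which addresses are responsible for the bulk of the 0:00 and 0:01 calls.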
That is just standard "drive-by" scouting by the knuckle-draggers; if they get a connection (which they did), they will pass your IP on to the "black cloud", which will prepare more penetrative attacks against your box. Consider implementing a firewall that only allows UDP 5060 connections from known sources; better yet, don't use 5060 for SIP registration.
Thanks Dicko. Unfortunately my only option would be to not use 5060 for SIP registration, as we have lots of roaming users that are connecting from random IPs.
Is it safe to say that the majority of the trolling happens from foreign subnets (in your experience)? I could block those in the firewall pretty easily.
In my experience the majority of attacks will be from "Chinese Universities", closely followed by Palestine, Eastern Europe and the Middle East. I make no comment on the geopolitical understructure of why these entities support rogue networks.
It is simple to have your roaming users use another port: just let them know that they need to register against your_ip:nnnn, where nnnn is anything unused on your box between 1025 and about 64000 and the port your SIP server will bind to. Have your VSP do the same if they are prepared to do so. If not, then you normally will only need to open a few networks for your recalcitrant VSP.
It is exactly the same concept as I hope you use for ssh or any other inet service you open on your box from the tubes.
You can also look at GeoIP blocking, easily done with csf, but the iptables will be huge unless you live in Belgium or some such. There are 250-odd class A networks; that is easier to handle: allow all currently used class A networks, discovered closely by:
rasterisk -x 'sip show peers'
Deny all on your firewall, allow the first two unique octets .0.0/8, and you are close.
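The allowlist approach in the post above (read the peers off the box, allow only their networks on the SIP port, deny the rest) can be scripted so it is repeatable when peers change. The following is an added example, not code from the original thread or from csf; it parses a constructed copy of `sip show peers` output (the real command output has the same column layout but your own peers), derives one network per peer using the first octet only, as the later correction in this thread says, and emits iptables rules as strings rather than running them. The prefix length and the SIP port are parameters, so the same script covers a /16 allowlist or a non-5060 registration port.

```python
import ipaddress

# Constructed sample of `rasterisk -x 'sip show peers'` output (not a real box).
# Column 2 is the peer's host; dynamic peers that have never registered show "(Unspecified)".
SAMPLE_PEERS = """\
Name/username             Host                                    Dyn Forcerport Comedia    ACL Port     Status      Description
201/201                   198.51.100.23                            D  Yes        Yes           A  5060     OK (12 ms)
202/202                   203.0.113.45                             D  Yes        Yes           A  5060     OK (23 ms)
vsp-trunk                 192.0.2.10                                  Yes        No               5060     OK (45 ms)
203/203                   (Unspecified)                            D  Yes        Yes           A  0        UNKNOWN
4 sip peers [Monitored: 3 online, 1 offline Unmonitored: 0 online, 0 offline]
"""


def peer_hosts(peers_text):
    """Extract the IP addresses currently registered or configured for each peer.
    Lines whose second column is not an address (header, unregistered peers,
    the trailing summary line) are skipped."""
    hosts = []
    for line in peers_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            hosts.append(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue
    return hosts


def allowed_networks(hosts, prefixlen=8):
    """Collapse peer addresses to the networks to allow; /8 means "first octet .0.0.0/8"."""
    nets = {
        ipaddress.ip_network(f"{h}/{prefixlen}", strict=False)
        for h in hosts
        if h.version == 4
    }
    return sorted(nets)


def iptables_rules(nets, port=5060):
    """Build an ACCEPT rule per allowed network for UDP on the SIP port, then a DROP
    for everything else on that port. Returned as strings; nothing is executed."""
    rules = [f"iptables -A INPUT -p udp --dport {port} -s {n} -j ACCEPT" for n in nets]
    rules.append(f"iptables -A INPUT -p udp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    nets = allowed_networks(peer_hosts(SAMPLE_PEERS))
    for rule in iptables_rules(nets):
        print(rule)
```

On a live system, feed the script the output of `rasterisk -x 'sip show peers'` taken while your roaming users are registered, review the generated rules, and only then load them; a peer that is "(Unspecified)" at the moment you run it will not be allowed, which is the point of re-running after registrations settle.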
Ho hum, we still can't edit our posts; all errors and omissions are committed to eternity . . .
Make that "the first one unique octet .0.0.0/8".