Got Call pumped? App: Congestion - need help

Hey guys,

this is my first post in this forum and I really hope you can help me.

On the 11th of July I set up my first FreePBX installation. For testing and installing I opened my ports (5060) and still had the default “allow SIP guests” activated.

Today, three days later, I figured out that already after one hour of being online a lot of various IPs connected to the PBX and started to call via my trunk.

I have thousands of these calls in my log, where random numbers in different states were called: Denmark, Sweden, U.S.A. A screenshot is attached.

“ANSWERED” does mean that a call was established, doesn't it?
Can somebody please explain to me what “App: Congestion” stands for?

My provider, Deutsche Telekom, is not able to tell me how many calls were made in the last days and whether these numbers are premium services.

I found similar threads like this, but nobody texted about the consequences. I expect a huge bill.

Does any of you have experience with issues like that?

I know that it was a big mistake to open the ports with the “guest” option enabled. But to be honest, I never expected to become a victim this fast.

Thank you in advance.
Mats

I uploaded a sample out of my log:

Can’t help you ‘post-mortem’ if you pay for incoming calls then lots of 13 second ones that all apparently went to ‘congestion’. As to the future, don’t accept anonymous or guest calls, especially on UDP/5060. You can reduce the problem to a tiny dribble by not using UDP on any port between 5000 and 5999; TCP and TLS transports get much less attention. If using TLS, use a certificate NOT issued to your WebService one, and add a port scanner to your firewall rules.

Congestion is FreePBX rejecting the call. You don’t seem to have any outbound legs, so they haven’t hit on anything valid. You should not normally have a system that allows chargeable calls from the from-sip-external context.

A quick ‘reality check’ to see how common UDP/5060 probes are.

Install a very basic Linux cloud machine on anything, log in to it and, given tcpdump is installed, run:

tcpdump -vvA port 5060

You probably won’t have to wait long :wink:

It’s been answered by FreePBX, probably to play an invalid number message, not by the premium rate number.

It was answered by whatever is on the end of your IP address, i.e. your poorly provisioned Asterisk server, hopefully now fixed. Asterisk is a ‘Back to Back User agent’ so unless it is bridged to your ‘premium rate’ connection by a defined ‘route’, there should be no charge.

You probably have nothing to worry about. The CDR records you’re seeing are not indicative of any actual exploit beyond the resources it takes to answer the guest call, play a recording and send the call to congestion. You do want to secure things tho, starting with limiting access to the signaling ports as tightly as practical. If you’re running the FreePBX Distro, you can use the Firewall module: Open Source Pro Tips #2 - Firewall Basics
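
The replies above distinguish guest calls that FreePBX rejected locally (last application Congestion, no outbound leg) from calls that were actually bridged to a trunk. The following is an added example, not part of any post in this thread, that runs that check over a CDR export. It assumes the column order of Asterisk's cdr_csv Master.csv and chan_sip-style channel names; the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Column order of Asterisk's cdr_csv Master.csv (assumed export format).
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
          "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
          "duration", "billsec", "disposition", "amaflags", "uniqueid",
          "userfield"]

# Constructed sample rows (documentation IP ranges, made-up numbers and dates).
SAMPLE = '''"","1001","004512345678","from-sip-external","1001","SIP/203.0.113.7-0000000a","","Congestion","5","2024-01-01 10:02:01","2024-01-01 10:02:01","2024-01-01 10:02:14",13,13,"ANSWERED","DOCUMENTATION","1704103321.10",""
"","1001","004612345679","from-sip-external","1001","SIP/203.0.113.7-0000000b","","Congestion","5","2024-01-01 10:03:01","2024-01-01 10:03:01","2024-01-01 10:03:14",13,13,"ANSWERED","DOCUMENTATION","1704103381.11",""
"","9000","004512345680","from-sip-external","9000","SIP/198.51.100.23-0000000c","SIP/trunk-0000000d","Dial","SIP/trunk/004512345680","2024-01-01 11:00:00","2024-01-01 11:00:05","2024-01-01 11:00:47",47,42,"ANSWERED","DOCUMENTATION","1704106800.12",""
"","201","0301234567","from-internal","201","SIP/201-0000000e","SIP/trunk-0000000f","Dial","SIP/trunk/0301234567","2024-01-01 12:00:00","2024-01-01 12:00:03","2024-01-01 12:01:03",63,60,"ANSWERED","DOCUMENTATION","1704110400.13",""
'''


def triage(cdr_text, guest_context="from-sip-external"):
    """Split guest-context CDR rows into locally rejected and bridged calls."""
    rejected, bridged = Counter(), []
    for row in csv.DictReader(io.StringIO(cdr_text), fieldnames=FIELDS):
        if row["dcontext"] != guest_context:
            continue  # calls from authenticated extensions are out of scope
        # Assumption: guest channels are named SIP/<source address>-<id>.
        source = row["channel"].split("/", 1)[-1].rsplit("-", 1)[0]
        # An outbound leg shows up as a destination channel or Dial as last app.
        if row["dstchannel"] or row["lastapp"] == "Dial":
            bridged.append((source, row["dst"], int(row["billsec"])))
        else:
            rejected[source] += 1  # answered by the PBX itself, then rejected
    return rejected, bridged


if __name__ == "__main__":
    rejected, bridged = triage(SAMPLE)
    for source, count in rejected.most_common():
        print(f"{source}: {count} guest calls rejected locally")
    for source, dst, billsec in bridged:
        print(f"REVIEW {source} -> {dst}: outbound leg, {billsec}s billable")
```

An empty bridged list matches the situation described in the replies; any entry in it is a call worth raising with the provider.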
