Inbound routes issues

Hello @ThetaCoder,

After examining your logs, I can point out that the hacker tries to send calls directly through your trunks. The best way to reduce those tries is to set up a general inbound route that would terminate the call. You need to set up two general inbound routes with the following patterns: _X. and a blank one.

Please do not forget to set up your specific inbound routes as a range or as a specific DID. I, for example, like to put them on hold, because it gives me time to investigate the pattern of the attack and then block them for good on my system.

Here is a screenshot of my setup:


Thank you,

Daniel Friedman
Trixton LTD.

Hi Daniel:

This is not a hacker, these are inbound PSTN calls. OP wants to filter by CID.

I can’t think of a single use for an inbound route with DID of _X. that would not be caught by the Any/Any route. What specific case does that route actually address?

Hi @lgaetz,

Yes, it is a hacker who tries to send calls through this pbx. The problem is that they do it directly through the carriers and not through an IP address. The filter that I suggested has worked for me for many years for this type of attack. The basic concept of this pattern is to block a DID that is not configured specifically on the inbound routes of the pbx. Look again at the patterns that are entering the pbx. Most of them are not legit DIDs, and should be terminated on the spot. This concept is good for alphanumeric attacks as well (_X. or s). This helps significantly reduce these types of attacks on PBXs.

Of course, this is just one step in fighting these hackers/spammers, because most of the attacks that I see are plain DDOS and every attack has its own pattern, but eventually, they all sum up to 10-15 known attacking patterns.

The most annoying attack is the DDOS one with caller ID spoofing, which forces you to start whitelisting your customers, but if you are tightening your pbx from the start, most of the attacks just pass through your pbx and get terminated, since they are general attacks on PBXs from the internet.

Thank you,

Daniel Friedman
Trixton LTD.
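
The route matching discussed in the posts above, as an added example (not code from any poster or from FreePBX): it translates Asterisk-style DID patterns to regular expressions and shows which route each incoming DID lands on. The DIDs and route table are constructed, bracket sets are not handled, and first match over a list ordered most specific first is a simplifying assumption about how the PBX picks a route.

```python
import re

# Asterisk pattern characters handled here; bracket sets like [1-5] are omitted.
CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]", ".": ".+", "!": ".*"}

# Constructed route table (hypothetical DIDs), ordered most specific first.
ROUTES = [
    ("15551230100", "ring group"),   # one specific DID
    ("_155512302XX", "IVR"),         # a DID range
    ("_X.", "terminate"),            # general route: a digit plus one or more characters
    ("", "terminate"),               # blank DID: matches anything, including no DID
]

def to_regex(pattern):
    """Translate one DID pattern into a compiled regular expression."""
    if pattern == "":
        return re.compile(".*", re.S)
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern))  # literal DID, no wildcards
    return re.compile("".join(CLASSES.get(c, re.escape(c)) for c in pattern[1:]))

def classify(did):
    """Return (pattern, action) of the first route that matches the DID."""
    for pattern, action in ROUTES:
        if to_regex(pattern).fullmatch(did):
            return pattern, action
    return None, "no route"

def unconfigured(dids):
    """DIDs that only a general route caught: candidates for review."""
    return [d for d in dids if classify(d)[0] in ("_X.", "")]

if __name__ == "__main__":
    # Constructed sample of DIDs as they might appear in a call log.
    for did in ["15551230100", "15551230257", "900442071234567", "+4420", "7", ""]:
        print(repr(did), "->", classify(did))
```

Running `unconfigured()` over the DID column of a call log gives the list of numbers that reached the PBX without a specific route.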

I can’t believe they let that one go by so quickly.

First, there is always a Firewall - it’s built into the system. It’s called the Integrated Firewall and it is there.

Second, inbound and outbound calling are almost unrelated. They might appear to be and experienced PBX users are used to them being “the same”, but in Asterisk, they just don’t share a lot of anything.

The pedantic part of my brain won’t let this go. They all originate from the same “CID”. DID is how we describe the inbound direct dial number.

When a call is directed to your system, it is sent to one of your DIDs via a trunk. You mention that you need to use anonymous connections because of your provider, but that’s counter-intuitive. If you have a provider, you should have the servers for your provider identified in your trunk config. Anything that doesn’t come from your provider’s IP is anonymous and should be blocked. There are many long discussions on here about why anonymous is bad and how much money it can cost you.

This leads me to believe that you are setting up the trunk for a username/password pair when, in fact, you are using IP authentication. If that’s the case, then (once again) you need to allow the IP addresses of your ISP’s originating SIP connection(s) and block the rest.

Now, if you are trying to block PSTN calls, there’s a whole different set of possible choices there. Your request seems to be “magically know what calls are good and what calls are bad and block the bad ones.” That isn’t going to happen with this or any other telephone technology.

@lgaetz's “Robocaller” script with its “one and done” authentication white list is excellent, especially if you throw a message on the front that says “because of nuisance and spam calls, please press ‘1’ to be added to our whitelist and your call will be directed to an agent.” Most customers will recognize that you are being responsible and will be more than happy to help you out.
