Large Volume of Unknown Calls Going to Congestion

Hello All,

I am having an issue when I try to pull calls. For whatever reason there are hundreds of calls in my CDR Reports that are all trying to get an outside line but get congestion. I believe these are people trying to route calls illegitimately through my PBX. Is there any way I can stop these from being logged or eliminate them altogether?

Below is a segment of my CDR Reports that includes these calls, my IP was removed for security:

calldate clid src dst dcontext channel dstchannel lastapp lastdata duration billsec disposition amaflags accountcode uniqueid userfield
12/15/2014 23:01 toto toto s from-sip-external SIP/188.138.17.229-00000289 Congestion 5 13 13 ANSWERED 3 1418713309
12/15/2014 21:28 “102” <102> 102 s from-sip-external SIP/my.ip.add.ress-00000276 Congestion 5 14 14 ANSWERED 3 1418707732
12/15/2014 18:50 “200” <200> 200 s from-sip-external SIP/my.ip.add.ress-00000275 Answer 1 1 ANSWERED 3 1418698256
12/15/2014 18:50 “200” <200> 200 s from-sip-external SIP/my.ip.add.ress-00000274 Answer 1 1 ANSWERED 3 1418698255
12/15/2014 18:04 “100” <100> 100 s from-sip-external SIP/my.ip.add.ress-00000273 Congestion 5 13 13 ANSWERED 3 1418695455
12/15/2014 17:48 “pl155” pl155 s from-sip-external SIP/my.ip.add.ress-0000026b Congestion 5 13 13 ANSWERED 3 1418694488
12/15/2014 17:48 “sachin2014” sachin2014 s from-sip-external SIP/my.ip.add.ress-00000272 Congestion 5 13 13 ANSWERED 3 1418694488
12/15/2014 17:48 “vedas” vedas s from-sip-external SIP/my.ip.add.ress-00000271 Congestion 5 13 13 ANSWERED 3 1418694488
12/15/2014 17:48 “162” <162> 162 s from-sip-external SIP/my.ip.add.ress-00000270 Congestion 5 13 13 ANSWERED 3 1418694488
12/15/2014 17:48 “161” <161> 161 s from-sip-external SIP/my.ip.add.ress-0000026f Congestion 5 13 13 ANSWERED 3 1418694488
12/15/2014 17:48 “testcarrier” testcarrier s from-sip-external SIP/my.ip.add.ress-0000026e Congestion 5 13 13 ANSWERED 3 1418694488
12/15/2014 17:48 “160” <160> 160 s from-sip-external SIP/my.ip.add.ress-0000026d Congestion 5 13 13 ANSWERED 3 1418694488
12/15/2014 17:48 “pl160” pl160 s from-sip-external SIP/my.ip.add.ress-0000026c Congestion 5 13 13 ANSWERED 3 1418694488
12/15/2014 17:48 “159” <159> 159 s from-sip-external SIP/my.ip.add.ress-0000026a Congestion 5 12 12 ANSWERED 3 1418694488
12/15/2014 17:48 “pl150” pl150 s from-sip-external SIP/my.ip.add.ress-00000269 Congestion 5 12 12 ANSWERED 3 1418694488
12/15/2014 17:48 “158” <158> 158 s from-sip-external SIP/my.ip.add.ress-00000268 Congestion 5 12 12 ANSWERED 3 1418694488
12/15/2014 17:48 “pl142” pl142 s from-sip-external SIP/my.ip.add.ress-00000267 Congestion 5 12 12 ANSWERED 3 1418694488
12/15/2014 17:48 “157” <157> 157 s from-sip-external SIP/my.ip.add.ress-00000266 Congestion 5 12 12 ANSWERED 3 1418694488
12/15/2014 17:48 “156” <156> 156 s from-sip-external SIP/my.ip.add.ress-00000265 Congestion 5 12 12 ANSWERED 3 1418694488
12/15/2014 17:48 “pl141” pl141 s from-sip-external SIP/my.ip.add.ress-00000264 Congestion 5 12 12 ANSWERED 3 1418694488
12/15/2014 17:48 “155” <155> 155 s from-sip-external SIP/my.ip.add.ress-00000263 Congestion 5 12 12 ANSWERED 3 1418694488
12/15/2014 17:48 “154” <154> 154 s from-sip-external SIP/my.ip.add.ress-00000262 Congestion 5 12 12 ANSWERED 3 1418694488
12/15/2014 17:48 “pl140” pl140 s from-sip-external SIP/my.ip.add.ress-00000261 Congestion 5 12 12 ANSWERED 3 1418694488
12/15/2014 17:48 “pl138” pl138 s from-sip-external SIP/my.ip.add.ress-00000260 Congestion 5 12 12 ANSWERED 3 1418694488
12/15/2014 17:48 “pl135” pl135 s from-sip-external SIP/my.ip.add.ress-0000025f Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl133” pl133 s from-sip-external SIP/my.ip.add.ress-0000025b Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “153” <153> 153 s from-sip-external SIP/my.ip.add.ress-0000025e Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “152” <152> 152 s from-sip-external SIP/my.ip.add.ress-0000025d Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl134” pl134 s from-sip-external SIP/my.ip.add.ress-0000025c Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “151” <151> 151 s from-sip-external SIP/my.ip.add.ress-0000025a Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “150” <150> 150 s from-sip-external SIP/my.ip.add.ress-00000259 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl128” pl128 s from-sip-external SIP/my.ip.add.ress-00000252 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl132” pl132 s from-sip-external SIP/my.ip.add.ress-00000258 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “149” <149> 149 s from-sip-external SIP/my.ip.add.ress-00000257 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl131” pl131 s from-sip-external SIP/my.ip.add.ress-00000256 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “148” <148> 148 s from-sip-external SIP/my.ip.add.ress-00000255 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl130” pl130 s from-sip-external SIP/my.ip.add.ress-00000254 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl115” pl115 s from-sip-external SIP/my.ip.add.ress-00000239 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “147” <147> 147 s from-sip-external SIP/my.ip.add.ress-00000253 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “146” <146> 146 s from-sip-external SIP/my.ip.add.ress-00000251 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl127” pl127 s from-sip-external SIP/my.ip.add.ress-00000250 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “145” <145> 145 s from-sip-external SIP/my.ip.add.ress-0000024f Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl126” pl126 s from-sip-external SIP/my.ip.add.ress-0000024e Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “144” <144> 144 s from-sip-external SIP/my.ip.add.ress-0000024d Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl125” pl125 s from-sip-external SIP/my.ip.add.ress-0000024c Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl124” pl124 s from-sip-external SIP/my.ip.add.ress-0000024b Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “143” <143> 143 s from-sip-external SIP/my.ip.add.ress-0000024a Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl123” pl123 s from-sip-external SIP/my.ip.add.ress-00000249 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl121” pl121 s from-sip-external SIP/my.ip.add.ress-00000245 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “142” <142> 142 s from-sip-external SIP/my.ip.add.ress-00000248 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “139” <139> 139 s from-sip-external SIP/my.ip.add.ress-00000242 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl122” pl122 s from-sip-external SIP/my.ip.add.ress-00000247 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “141” <141> 141 s from-sip-external SIP/my.ip.add.ress-00000246 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “140” <140> 140 s from-sip-external SIP/my.ip.add.ress-00000244 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl120” pl120 s from-sip-external SIP/my.ip.add.ress-00000243 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “138” <138> 138 s from-sip-external SIP/my.ip.add.ress-00000241 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “pl119” pl119 s from-sip-external SIP/my.ip.add.ress-00000240 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 “137” <137> 137 s from-sip-external SIP/my.ip.add.ress-0000023f Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “pl118” pl118 s from-sip-external SIP/my.ip.add.ress-0000023e Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “pl117” pl117 s from-sip-external SIP/my.ip.add.ress-0000023d Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “136” <136> 136 s from-sip-external SIP/my.ip.add.ress-0000023c Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “pl116” pl116 s from-sip-external SIP/my.ip.add.ress-0000023b Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “135” <135> 135 s from-sip-external SIP/my.ip.add.ress-0000023a Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “134” <134> 134 s from-sip-external SIP/my.ip.add.ress-00000238 Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “pl114” pl114 s from-sip-external SIP/my.ip.add.ress-00000237 Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “133” <133> 133 s from-sip-external SIP/my.ip.add.ress-00000236 Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “pl113” pl113 s from-sip-external SIP/my.ip.add.ress-00000235 Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “132” <132> 132 s from-sip-external SIP/my.ip.add.ress-00000234 Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “pl112” pl112 s from-sip-external SIP/my.ip.add.ress-00000233 Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “pl105” pl105 s from-sip-external SIP/my.ip.add.ress-00000232 Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “131” <131> 131 s from-sip-external SIP/my.ip.add.ress-00000231 Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “130” <130> 130 s from-sip-external SIP/my.ip.add.ress-0000022f Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “tr-user-18” tr-user-18 s from-sip-external SIP/my.ip.add.ress-00000230 Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “129” <129> 129 s from-sip-external SIP/my.ip.add.ress-0000022e Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “tr-user-17” tr-user-17 s from-sip-external SIP/my.ip.add.ress-0000022d Congestion 5 12 12 ANSWERED 3 1418694487
12/15/2014 17:48 “122” <122> 122 s from-sip-external SIP/my.ip.add.ress-00000220 Congestion 5 13 12 ANSWERED 3 1418694486
12/15/2014 17:48 “126” <126> 126 s from-sip-external SIP/my.ip.add.ress-00000229 Congestion 5 13 12 ANSWERED 3 1418694486
12/15/2014 17:48 “tr-user-16” tr-user-16 s from-sip-external SIP/my.ip.add.ress-0000022c Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “128” <128> 128 s from-sip-external SIP/my.ip.add.ress-0000022b Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “127” <127> 127 s from-sip-external SIP/my.ip.add.ress-0000022a Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “125” <125> 125 s from-sip-external SIP/my.ip.add.ress-00000227 Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “tr-user-15” tr-user-15 s from-sip-external SIP/my.ip.add.ress-00000228 Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “tr-user-14” tr-user-14 s from-sip-external SIP/my.ip.add.ress-00000226 Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “tr-user-13” tr-user-13 s from-sip-external SIP/my.ip.add.ress-00000225 Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “124” <124> 124 s from-sip-external SIP/my.ip.add.ress-00000224 Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “tr-user-61” tr-user-61 s from-sip-external SIP/my.ip.add.ress-00000223 Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “tr-user-21” tr-user-21 s from-sip-external SIP/my.ip.add.ress-00000221 Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “123” <123> 123 s from-sip-external SIP/my.ip.add.ress-00000222 Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “tr-user-8” tr-user-8 s from-sip-external SIP/my.ip.add.ress-00000207 Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “121” <121> 121 s from-sip-external SIP/my.ip.add.ress-0000021f Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “tr-user-20” tr-user-20 s from-sip-external SIP/my.ip.add.ress-0000021e Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “tr-user-19” tr-user-19 s from-sip-external SIP/my.ip.add.ress-0000021d Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “120” <120> 120 s from-sip-external SIP/my.ip.add.ress-0000021c Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 17:48 “119” <119> 119 s from-sip-external SIP/my.ip.add.ress-0000021b Congestion 5 13 13 ANSWERED 3 1418694486

Disallow SIP guests and SIP anonymous unless you need them.

Also look into (in no particular order):

iptables
Fail2Ban
whitelisting port 5060
putting a ‘secret’ on every SIP device so users require a password on their phone to connect

Our cloud PBX gets hit several times a day with spam registrations; toll fraud is a major issue!
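An added example, not part of any post in this thread: a small detector for the pattern visible in the CDR excerpt, where one peer presents many different caller identities to `from-sip-external` within seconds and every attempt ends in `Congestion`. The row layout is taken from the excerpt; the sample rows, the documentation-range addresses, the function names and the thresholds are constructed for illustration, and the trailing `uniqueid` is assumed to be epoch seconds.

```python
import re
from collections import defaultdict

# Constructed sample rows in the layout of the CDR excerpt above
# (empty columns collapsed); addresses are documentation ranges.
SAMPLE_CDR = """\
12/15/2014 17:48 "150" <150> 150 s from-sip-external SIP/198.51.100.7-00000259 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 "pl128" pl128 s from-sip-external SIP/198.51.100.7-00000252 Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 "151" <151> 151 s from-sip-external SIP/198.51.100.7-0000025a Congestion 5 13 13 ANSWERED 3 1418694487
12/15/2014 17:48 "tr-user-8" tr-user-8 s from-sip-external SIP/198.51.100.7-00000207 Congestion 5 13 13 ANSWERED 3 1418694486
12/15/2014 18:50 "200" <200> 200 s from-sip-external SIP/203.0.113.9-00000275 Answer 1 1 ANSWERED 3 1418698256
12/15/2014 23:01 toto toto s from-sip-external SIP/203.0.113.9-00000289 Congestion 5 13 13 ANSWERED 3 1418713309
"""

# calldate, "clid src", dst "s", dcontext, channel SIP/<peer>-<id>, lastapp, ..., uniqueid
ROW = re.compile(
    r"^\d\d/\d\d/\d{4} \d\d:\d\d (?P<caller>.+?) s (?P<ctx>\S+) "
    r"SIP/(?P<peer>\S+)-[0-9a-f]{8} (?P<app>\w+) .*?(?P<uid>\d{10})$"
)

def parse_cdr(text):
    """Yield (peer, src, dcontext, lastapp, epoch) for each recognised row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src = m["caller"].split()[-1]      # src is the token after clid
            yield m["peer"], src, m["ctx"], m["app"], int(m["uid"])

def find_scanners(text, window=60, min_identities=3):
    """Map peer -> largest count of distinct src values rejected in one window."""
    seen = defaultdict(set)                    # (peer, time bucket) -> {src}
    for peer, src, ctx, app, epoch in parse_cdr(text):
        if ctx == "from-sip-external" and app == "Congestion":
            seen[(peer, epoch // window)].add(src)
    hits = {}
    for (peer, _bucket), ids in seen.items():
        if len(ids) >= min_identities:         # many identities, one source
            hits[peer] = max(hits.get(peer, 0), len(ids))
    return hits

if __name__ == "__main__":
    for peer, n in find_scanners(SAMPLE_CDR).items():
        print(f"{peer}: {n} distinct caller identities in one window")
```

Peers flagged this way are candidates for the iptables or Fail2Ban blocking suggested in the replies; a single rejected call, like the `toto` row, stays below the threshold.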