Many "congestion" calls in cdr

Was checking the CDRs and saw a lot of “congestion” calls.

What is this and why is it happening?
In the CDR report there are dozens of records per hour with:
APP=congestion, Destination=$(from-sip-external), disposition=Answered, duration=12

Nobody has an explanation for this? A hint?

Is your system exposed to the Internet? These are probably attempts at hacking into your system.

It is “exposed” although behind a firewall.

The calls are all from callerID 100 and the destination is “s [from-sip-external]”.

I am going to assume that you have TCP 5060 and UDP 10000-20000 forwarded inbound. I am also going to assume that you are allowing any source address in on TCP 5060. This is the problem. If you allow TCP 5060 in from any source it is almost like having no firewall at all. I would suggest you tighten up the firewall rules for TCP 5060. Make sure you are using strong passwords too.

Alan,

Yes, your assumptions are correct. And now I understand that these are hacking attempts or at least if they aren’t, I’m open to them.

The problem I have is how to handle remote phones on dynamic IPs that need to register to the PBX. Employees that “work from home”, etc.

Any suggestions?

Don’t use UDP/5060?

Yes, that’s the obvious fix, but is it enough? Obviously no solution is perfect without static IPs on all ends…

What of the RTP ports 10000-20000, any danger in leaving those as is?

You can limit your allowed networks to the smallest set of the smallest networks that whois (each of your hosts) returns. Most hosts will stay within a small network due to how DHCP networks are configured, so timewarner in a city will always award within that network. Not a perfect recipe, but pragmatic and doable.

No problem with your RTP range and not currently a risk, but do you really expect 5000 concurrent calls?

Yeah, I had thought of limiting the subnets as a simple compromise.

Do I expect 5000 calls? No. I just hadn’t looked into the RTP port issues enough to know if setting it to something much less would cause an issue. I assumed that, being just the channels that carry the audio, it was of little risk though.

Thanks for the reply!!

A VPN provides the best security. Almost every router today can create an IPSEC tunnel.

Yes, thought of that too; however, these aren’t the most tech-savvy users and I’m trying to keep it all as transparent and basic as possible.

A VPN is completely transparent to the users and gives the added benefit of accessing office resources.

http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

If you have actual roamers (remote users whose IPs change frequently, so that you can’t just restrict which IPs are allowed) and VPN is not an option, then this is the next best thing. Also, turn off Anonymous Inbound Calls (under SIP Settings).

Greg
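
As an added example (not part of the thread and not FreePBX's or Asterisk's own code): a small Python check for the pattern the original poster describes, counting per hour the CDR rows that ended in Congestion in the from-sip-external context. It assumes the column order of Asterisk's cdr_csv `Master.csv`; the sample rows, the threshold and the function name `probe_hours` are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Column order written by Asterisk's cdr_csv backend (Master.csv).
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
          "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
          "duration", "billsec", "disposition", "amaflags", "uniqueid",
          "userfield"]

# Constructed sample rows (documentation addresses, invented timestamps).
SAMPLE = '''
"","100","s","from-sip-external","100","SIP/203.0.113.7-00000001","","Congestion","","2013-05-01 02:14:03","2013-05-01 02:14:03","2013-05-01 02:14:15","12","12","ANSWERED","DOCUMENTATION","1367374443.1",""
"","100","s","from-sip-external","100","SIP/203.0.113.7-00000002","","Congestion","","2013-05-01 02:21:40","2013-05-01 02:21:40","2013-05-01 02:21:52","12","12","ANSWERED","DOCUMENTATION","1367374900.2",""
"","201","18005550100","from-internal","201","SIP/201-00000003","SIP/trunk-00000004","Dial","SIP/trunk/18005550100","2013-05-01 02:30:00","2013-05-01 02:30:05","2013-05-01 02:31:00","60","55","ANSWERED","DOCUMENTATION","1367375400.3",""
"","100","s","from-sip-external","100","SIP/203.0.113.7-00000005","","Congestion","","2013-05-01 02:44:10","2013-05-01 02:44:10","2013-05-01 02:44:22","12","12","ANSWERED","DOCUMENTATION","1367376250.5",""
"","100","s","from-sip-external","100","SIP/203.0.113.7-00000006","","Congestion","","2013-05-01 02:58:31","2013-05-01 02:58:31","2013-05-01 02:58:43","12","12","ANSWERED","DOCUMENTATION","1367377111.6",""
"","100","s","from-sip-external","100","SIP/198.51.100.9-00000007","","Congestion","","2013-05-01 03:05:00","2013-05-01 03:05:00","2013-05-01 03:05:12","12","12","ANSWERED","DOCUMENTATION","1367377500.7",""
'''


def probe_hours(csv_text, threshold=3):
    """Return {(hour, src): count} for hours with >= threshold probe rows.

    A probe row is an unsolicited inbound call that never reached an
    extension: dst "s", context from-sip-external, last app Congestion.
    The threshold is an assumed starting point; tune it to your traffic.
    """
    hits = Counter()
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < len(FIELDS):
            continue  # blank or truncated line
        rec = dict(zip(FIELDS, row))
        if (rec["lastapp"].lower() == "congestion"
                and rec["dcontext"] == "from-sip-external"
                and rec["dst"] == "s"):
            hour = rec["start"][:13]  # "YYYY-MM-DD HH"
            hits[(hour, rec["src"])] += 1
    return {key: n for key, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for (hour, src), n in sorted(probe_hours(SAMPLE).items()):
        print(f"{hour}:00  src={src}  congestion rows={n}")
```

Run it against the real file by passing the contents of `Master.csv` instead of `SAMPLE`; hours it reports are the ones to compare against the firewall and Fail2Ban logs.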