OpenCNAM multiple queries?

mickier · October 8, 2020, 12:10pm

About 3 months ago I set up my phone switch Asterisk 14 (FreePBX distro). I configured OpenCNAM and deposited about $20 in my account there. Things worked well for about a month - and then I noticed inbound calls were “unknown caller” - so I logged onto OpenCNAM and my account was ZERO - crazy since we receive 20 calls a day max… so I contacted their support and they sent me a log showing that they had received over 4200 CID queries for the same phone number from my switch - all in just a few minutes - often multiple times per second second - all queries do show they came from MY IP – it ran my account out of funds…

I don’t know what to do or how to proceed because I don’t think I dare to put more $$ on my opencnam account - probably get the same results eventually…(!)

I’m attaching a portion of the logs from OpenCNAM (I truncated my IP address to the first two Octects)

Is this some type of attack on my server? or a bug?

|2020-09-22T14:42:32.294118Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:32.33158Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:32.766641Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:32.900151Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:33.345303Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:33.510992Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:33.796973Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:33.846779Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:34.035006Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:34.330995Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:34.397234Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:34.570017Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:35.043857Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:35.052534Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:35.206165Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:35.501251Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:35.631401Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:35.773389Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:35.859477Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:36.27101Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:36.447661Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:36.842261Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:37.066537Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:37.477879Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:37.613177Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:37.615562Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:38.101694Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:38.209307Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:38.425624Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:38.674656Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:38.811503Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:38.842892Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:39.000042Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:39.33882Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:39.458769Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:39.652945Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:40.032133Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:40.31634Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:40.636062Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:40.68748Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:40.78466Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:40.946355Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:41.2373Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:41.370846Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:41.485255Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:41.824076Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:41.869092Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:41.913633Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:42.003949Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:42.064594Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:42.435937Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:42.460471Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:42.569933Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:42.618279Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:42.767679Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:43.101668Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:43.248871Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:43.721368Z|14842911195|Ip 209.23…|0.0048|200|pbx|
|2020-09-22T14:42:43.803393Z|14842911195|Ip 209.23…|0.0048|200|pbx|

lgaetz · October 8, 2020, 12:16pm

It doesn’t have the look of an attack, but you need to locate the corresponding log entries for one of these calls from the asterisk full log for more detail. Unfortunately you probably only have 7 days worth of full logs, so if the calls are prior to that you can only work with what shows in the CDR/CEL.

mickier · October 8, 2020, 12:35pm

thanks for your quick response Lorne,

I was on another install and couldn’t get onto it until now… I have to presume that calls must have been coming in from 4842911195 - over and over - I have checked logs and that hasn’t been happening at least in the last 7 days. I’ll put another $10 on OpenCNAM and watch.

sorvani · October 8, 2020, 2:11pm

Are you using CallerID Lookup Sources or CID Superfecta.

Both have a “Cache” setting. I prefer CID Superfecta as it is much more flexible.

mickier · October 8, 2020, 3:15pm

Ya I turned cache on after the “issue” - figured that would likely help a lot!
(I’m using CallerID Lookup Sources, not Superfecta)

lgaetz · October 8, 2020, 3:34pm

There was a thread within the last few months about CallerID lookup and caching where it was discovered that the names were being cached, but the cache was not being checked on subsequent lookups. Superfecta works better in this regard.

sorvani · October 8, 2020, 3:43pm

If you change to Superfecta, don’t miss clicking the wrenches to set everything up.

And then go change your inbound routes to use it.

mickier · October 16, 2020, 11:49am

Thank you everyone for your responses… I will set it up this way. Thanks especially for the tips Jared!

Sorry i missed seeing these posts - been on another server project all week.

This is a GREAT community!

system · November 16, 2020, 11:49am

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.