Just an FYI to possibly save someone a few hours of time trying to resolve a remote SIP phone ringing at a remote worker’s home.
Had an issue where the worker took a phone home from work and after a day or two the phone would start ringing constantly, with no one on the other end.
Monitored and TCPDumped at the office PBX looking for any sign of hackers coming in through the firewall and could never find any evidence of suspicious activity.
After a few hours of searching, I looked at some logs on the phone and could see some hacker traffic arriving at the phone, and causing it to ring.
Turns out SIP-ALG was enabled on the home user’s local router; it was setting up a helper for the SIP traffic and decided to send the hacker off to the phone. Turned off SIP-ALG and the calls stopped. To confirm the theory, I turned it back on and the hacker calls started up again.
I believe the term for this is NAT Slipstreaming.
Hopefully this will be helpful for someone.
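An added example, not part of the original post: a check for the symptom described above, flagging SIP requests that reach the phone from any source other than the office PBX. The PBX address, the sample capture and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: only the office PBX should ever send SIP requests to the phone.
# 203.0.113.10 is a documentation address standing in for the PBX's public IP.
PBX_SOURCES = [ipaddress.ip_network("203.0.113.10/32")]

# Constructed sample: (source IP as seen at the phone, raw SIP message).
SAMPLE_CAPTURE = [
    ("203.0.113.10", "SIP/2.0 200 OK\r\nCSeq: 2 REGISTER\r\n\r\n"),
    ("203.0.113.10", "INVITE sip:201@192.168.1.50:5060 SIP/2.0\r\n"
                     "From: <sip:200@pbx.example.com>;tag=a1\r\n\r\n"),
    ("198.51.100.77", "INVITE sip:1000@192.168.1.50:5060 SIP/2.0\r\n"
                      "From: <sip:100@198.51.100.77>;tag=b2\r\n\r\n"),
    ("198.51.100.77", "OPTIONS sip:100@192.168.1.50:5060 SIP/2.0\r\n"
                      "From: <sip:100@198.51.100.77>;tag=c3\r\n\r\n"),
]

def parse_sip_request(raw):
    """Return (method, request_uri, headers) for a SIP request, else None."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    # A request line is "METHOD uri SIP/2.0"; responses start with "SIP/2.0".
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1], headers

def unexpected_requests(capture, allowed=PBX_SOURCES):
    """List requests whose source is not an allowed PBX network."""
    findings = []
    for src, raw in capture:
        parsed = parse_sip_request(raw)
        if parsed is None:
            continue  # response or unparseable data
        if any(ipaddress.ip_address(src) in net for net in allowed):
            continue  # expected signalling from the PBX
        method, uri, headers = parsed
        findings.append({"src": src, "method": method, "uri": uri,
                         "from": headers.get("from", ""),
                         "rings_phone": method == "INVITE"})
    return findings

if __name__ == "__main__":
    for finding in unexpected_requests(SAMPLE_CAPTURE):
        print(finding)
```

Findings with `rings_phone` set are the requests that would make the handset ring; any finding at all means something between the internet and the phone is forwarding SIP that did not come from the PBX.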