System Attack

Hi All,

Someone attacked my system. My system is set up with a trunk that diverts calls to my mobile, and my mobile has voicemail activated. How the attack happened: I received a call and on answering the diverted call I heard an automated response. I hung up the phone and instantly had about 16 missed call notifications / voicemail messages. A few more seconds after hanging up, the same again. At this point I blocked the number, but the records show another 26 attempted calls were made but blocked. In all I had about 70 incoming calls in the space of two minutes from this number 443333440000.

Don’t know who, or why, they did this; the only beneficiary seems to be the service provider. Any info about this and how best to stop it would be welcome.

You can add it to the blacklist.

Hi James, I have blocked the number but there must be a way to stop this from happening with any number?

I think there is no way to let people call in from your side.

I think there is some chan_sip bug that lets people somehow make Asterisk make a call out on an unregistered extension. I’ve noticed one of our servers doing that. Changing to PJSIP fixes it.

Thought I read somewhere that they aren’t patching chan_sip anymore and focusing entirely on PJSIP

Another 36 attempted calls from the same number today.

Do you by any chance have ‘t’ enabled in your dial options?

Hi dicko, yes there is a Ttr in the Asterisk dial Options under Dialplan and Operational.

remove the ‘Tt’


what is the t option? I see that Ttr is in the dial options often by default. I have no idea what they do.

It allows the caller to transfer to any arbitrary number by pressing ‘##’ while the channel is open

rasterisk -x 'core show application dial'


Does the Tt Only apply to hitting ## and not any other freepbx features or transfer methods? I’ve considered disabling it to see what happens.

As I suggested:

rasterisk -x 'core show application dial'

Look at the caveats for t and T.


There’s a ‘Disallow transfer features for inbound callers’ which is set to YES
Disallow transfer features (Normally ## and *2) for callers who passthrough inbound routes (Such as external callers)

That seems to be the default. With that set to yes, is it still necessary to remove the Tt?

I can’t answer that, as in this case the call is not from an inbound route but from a forwarded call; pragmatically, I would try it and see.


Thanks for your time dicko, I’ll test it out.

@harrisp32 please post your results. Very interested in hearing the outcome of your situation.

Still getting these calls from 443333 440000; they’re coming from a company by the name of aql.com. Another 60 calls in less than a minute.

But I’ve found out something about my system. I put 443333 440000 in my blacklist on FreePBX, and even though the system hangs up on the calls, my DID provider still charges me for the calls. So I made a call from another phone to the same number that aql are calling on my system, but sent the incoming call to another phone on my system that just rings, and still my DID provider charges for the call. So I’m charged just because someone rings that number, even if unanswered.

But here’s the bit I don’t understand. Again I made a call from another phone to the same number that aql are calling on my system, but with a difference: I sent the incoming call to my mobile without answering it. This time my DID provider did NOT charge for the unanswered call.

So any call passing through my system (forwarded) to my mobile is not charged by the DID provider if unanswered!

And any call that terminates in any way on my system, I’m charged for by the DID provider!

My question is: how does my DID provider know that the call is not being passed out of my system to my mobile? What’s the difference between an unanswered call on my system and an unanswered call on my mobile?

How do you know it’s coming from AQL, and have you tried contacting them?

A few years ago we had an issue with someone trying to abuse our system. We found out where it was coming from, contacted the ISP, and they shut them down.

They will ask for details; generally logs are sufficient. They don’t want to shut down their customers without really good proof.

To your question: if I recall, blocking a number is the same as answering the call and hanging up immediately after it’s answered.

I would grep out 443333 from the full log and see the IP(s) where the INVITEs are coming from, then permanently drop such connections in your router/firewall, whatever you use.

grep 443333 /var/log/asterisk/full | grep INVITE
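The grep above only works if the calling number and the word INVITE share a log line, which depends on how SIP logging is configured. As an added example that is not part of this thread (not the original poster's or FreePBX's own code), the script below walks a log in the layout the PJSIP logger writes ("<--- Received SIP request ... from UDP:IP:PORT --->" followed by the request line and headers), attributes each INVITE to the address it was received from, and counts INVITEs per source for one calling number. The log lines are constructed for the example, the exact header layout is an assumption (chan_sip with `sip set debug on` writes "<--- SIP read from UDP:IP:PORT --->" instead, so adjust the first pattern), and the `iptables` rules are printed rather than executed so they can be checked before use.

```shell
#!/bin/sh
# Added example, not from the thread. Find the source IPs of SIP INVITEs that carry a
# given calling number in their From header, then emit firewall rules for them.
# Log layout below is an assumption modelled on 'pjsip set logger on' output.

# Constructed sample log: two INVITEs from 203.0.113.10, one from 198.51.100.7 (all from
# the caller we care about), plus an INVITE from a different caller that must be ignored.
SAMPLE_LOG='[2023-05-01 09:00:01] VERBOSE[1001] res_pjsip_logger.c: <--- Received SIP request (812 bytes) from UDP:203.0.113.10:5060 --->
INVITE sip:441234567890@198.51.100.5:5060 SIP/2.0
From: "443333440000" <sip:443333440000@203.0.113.10>;tag=1a
To: <sip:441234567890@198.51.100.5>
[2023-05-01 09:00:02] VERBOSE[1001] res_pjsip_logger.c: <--- Received SIP request (812 bytes) from UDP:203.0.113.10:5060 --->
INVITE sip:441234567890@198.51.100.5:5060 SIP/2.0
From: "443333440000" <sip:443333440000@203.0.113.10>;tag=1b
[2023-05-01 09:00:03] VERBOSE[1001] res_pjsip_logger.c: <--- Received SIP request (790 bytes) from UDP:198.51.100.7:5060 --->
INVITE sip:441234567890@198.51.100.5:5060 SIP/2.0
From: <sip:443333440000@198.51.100.7>;tag=2a
[2023-05-01 09:00:04] VERBOSE[1001] res_pjsip_logger.c: <--- Received SIP request (790 bytes) from UDP:192.0.2.9:5060 --->
INVITE sip:441234567890@198.51.100.5:5060 SIP/2.0
From: <sip:441987654321@192.0.2.9>;tag=3a
'

# invite_sources NUMBER [LOGFILE...]
# Prints "count ip" per source address, busiest first. Reads stdin when no file is given,
# e.g.: invite_sources 443333440000 /var/log/asterisk/full
invite_sources() {
    number="$1"; shift
    awk -v num="$number" '
        # Start of a received message: remember the address it came from.
        /<--- Received SIP request .* from UDP:/ {
            src = $0
            sub(/.* from UDP:/, "", src)      # strip everything up to the IP
            sub(/:[0-9]+ --->.*/, "", src)     # strip the port and trailer
            is_invite = 0
            next
        }
        /^INVITE / { is_invite = 1; next }
        # Count the INVITE only if its From header carries the number of interest.
        is_invite && /^From:/ && index($0, num) > 0 { count[src]++; is_invite = 0 }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' "$@" | sort -rn
}

# drop_rules NUMBER [LOGFILE...]
# Emits (does not run) one iptables rule per source found; review before applying.
drop_rules() {
    invite_sources "$@" | awk '{ printf "iptables -I INPUT -s %s -p udp --dport 5060 -j DROP\n", $2 }'
}

printf '%s' "$SAMPLE_LOG" | invite_sources 443333440000
printf '%s' "$SAMPLE_LOG" | drop_rules 443333440000
```

On a real box, run `invite_sources` against `/var/log/asterisk/full` after enabling the SIP logger for a few minutes of the flood; if every INVITE comes from your trunk provider's addresses, the block belongs at the provider (or in the inbound route), not at the firewall, since dropping those addresses would drop all of your inbound calls.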