Trace Incoming SIP Calls

Hi All,

This afternoon we started experiencing the phones ringing twice and then disconnecting. It was happening about once every 6-8 minutes.

Finally getting a chance to look at the CDR report, I’m finding 32 entries that look like this:

Call Date            Recording  System         CallerID  Outbound CallerID  DID  App         Destination            Disposition  Duration  Userfield  Account
2014-04-10 17:14:55             1397168095.94  1002                              Congestion  s [from-sip-external]  ANSWERED     00:13
2014-04-10 17:22:01             1397168521.95  1002                              Congestion  s [from-sip-external]  ANSWERED     00:12
2014-04-10 17:28:45             1397168925.96  1002                              Congestion  s [from-sip-external]  ANSWERED     00:13
First call at 17:14 and last call at 20:32, each one lasting 13 seconds. When I click thru to get the details, I get the following:
Time                 Event         CNAM  CNUM  ANI   DID            AMA      exten          context            App     channel                   UserDefType  EventExtra
2014-04-10 17:14:55  CHAN_START    1002  1002                        DEFAULT  +972544737596  from-sip-external          SIP/192.168.1.3-0000003c
2014-04-10 17:14:55  ANSWER        1002  1002  1002  +972544737596  DEFAULT  s              from-sip-external  Answer  SIP/192.168.1.3-0000003c
2014-04-10 17:15:08  HANGUP        1002  1002  1002  +972544737596  DEFAULT  h              from-sip-external          SIP/192.168.1.3-0000003c
2014-04-10 17:15:08  CHAN_END      1002  1002  1002  +972544737596  DEFAULT  h              from-sip-external          SIP/192.168.1.3-0000003c
2014-04-10 17:15:08  LINKEDID_END  1002  1002  1002  +972544737596  DEFAULT  h              from-sip-external          SIP/192.168.1.3-0000003c
I am not seeing any corresponding CDR records from my SIP provider. Anyone have any clues as to what's happening?

Thanks,
Westley
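The pattern in the CEL export above (the same unknown peer, the same international destination, a 12-13 second "answered" call every few minutes in from-sip-external) is what you would want to pull out of the log automatically rather than by clicking through 32 records. The script below is an added example, not Westley's data and not a FreePBX tool: it reassembles CEL events into call legs, groups them by peer and dialed number, and reports peers that repeatedly place short calls to an international number. The sample rows are constructed to mirror the post's layout (pipe-separated here, with two ordinary calls mixed in so the filter has something to ignore); the thresholds and the international-prefix pattern are assumptions you would tune for your own dial plan.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed CEL rows modelled on the post's export (not the poster's real data).
# Fields: time|event|cnum|exten|context|app|channel
SAMPLE_CEL = """\
2014-04-10 17:14:55|CHAN_START|1002|+972544737596|from-sip-external||SIP/192.168.1.3-0000003c
2014-04-10 17:14:55|ANSWER|1002|s|from-sip-external|Answer|SIP/192.168.1.3-0000003c
2014-04-10 17:15:08|HANGUP|1002|h|from-sip-external||SIP/192.168.1.3-0000003c
2014-04-10 17:15:08|CHAN_END|1002|h|from-sip-external||SIP/192.168.1.3-0000003c
2014-04-10 17:22:01|CHAN_START|1002|+972544737596|from-sip-external||SIP/192.168.1.3-0000003d
2014-04-10 17:22:01|ANSWER|1002|s|from-sip-external|Answer|SIP/192.168.1.3-0000003d
2014-04-10 17:22:13|HANGUP|1002|h|from-sip-external||SIP/192.168.1.3-0000003d
2014-04-10 17:22:13|CHAN_END|1002|h|from-sip-external||SIP/192.168.1.3-0000003d
2014-04-10 17:25:30|CHAN_START|2001|1002|from-internal||SIP/2001-0000003e
2014-04-10 17:25:32|ANSWER|2001|1002|from-internal|Dial|SIP/2001-0000003e
2014-04-10 17:31:10|HANGUP|2001|h|from-internal||SIP/2001-0000003e
2014-04-10 17:31:10|CHAN_END|2001|h|from-internal||SIP/2001-0000003e
2014-04-10 17:28:45|CHAN_START|1002|+972544737596|from-sip-external||SIP/192.168.1.3-0000003f
2014-04-10 17:28:45|ANSWER|1002|s|from-sip-external|Answer|SIP/192.168.1.3-0000003f
2014-04-10 17:28:58|HANGUP|1002|h|from-sip-external||SIP/192.168.1.3-0000003f
2014-04-10 17:28:58|CHAN_END|1002|h|from-sip-external||SIP/192.168.1.3-0000003f
2014-04-10 17:40:02|CHAN_START|2125550100|2125551234|from-sip-external||SIP/203.0.113.9-00000040
2014-04-10 17:40:05|ANSWER|2125550100|s|from-sip-external|Answer|SIP/203.0.113.9-00000040
2014-04-10 17:44:40|HANGUP|2125550100|h|from-sip-external||SIP/203.0.113.9-00000040
2014-04-10 17:44:40|CHAN_END|2125550100|h|from-sip-external||SIP/203.0.113.9-00000040
"""

CEL_FIELDS = ("time", "event", "cnum", "exten", "context", "app", "channel")
# Assumed international dial-string shapes: E.164 "+", or 00 / 011 prefixes.
INTL_RE = re.compile(r"^(?:\+|00|011)\d{7,}$")
# chan_sip names channels SIP/<peer-or-source-ip>-<8 hex digits>.
CHANNEL_RE = re.compile(r"^SIP/(.+)-[0-9a-fA-F]{8}$")


def parse_cel(text):
    """Turn pipe-separated CEL rows into dicts with a datetime timestamp."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(CEL_FIELDS):
            continue  # skip blank or malformed lines
        row = dict(zip(CEL_FIELDS, parts))
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def reassemble_calls(rows):
    """Group CEL events by channel into one record per call leg."""
    calls = {}
    for r in rows:
        c = calls.setdefault(r["channel"], {"channel": r["channel"], "cnum": r["cnum"],
                                            "dialed": None, "context": None,
                                            "start": None, "answer": None, "end": None})
        if r["event"] == "CHAN_START":
            # Only CHAN_START carries the dialed number; later events show s / h.
            c["start"], c["dialed"], c["context"] = r["time"], r["exten"], r["context"]
        elif r["event"] == "ANSWER":
            c["answer"] = r["time"]
        elif r["event"] in ("HANGUP", "CHAN_END"):
            c["end"] = r["time"]
    return list(calls.values())


def peer_of(channel):
    m = CHANNEL_RE.match(channel)
    return m.group(1) if m else channel


def find_probes(calls, min_repeats=3, max_seconds=30):
    """Peers that repeatedly place short international calls via from-sip-external."""
    by_key = defaultdict(list)
    for c in calls:
        if c["context"] != "from-sip-external" or c["start"] is None:
            continue
        if not INTL_RE.match(c["dialed"] or ""):
            continue
        by_key[(peer_of(c["channel"]), c["dialed"])].append(c)
    alerts = []
    for (peer, number), group in sorted(by_key.items()):
        durations = [(c["end"] - c["start"]).total_seconds() for c in group if c["end"]]
        if len(group) >= min_repeats and durations and max(durations) <= max_seconds:
            alerts.append({"peer": peer, "dialed": number, "count": len(group),
                           "first": min(c["start"] for c in group),
                           "last": max(c["start"] for c in group),
                           "max_seconds": max(durations)})
    return alerts


def scan(text, **kw):
    return find_probes(reassemble_calls(parse_cel(text)), **kw)


if __name__ == "__main__":
    for a in scan(SAMPLE_CEL):
        print(f"{a['count']} short calls from {a['peer']} to {a['dialed']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the constructed sample this reports one peer, 192.168.1.3, with three 12-13 second calls to +972544737596, and ignores both the internal call and the normal inbound call to a DID. The keying on the channel name is the weak spot: with anonymous SIP, Asterisk puts the source address it actually received the INVITE from into the channel name, so a private address there means the packets really did arrive from 192.168.1.3 (a LAN host, or something NAT'd into the LAN), which is exactly the point the replies below make.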

Someone is trying to hack your system

but intriguingly from a non-routable address. What do you know about 192.168.1.3?

I am sure that is a NAT’d address. I would much rather see it from a layer 3 perspective; some tcpdump would be good. (Note to OP: for God’s sake, if you are going to send some raw TCP data, put it up at pastebin.ca and snarl at least 1800 bytes of each datagram.)

Since you can embed Layer 3 address info in SIP messages, people sometimes come to the conclusion that an IP has been spoofed. You really can’t spoof an IP, since in order for the communications to be established Asterisk has to be able to send data back to the originator, or else the transaction times out. (The dreaded audio-drops-in-30-seconds issue: a blind INVITE will connect a call, but if nothing comes back it explodes.)

It is also important to remember that UDP is stateless and has no connection or ack/nak arrangement like TCP.

I think I need to go get a tattoo of the OSI model.