the_townie
Occasional Visitor
Hey guys,
I have a Grandstream GXP2160 VOIP. It's set up using Asterisk through a local provider. I'm using an AC68U. For whatever reason, I've started getting phantom ringing (I literally get 50-60 "ghost" calls per day!). The phone IT person did some research and found that it's related to "sipvicious.org".
Here is the information that he gave me from their SIP provider:
Phantom Ringing and SipVicious
"Phantom Ringing" is a phenomenon where phones ring but if they are answered no one is there. Often the caller ID on these calls is something simple like 1000, even if there is no extension 1000 on the account.
The source of calls like this is usually a direct IP call (Invite) to the customer IP from a computer running an app like SipVicious in an attempt to exploit an unsecured SIP server. Since the Invites are not processed on the Cloud9Phone server there is no record of them in the Activity Report or the server logs. The Invites are usually sent on port 5060 because SIP servers, like SIP phones, talk on port 5060. Any phone registered on port 5060 at that IP will then ring in response to the Invite.
You can tell what port an extension uses on the WAN by clicking Show Details in the Extension detail page. About 2/3 of the way down you will see an entry with the IP and port of the extension such as Addr->IP: 75.100.75.100 Port 8580.
In many business applications, where several phones are registered from the same WAN IP, one phone will be registered externally on port 5060 and others at some other range, say 1020, 1021, 1022. The router in that case performs network address translation (NAT) to route the packets on the WAN side ports to the correct phones on the LAN side. A phantom call to port 5060 on the WAN side in this scenario will only ring the phone registered on 5060 externally and not the others. In a home user application where only one phone is registering from the LAN, the router will often allow that phone to register on 5060 on the WAN side.
The recommended fix for this is not to expose 5060 on the WAN side if possible, in one of the following ways:
1. Enable NAT in the router to force the phone to register on another port externally.
2. Configure the router to only allow SIP traffic from a specific IP (the White Label SIP server).
3. Configure the phone explicitly to use another port (if NAT is not used).
Unfortunately, in many applications where a simple home router is involved, methods 1 and 2 are not possible and method 3 does not work with all phones.
We are continuing to look for ways to mitigate these annoyance calls.
It should be noted that sipvicious is a legitimate service probe (an application that scans large numbers of network addresses looking for systems running a specific service), and that beyond the annoyance factor such probes offer no threat to the hosted phone user since they are not running a sip server, only a sip phone. More info can be found at sipvicious.org.
From above, I would fit in the "home user application." The IT guy said that typically they will just whitelist an entire range of IPs associated with the provider for the phone. I didn't see a way to list an entire range. If I use the Network Services Filter and enter the following:
Source IP: 192.168.100.101
Port Range: 5060
Destination IP: 8.20.94.76 (SIP Server)
Port Range: 5060 or left blank
Protocol: UDP
the phone will stay connected, but all other devices lose internet access.
Is there a way for me to only allow SIP traffic from a particular range of IPs? I have no experience in jffs, iptables, etc., but can relay the information to the IT guy.
Sorry for the LONG post. I hope one of you can help me get this sorted out. I'm about to lose my mind with this phone ringing. I had to turn the ringer off!
Thanks in advance!
-Chris
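An added example, not part of the original post or the provider's note: a small generator for the iptables rules behind method 2, scoped to UDP packets addressed to the phone's SIP port so that the phone's outbound traffic and every other device are untouched. It assumes an iptables-based router on which packets for the phone traverse the FORWARD chain; the chain name SIPGUARD is hypothetical, the phone and SIP server addresses are the ones quoted in the post, and the provider's real ranges have to be supplied by the provider.

```shell
#!/bin/sh
# Prints the iptables commands for review; nothing is applied to the firewall.
# Usage: sip_guard_rules PHONE_LAN_IP SIP_PORT PROVIDER_CIDR [PROVIDER_CIDR...]
sip_guard_rules() {
    phone="$1"; port="$2"
    [ "$#" -ge 3 ] || { echo "need phone IP, port and at least one range" >&2; return 1; }
    shift 2
    ipv4='([0-9]{1,3}\.){3}[0-9]{1,3}'

    # Validate every argument before emitting anything, so a malformed value
    # can never end up inside a command line that is later pasted into a shell.
    echo "$phone" | grep -Eq "^${ipv4}$" ||
        { echo "bad phone IP: $phone" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    for cidr in "$@"; do
        echo "$cidr" | grep -Eq "^${ipv4}(/([0-9]|[12][0-9]|3[0-2]))?$" ||
            { echo "bad range: $cidr" >&2; return 1; }
    done

    # Dedicated chain: allowed sources RETURN to the normal FORWARD rules
    # (so nothing new is opened), every other source is dropped.
    echo "iptables -N SIPGUARD"
    for cidr in "$@"; do
        echo "iptables -A SIPGUARD -s $cidr -j RETURN"
    done
    echo "iptables -A SIPGUARD -j DROP"

    # Only UDP packets destined for the phone's SIP port enter the chain.
    echo "iptables -I FORWARD 1 -p udp -d $phone --dport $port -j SIPGUARD"
}

# Constructed sample run using the addresses from the post.
sip_guard_rules 192.168.100.101 5060 8.20.94.76/32
```

Because the match is on destination (the phone) rather than on source, the rule set does not behave like the Network Services Filter entry described above, which cut off the other devices.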