What's new

Phantom Phone Ringing! Only allow SIP traffic from a specific IP or range of IPs?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

the_townie

Occasional Visitor
Hey guys,

I have a Grandstream GXP2160 VOIP. It's setup using Asterisk through a local provider. I'm using an AC68U. For whatever reason, I've started getting phantom ringing (I literally get 50-60 "ghost" calls per day!). The phone IT person did some research and found that it's related to "sipvicious.org"

Here is the information that he gave me from their SIP provider:

Phantom Ringing and SipVicious

"Phantom Ringing" is a phenomenon where phones ring but if they are answered no one is there. Often the caller ID on these calls is something simple like 1000, even if there is no extension 1000 on the account.

The source of calls like this is usually a direct IP call (Invite) to the customer IP from a computer running an app like SipVicious in an attempt to exploit an unsecured SIP server. Since the Invites are not processed on the Cloud9Phone server there is no record of them in the Activity Report or the server logs. The Invites are usually sent on port 5060 because SIP servers, like SIP phones, talk on port 5060. Any phone registered on port 5060 at that IP will then ring in response to the Invite.

You can tell what port an extension uses on the WAN by clicking Show Details in the Extension detail page. About 2/3 of the way down you will see an entry with the IP and port of the extension such as Addr->IP: 75.100.75.100 Port 8580.

In many business applications, where several phones are registered from the same WAN IP, one phone will be registered externally on port 5060 and others at some other range, say 1020, 1021, 1022. The router in that case performs network address translation (NAT) to route the packets on the WAN side ports to the correct phones on the LAN side. A phantom call to port 5060 on the WAN side in this scenario will only ring the phone registered on 5060 externally and not the others. In a home user application where only one phone is registering from the LAN, the router will often allow that phone to register on 5060 on the WAN side.

The recommended fix for this is not to expose 5060 on the WAN side if possible, in one of the following ways:

Enable NAT in the router to force the phone to register an another port externally.

Configure the router to only allow SIP traffic from a specific IP (the White Label SIP server).

Configure the phone explicitly to use another port (if NAT is not used).

Unfortunately in many applications where a simple home router is involved methods 1 and 2 are not possible and method 3 does not work with all phones.

We are continuing to look for ways to mitigate these annoyance calls.

It should be noted that sipvicious is a legitimate service probe (an application that scans large numbers of network addresses looking for systems running a specific service), and that beyond the annoyance factor such probes offer no threat to the hosted phone user since they are not running a sip server, only a sip phone. More info can be found at sipvicious.org.


From above, I would fit in the "home user application." The IT guy said that typically they will just whitelist an entire range of IPs associated with the provider for the phone. I didn't see a way to list an entire range. If I use the Network Services Filter and enter the following:

Source IP: 192.168.100.101
Port Range: 5060
Destination IP: 8.20.94.76 (SIP Server)
Port Range: 5060 or left blank
Protocol: UDP

the phone will stay connected, but all other devices lose internet access.

Is there a way for me to only allow SIP traffic from a particular range of IPs? I have no experience in jffs, iptables, etc., but can relay the information to the IT guy.

Sorry for the LONG post. I hope one of you can help me get this sorted out. I'm about to lose my mind with this phone ringing. I had to turn the ringer off!

Thanks in advance!

-Chris
 
Last edited:
While we did not suffer from the "phantom ring" issue, we did have a call quality issue with out VOIP phones because the firewall was blocking some of the traffic. While this has not fixed all of the problems it has resolved most of them. If anyone with more knowledge has anything to add please do, as we are still dropping some of the packets, but using this firewall-start script has helped.

Step 1 make a basic firewall script.

In Notepad++ (I assume you are using windows) enter the following in to a new file:

#!/bin/sh

#Allow VOIP to come in!
iptables -A INPUT -s xxx.xxx.xx.xxx -j ACCEPT

Replace the x with your VOIP provider's ip.

Next select Edit, and go to "EOL Conversion" and select UNIX/OSX Format.

Save the file as firewall-start. When it asks what type of file select "all types"

Step 2 Upload script to the router.

First make sure you have a jffs partition enabled (found in the admin system tab). Also enable SSH (found in the admin system tab as well). Once these have been enabled and running log into the router using WinSCP (make sure to use SCP mode). Navigate to the /jffs/scripts folder and copy the firewall-start script there.

Step 3 enable the script and run it.

Using PuTTY log into your router and use the following commands:

chmod 777 /jffs/scripts/firewall-start
This will make the file rwx (open to be used, written, and read)

Then enter the following to start the script:

/jffs/scripts/firewall-start

Next restart the firewall to make the rule(s) take effect:

service restart_firewall

If anyone has anything to add, or if I am doing something wrong pleas let me know. I hope this helps with your issue.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top