QUESTION Keep getting hammered with anonymous SIP connections

simplydrew

Member
Joined
Feb 19, 2012
Messages
92
Reaction score
4
One of my PIAF VPS' that I'm using for a few remote phones to connect to is getting hammered from every IP imaginable, and they haven't given up since the box has come online. Fail2ban is blocking the IPs, but the attacker is changing them on almost every attempt. Excerpt from one attempt that shows in the Asterisk CLI:

Code:
    -- Executing [93011972595450358@from-sip-external:1] NoOp("SIP/MY-VPS-IP-00003472", "Received incoming SIP connection from unknown peer to 93011972595450358") in new stack
    -- Executing [93011972595450358@from-sip-external:2] Set("SIP/MY-VPS-IP-00003472", "DID=93011972595450358") in new stack
    -- Executing [93011972595450358@from-sip-external:3] Goto("SIP/MY-VPS-IP-00003472", "s,1") in new stack
    -- Goto (from-sip-external,s,1)
    -- Executing [s@from-sip-external:1] GotoIf("SIP/MY-VPS-IP-00003472", "0?checklang:noanonymous") in new stack
    -- Goto (from-sip-external,s,5)
    -- Executing [s@from-sip-external:5] Set("SIP/MY-VPS-IP-00003472", "TIMEOUT(absolute)=15") in new stack
    -- Channel will hangup at 2015-08-30 01:45:34.901 UTC.
    -- Executing [s@from-sip-external:6] Log("SIP/MY-VPS-IP-00003472", "WARNING,"Rejecting unknown SIP connection from 212.83.134.100"") in new stack
[2015-08-30 01:45:19] WARNING[10480][C-000033a9]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 212.83.134.100"
    -- Executing [s@from-sip-external:7] Answer("SIP/MY-VPS-IP-00003472", "") in new stack
[2015-08-30 01:45:20] WARNING[6833]: chan_sip.c:4020 retrans_pkt: Retransmission timeout reached on transmission 8cd663c7af0929c04b8c5d6d36c506e1 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
    -- Executing [s@from-sip-external:8] Wait("SIP/MY-VPS-IP-00003472", "2") in new stack
    -- Executing [s@from-sip-external:9] Playback("SIP/MY-VPS-IP-00003472", "ss-noservice") in new stack
    -- <SIP/MY-VPS-IP-00003472> Playing 'ss-noservice.gsm' (language 'en')
    -- Executing [s@from-sip-external:10] PlayTones("SIP/MY-VPS-IP-00003472", "congestion") in new stack
    -- Executing [s@from-sip-external:11] Congestion("SIP/MY-VPS-IP-00003472", "5") in new stack
  == Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/MY-VPS-IP-00003472'
    -- Executing [h@from-sip-external:1] Hangup("SIP/MY-VPS-IP-00003472", "") in new stack
  == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/MY-VPS-IP-00003472'
[2015-08-30 01:45:51] WARNING[6833]: chan_sip.c:4020 retrans_pkt: Retransmission timeout reached on transmission fb9d32384b70d81a7b543ea86447332e for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32001ms with no response

I have iptables locked down to only allowing my VOIP provider's IP addresses and the location of the remote phone's WAN IP, restarted iptables, but am still getting these inbound attempts. I also have confirmed that I have "anonymous SIP connections" set to the default of "no" in "Asterisk SIP Settings".

What can I do now? This is throwing off my reporting significantly in the CDR, as I have hundreds upon hundreds of call rejections within it - so this is getting bad.
 

atsak

Guru
Joined
Sep 7, 2009
Messages
2,381
Reaction score
436
You have another rule that is permitting SIP connections in your iptables. So you have the permit rule for your carrier and your end users, but you must have left a default rule that allows all port 5060 connections.

Remove it.
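
Added example, not part of the post above or the thread: one way to find the kind of rule described, by scanning `iptables -S INPUT` output for ACCEPT rules that have no source restriction and still cover port 5060. The ruleset in `sample_rules` is constructed for illustration, and `find_open_sip_rules` is a hypothetical helper name.

```shell
# Added example: flag INPUT rules that accept SIP from any source.
# sample_rules is a constructed ruleset in `iptables -S INPUT` format;
# the addresses are documentation ranges, not values from the thread.
sample_rules() {
cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.10/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 203.0.113.25/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

# Reads rules on stdin; prints "<line>: <rule>" for every ACCEPT that has
# no source restriction and whose port match (or lack of one) covers $1.
find_open_sip_rules() {
  awk -v port="${1:-5060}" '
    function covers(spec,   n, parts, i, r) {   # spec: "5060", "5000:5100", "22,5060"
      n = split(spec, parts, ",")
      for (i = 1; i <= n; i++) {
        if (split(parts[i], r, ":") == 2) {
          if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
        } else if (parts[i] + 0 == port + 0) return 1
      }
      return 0
    }
    $1 == "-P" && $2 == "INPUT" && $3 == "ACCEPT" { print NR ": " $0; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
      src = ""; dport = ""; target = ""; iface = ""; state = ""; proto = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-s") src = $(i + 1)
        else if ($i == "-i") iface = $(i + 1)
        else if ($i == "-p") proto = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
        else if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
        else if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
      }
      if (target != "ACCEPT" || iface == "lo" || proto == "icmp") next
      if (src != "" && src != "0.0.0.0/0") next          # restricted to a source
      if (state != "" && state !~ /NEW/) next            # replies only, not new calls
      if (dport == "" || covers(dport)) print NR ": " $0
    }'
}

sample_rules | find_open_sip_rules
```

On a live box the same function can be fed with `iptables -S INPUT | find_open_sip_rules`; because iptables stops at the first matching rule, any line it prints lets unknown peers reach SIP regardless of the per-source allow rules around it.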
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

Here is part of your problem as well:

Code:
    -- Executing [s@from-sip-external:8] Wait("SIP/MY-VPS-IP-00003472", "2") in new stack
    -- Executing [s@from-sip-external:9] Playback("SIP/MY-VPS-IP-00003472", "ss-noservice") in new stack
    -- <SIP/MY-VPS-IP-00003472> Playing 'ss-noservice.gsm' (language 'en')
    -- Executing [s@from-sip-external:10] PlayTones("SIP/MY-VPS-IP-00003472", "congestion") in new stack
    -- Executing [s@from-sip-external:11] Congestion("SIP/MY-VPS-IP-00003472", "5") in new stack

You have set anonymous SIP calls to disallowed; this answers each and every call, then plays a message "Sorry this number is not in service". I'd argue this is not a good way to deal with calls that you don't want.

I'd suggest that you should send the calls to congestion and not answer them at all, let alone play a message.

To achieve this, ensure you have every DID you own entered into inbound routes, add a new route with the string _. as the DID, and send the call straight to congestion, then set allow anonymous sip calls to yes.

Thus, if someone knows your number, then your phone rings; if they don't, then they are disconnected immediately, and you don't end up with thousands of useless CDR.

Joe

PS I'd agree with atsak as well
 
