TIPS PBX IS GETTING ATTACKED

paulhuynh (Member, joined Sep 21, 2009)

I am getting thousands of calls today from one of my DIDs through our SIP provider, all from the 602 area code. Here is an example of my CDR. When we answer the call there is no one there and it is just a quick hangup.


151. 2013-10-03 21:07:59 SIP/IDVIN-... 6023761544 "anonymous" <6023761544> 7001 ANSWERED 00:53
152. 2013-10-03 21:07:50 SIP/IDVIN-... 6023760582 "anonymous" <6023760582> 7001 ANSWERED 00:58
153. 2013-10-03 21:07:48 SIP/IDVIN-... 6024716540 "anonymous" <6024716540> 7001 ANSWERED 01:11
154. 2013-10-03 21:07:44 SIP/IDVIN-... 6023765085 "anonymous" <6023765085> 7001 ANSWERED 00:36
155. 2013-10-03 21:07:42 SIP/IDVIN-... 6023613441 "anonymous" <6023613441> 7001 ANSWERED 00:31
156. 2013-10-03 21:07:39 SIP/IDVIN-... 6023762156 "anonymous" <6023762156> 7001 ANSWERED 00:32
157. 2013-10-03 21:07:39 SIP/IDVIN-... 6027995336 "anonymous" <6027995336> 7001 ANSWERED 00:19
158. 2013-10-03 21:07:38 SIP/IDVIN-... 6023760885 "anonymous" <6023760885> 7001 ANSWERED 00:25
159. 2013-10-03 21:07:37 SIP/IDVIN-... 6023760103 "anonymous" <6023760103> 7001 ANSWERED 00:34
160. 2013-10-03 21:07:36 SIP/IDVIN-... 6023763300 "anonymous" <6023763300> 7001 ANSWERED 00:47
161. 2013-10-03 21:07:33 SIP/IDVIN-... 6023764402 "anonymous" <6023764402> 7001 ANSWERED 00:36
162. 2013-10-03 21:07:25 SIP/IDVIN-... 6023766293 "anonymous" <6023766293> 7001 ANSWERED 00:51
163. 2013-10-03 21:07:23 SIP/IDVIN-... 6023765541 "anonymous" <6023765541> 7001 ANSWERED 00:37
164. 2013-10-03 21:07:16 SIP/IDVIN-... 6023762509 "anonymous" <6023762509> 7001 ANSWERED 00:23
165. 2013-10-03 21:07:13 SIP/IDVIN-... 6023762619 "anonymous" <6023762619> 7001 ANSWERED 00:32
166. 2013-10-03 21:07:07 SIP/IDVIN-... 6023762217 "anonymous" <6023762217> 7001 ANSWERED 00:34
167. 2013-10-03 21:07:07 SIP/IDVIN-... 6023765085 "anonymous" <6023765085> 7001 ANSWERED 00:32
168. 2013-10-03 21:06:48 SIP/IDVIN-... 6023760644 "anonymous" <6023760644> 7001 ANSWERED 00:32
169. 2013-10-03 21:06:47 SIP/IDVIN-... 6023765482 "anonymous" <6023765482> 7001 ANSWERED 00:32
170. 2013-10-03 21:06:41 SIP/IDVIN-... 6023765777 "anonymous" <6023765777> 7001 ANSWERED 00:43
171. 2013-10-03 21:06:35 SIP/IDVIN-... 6023765085 "anonymous" <6023765085> 7001 ANSWERED 00:25
172. 2013-10-03 21:06:33 SIP/IDVIN-... 6023766294 "anonymous" <6023766294> 7001 ANSWERED 00:36
173. 2013-10-03 21:06:29 SIP/IDVIN-... 6023760318 "anonymous" <6023760318> 7001 ANSWERED 00:41
174. 2013-10-03 21:06:22 SIP/IDVIN-... 6023764272 "anonymous" <6023764272> 7001 ANSWERED 03:06
175. 2013-10-03 21:06:21 SIP/IDVIN-... 6022911583 "anonymous" <6022911583> s ANSWERED 00:14

(Joined Nov 14, 2008)

Use this tool:

http://www.localcallingguide.com/lca_prefix.php

Call the carriers; looks like Verizon and Sprint. Talk with a supervisor or tech support. They will pursue them as nuisance calls. Keep in mind this may just be caller-ID spoofing and in fact not coming from these carriers at all, so you'll want to check for any IP information you can find in the logs or CLI.

You can temporarily route 602 calls to terminate. If you find an IP involved then you can block that.
 

paulhuynh (Member, joined Sep 21, 2009)

They are coming from my carrier trunk so I can't stop it.

Can I configure an inbound route or something to drop all calls from the 602 area code until I can have it fixed?

Right now I have deleted the DID from my inbound but I keep getting this on my CLI and it costs me a lot of money for inbound.

-- Executing [7033763566@from-trunk:1] Set("SIP/IDVIN-00000070", "__FROM_DID=703376xxxx") in new stack
-- Executing [7033763566@from-trunk:2] NoOp("SIP/IDVIN-00000070", "Received an unknown call with DID set to 703376xxxx") in new stack
-- Executing [7033763566@from-trunk:3] Goto("SIP/IDVIN-00000070", "s|a2") in new stack
-- Goto (from-trunk,s,2)
-- Executing [s@from-trunk:2] Answer("SIP/IDVIN-00000070", "") in new stack
-- Executing [s@from-trunk:3] Wait("SIP/IDVIN-00000070", "2") in new stack
== Manager 'admin' logged off from 127.0.0.1
-- Executing [s@from-trunk:4] Playback("SIP/IDVIN-00000070", "ss-noservice") in new stack
-- <SIP/IDVIN-00000070> Playing 'ss-noservice' (language 'en')
== Parsing '/etc/asterisk/manager.conf': Found
== Parsing '/etc/asterisk/manager_additional.conf': Found
== Parsing '/etc/asterisk/manager_custom.conf': Found
== Manager 'admin' logged on from 127.0.0.1
-- Executing [s@from-trunk:5] SayAlpha("SIP/IDVIN-00000070", "703376xxxx") in new stack
-- <SIP/IDVIN-00000070> Playing 'digits/7' (language 'en')
-- <SIP/IDVIN-00000070> Playing 'digits/0' (language 'en')
== Manager 'admin' logged off from 127.0.0.1
== Spawn extension (from-trunk, s, 5) exited non-zero on 'SIP/IDVIN-00000070'
-- Executing [h@from-trunk:1] Macro("SIP/IDVIN-00000070", "hangupcall|") in new stack
-- Executing [s@macro-hangupcall:1] GotoIf("SIP/IDVIN-00000070", "1?skiprg") in new stack
-- Goto (macro-hangupcall,s,4)
-- Executing [s@macro-hangupcall:4] GotoIf("SIP/IDVIN-00000070", "1?skipblkvm") in new stack
-- Goto (macro-hangupcall,s,7)
-- Executing [s@macro-hangupcall:7] GotoIf("SIP/IDVIN-00000070", "1?theend") in new stack
-- Goto (macro-hangupcall,s,9)
-- Executing [s@macro-hangupcall:9] Hangup("SIP/IDVIN-00000070", "") in new stack
== Spawn extension (macro-hangupcall, s, 9) exited non-zero on 'SIP/IDVIN-00000070' in macro 'hangupcall'
== Spawn extension (from-trunk, h, 1) exited non-zero on 'SIP/IDVIN-00000070'
 

rossiv (Guru, joined Oct 26, 2008)

Add the DID back and set the destination to Hangup.
 
(Joined Nov 14, 2008)

You didn't mention who your provider is, but most have a way to route particular DIDs to somewhere besides your IP trunk. That may be an option as long as it routes somewhere that doesn't result in a charge (like a Busy test number: 201-261-9970 or non-working number).
 

wardmundy (Nerd Uno, joined Oct 12, 2007)

Is it 602376 or 703376?? So long as you don't have any other incoming calls from numbers containing the numeric strings 602376 and 703376, you can add rules to IPtables with these commands:

Code:
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "602376" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "703376" --algo bm

Or you could drop all anonymous calls by substituting anonymous for one of the numbers above. Keep in mind that you will never see these calls in your log!!!

These rules will get wiped out when you reboot your server which is probably long enough to make the jerks go elsewhere anyway!
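
Added example, not part of the post above or of any poster's own code: before installing a string-match DROP rule, tally the caller prefixes in the CDR to see how much of the flood one six-digit string covers, and check what else the same string would hit. The SIP INVITE, its hostnames and the function names are constructed for illustration; the CDR rows are copied from the first post.

```bash
#!/usr/bin/env bash
# Added example: size up a "-m string" DROP rule before installing it.
# Not code from the thread; function names are hypothetical.

# Six rows copied from the CDR listing in the first post.
SAMPLE_CDR='151. 2013-10-03 21:07:59 SIP/IDVIN-... 6023761544 "anonymous" <6023761544> 7001 ANSWERED 00:53
152. 2013-10-03 21:07:50 SIP/IDVIN-... 6023760582 "anonymous" <6023760582> 7001 ANSWERED 00:58
153. 2013-10-03 21:07:48 SIP/IDVIN-... 6024716540 "anonymous" <6024716540> 7001 ANSWERED 01:11
154. 2013-10-03 21:07:44 SIP/IDVIN-... 6023765085 "anonymous" <6023765085> 7001 ANSWERED 00:36
155. 2013-10-03 21:07:42 SIP/IDVIN-... 6023613441 "anonymous" <6023613441> 7001 ANSWERED 00:31
156. 2013-10-03 21:07:39 SIP/IDVIN-... 6023762156 "anonymous" <6023762156> 7001 ANSWERED 00:32'

# Constructed SIP INVITE from an unrelated caller; only the Call-ID
# happens to contain the digits 602376.
SAMPLE_INVITE='INVITE sip:7001@pbx.example.invalid SIP/2.0
From: "Alice" <sip:4155550100@carrier.example.invalid>;tag=a1
Call-ID: 9f602376c2@carrier.example.invalid
CSeq: 1 INVITE'

# Print "count prefix" for each 6-digit caller prefix, busiest first.
# Field 5 is the caller number in this report layout.
cdr_prefix_counts() {
  awk 'length($5) == 10 && $5 !~ /[^0-9]/ { n[substr($5, 1, 6)]++ }
       END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# Print "hits/total": CDR rows on stdin whose caller number starts with
# prefix $1, i.e. the calls a rule for that string would have stopped.
rule_coverage() {
  awk -v p="$1" 'index($5, p) == 1 { hit++ } END { printf "%d/%d\n", hit, NR }'
}

# Return 0 if payload $2 contains $1 anywhere, which is all that
# "-m string --string" checks; it has no notion of SIP headers.
string_rule_matches() {
  case "$2" in *"$1"*) return 0 ;; *) return 1 ;; esac
}

printf '%s\n' "$SAMPLE_CDR" | cdr_prefix_counts
echo "602376 rule covers $(printf '%s\n' "$SAMPLE_CDR" | rule_coverage 602376) sampled calls"
string_rule_matches 602376 "$SAMPLE_INVITE" && echo "unrelated INVITE would also be dropped"
```

Since packets dropped this way never reach Asterisk, the per-rule packet counters shown by `iptables -L INPUT -v -n` are the remaining place to see whether the rules are still matching traffic.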
 

leemason (Guru, joined Mar 3, 2012)

Didn't know you could do that with iptables. Very useful!
 
