[QUESTION] SIP.US and RTP port forwarding

Johann (Member, joined Feb 1, 2015, 30 messages, reaction score 4)
We would like to get a few SIP trunks for our PIAF box and have looked at sip.us. Our main concern, though, is that on your firewall you have to leave the RTP ports open to the internet at large.
At least that is what they are saying on their website.
I can lock down UDP 5060 and allow traffic only from the sip.us domain name, so that is good.

With RTP I can't do that, they say, because they release the media on all calls to the closest carrier media gateway.

Now, what are the implications of that in terms of security?
Potential DoS attacks?
More?

Thanks.
 

atsak (Guru, joined Sep 7, 2009, 2,381 messages, reaction score 436)
I have had RTP open for the better part of 3 or 4 years now on all my servers (ports 10,000 to 20,000, RTP only) without incident thus far. The only time I have gotten into trouble is when 5060 is open.

DoS is always possible but the port does not need to be open for that :)
 

rentpbx (Guru, joined Nov 2, 2010, 109 messages, reaction score 16)
From experience, we can confirm atsak's observation. We have not seen issues opening RTP ports to the public.

From a theoretical perspective, here is our understanding of the SIP and RTP protocols. There should be no process listening on the RTP port range when there is no established SIP session. When a box receives an RTP packet for which there is no listener, the processing time the Linux kernel needs to respond to such a packet is negligible. There should be no issue in this case. Perhaps a DoS attack can happen on an active RTP session, because Asterisk will obviously be listening on that port. However, a good SIP negotiation should use two random RTP ports from the RTP port range on each call session. Therefore, it will be really hard for a potential hacker to guess and perform DoS on an active RTP session.

Another form of DoS is to flood a box with RTP traffic up to the physical capacity of the box's network card. Blocking this type of DoS with iptables is not effective. This is a totally different type of DoS and requires a different solution.
 
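Editor's note: the following is an added example, not code from this thread or from Asterisk/PIAF. It makes rentpbx's two points concrete: the only UDP ports in the forwarded range that have a listener are the ones a live call negotiated in its SDP, and the attacker has to guess them out of the whole range. The script reads the range Asterisk allocates from (assumed to be rtpstart/rtpend in rtp.conf, as in a stock Asterisk install), pulls the RTP and RTCP ports out of a call's SDP, checks both against the range the firewall forwards (the 10000-20000 used in this thread), and estimates the chance of a blind packet hitting a live port. The rtp.conf text and the SDP body are constructed samples using TEST-NET addresses.

```python
import re
from typing import List, Tuple

# Constructed sample rtp.conf; the keys are Asterisk's own rtpstart/rtpend.
SAMPLE_RTP_CONF = """\
[general]
rtpstart=10000
rtpend=20000
"""

# Constructed sample SDP body, as a 200 OK from a PBX might carry it.
SAMPLE_SDP = """\
v=0
o=- 1707 1707 IN IP4 203.0.113.10
s=Asterisk
c=IN IP4 203.0.113.10
t=0 0
m=audio 14378 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=sendrecv
"""

Range = Tuple[int, int]


def parse_rtp_range(conf_text: str) -> Range:
    """Return (rtpstart, rtpend) from rtp.conf text.

    Falls back to Asterisk's documented defaults (5000, 31000) if a key is missing,
    which is exactly the case where a 10000-20000 forward silently loses audio.
    """
    start = re.search(r"^\s*rtpstart\s*=\s*(\d+)", conf_text, re.M)
    end = re.search(r"^\s*rtpend\s*=\s*(\d+)", conf_text, re.M)
    return (int(start.group(1)) if start else 5000,
            int(end.group(1)) if end else 31000)


def parse_sdp_media(sdp_text: str) -> Tuple[str, int, int]:
    """Return (connection IP, RTP port, RTCP port) for the first audio stream.

    RTCP is RTP+1 per RFC 3550 unless an a=rtcp: attribute says otherwise, so a
    single call occupies two UDP ports in the range, as rentpbx describes.
    """
    conn = re.search(r"^c=IN IP4 (\S+)", sdp_text, re.M)
    media = re.search(r"^m=audio (\d+) ", sdp_text, re.M)
    if not conn or not media:
        raise ValueError("SDP has no IPv4 audio media description")
    rtp_port = int(media.group(1))
    rtcp = re.search(r"^a=rtcp:(\d+)", sdp_text, re.M)
    rtcp_port = int(rtcp.group(1)) if rtcp else rtp_port + 1
    return conn.group(1), rtp_port, rtcp_port


def in_range(port: int, rng: Range) -> bool:
    return rng[0] <= port <= rng[1]


def check_call(sdp_text: str, conf_text: str, forwarded: Range) -> List[str]:
    """List every reason media for this call would not pass the firewall.

    An empty list means the Asterisk range sits inside the forwarded range and
    both negotiated ports are forwarded; anything else is one-way audio waiting
    to happen.
    """
    problems = []
    rtp_rng = parse_rtp_range(conf_text)
    if not (forwarded[0] <= rtp_rng[0] and rtp_rng[1] <= forwarded[1]):
        problems.append(
            f"rtp.conf range {rtp_rng} not fully covered by forwarded range {forwarded}")
    _ip, rtp, rtcp = parse_sdp_media(sdp_text)
    for name, port in (("RTP", rtp), ("RTCP", rtcp)):
        if not in_range(port, forwarded):
            problems.append(f"{name} port {port} outside forwarded range {forwarded}")
    return problems


def blind_hit_probability(rng: Range, active_calls: int, ports_per_call: int = 2) -> float:
    """Chance that one UDP packet sent to a random port in the range reaches a
    port bound by a live call; every other port in the range has no listener and
    only costs the kernel an ICMP port-unreachable reply."""
    size = rng[1] - rng[0] + 1
    return min(1.0, active_calls * ports_per_call / size)


if __name__ == "__main__":
    forwarded = (10000, 20000)
    print("negotiated:", parse_sdp_media(SAMPLE_SDP))
    print("problems:", check_call(SAMPLE_SDP, SAMPLE_RTP_CONF, forwarded) or "none")
    print("blind hit chance with 10 calls up:",
          f"{blind_hit_probability(forwarded, 10):.4%}")
```

Run it against a real 200 OK captured with `sngrep` or `tcpdump` and your own rtp.conf to confirm the two ranges agree; a forwarded range narrower than rtpstart/rtpend is the usual cause of calls that connect but carry no audio.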

JayG30 (Member, joined Jan 30, 2014, 64 messages, reaction score 5)
Will echo the above info.
I use SIP.US for my unlimited trunking. They have been rock solid for over 2 years of service now.
Hardware firewall configured to allow port forwarding for UDP ports 10000-20000 to your PBX.
As for the 5060 port, my experience has been that forwarding it isn't necessary with my router/firewall (Ubiquiti EdgeRouter line). If I had to open the 5060 port, I would limit it to the SIP.US server IP addresses on my firewall (I don't know any way to define domain names in a firewall personally, only IP addresses). SIP.US provided them to me when I asked via the ticketing system.
 
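Editor's note: the following is an added example, not code from this thread, from SIP.US or from Ubiquiti. It builds the policy that both the original question and JayG30's post describe, for a Linux gateway in front of the PBX that uses iptables (EdgeOS is configured differently; the commands here are plain iptables): forward the whole RTP range to the PBX from any source, forward UDP 5060 only from the trunk provider's addresses, and drop other 5060 traffic. Firewalls match addresses, not names, so the script resolves each trunk hostname at run time and emits the rules as strings to review before applying; re-running it from cron is how a "domain name" rule is actually kept current. The PBX address, the trunk hostname and the addresses the offline stand-in resolver returns are placeholders; real SIP.US addresses have to come from the provider, as JayG30 obtained them.

```python
import socket
from typing import Callable, Dict, Iterable, List

RTP_RANGE = (10000, 20000)  # UDP range forwarded to the PBX in this thread
SIP_PORT = 5060

Resolver = Callable[[str], List[str]]


def resolve_all(hostname: str) -> List[str]:
    """Every IPv4 address the name currently resolves to (not just the first).

    A trunk provider can publish several A records; allowing only one of them
    drops registrations from the others.
    """
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})


def build_rules(pbx_ip: str, trunk_hosts: Iterable[str],
                resolver: Resolver = resolve_all) -> List[str]:
    """Return iptables commands implementing the thread's policy, in order."""
    lo, hi = RTP_RANGE
    rules = [
        # Media: any carrier gateway may send it, so no source filter, only the range.
        f"iptables -t nat -A PREROUTING -p udp --dport {lo}:{hi} "
        f"-j DNAT --to-destination {pbx_ip}",
        f"iptables -A FORWARD -p udp -d {pbx_ip} --dport {lo}:{hi} -j ACCEPT",
        # Signalling: DNAT 5060 to the PBX, then let FORWARD decide who may reach it.
        f"iptables -t nat -A PREROUTING -p udp --dport {SIP_PORT} "
        f"-j DNAT --to-destination {pbx_ip}",
    ]
    for host in trunk_hosts:
        for ip in resolver(host):
            # The comment match records which name justified the address, so a
            # later re-resolution can explain why a rule appeared or disappeared.
            rules.append(
                f"iptables -A FORWARD -p udp -s {ip} -d {pbx_ip} --dport {SIP_PORT} "
                f"-m comment --comment {host} -j ACCEPT")
    # Everything else that reaches 5060 on the PBX is dropped, not rejected.
    rules.append(f"iptables -A FORWARD -p udp -d {pbx_ip} --dport {SIP_PORT} -j DROP")
    return rules


def stale_addresses(previous: Iterable[str], current: Iterable[str]) -> Dict[str, List[str]]:
    """Diff two resolution results so a cron run can report what changed."""
    prev, cur = set(previous), set(current)
    return {"removed": sorted(prev - cur), "added": sorted(cur - prev)}


# Offline stand-in for DNS so the example runs without network access.
# Placeholder name and TEST-NET addresses, not SIP.US's real records.
FAKE_DNS = {"sip-trunk.example.net": ["192.0.2.10", "192.0.2.11"]}


def fake_resolver(hostname: str) -> List[str]:
    return FAKE_DNS[hostname]


if __name__ == "__main__":
    for rule in build_rules("10.0.0.5", ["sip-trunk.example.net"], resolver=fake_resolver):
        print(rule)
```

Two things to note when using this for real: the DROP rule stays a DROP rather than a REJECT so scanners get no answer from 5060, and if the provider's addresses change between cron runs the registration fails until the next run, so compare `stale_addresses()` output against the last run and alert on it.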
