cancel
Showing results for 
Search instead for 
Did you mean: 

SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!

vanhalen26
I Plan to Stick Around

Hello.  I just signed up with Ignite 3 days ago, and have had 3 successive nights of SIP scanner attacks.  I never had these with my old smaller ISP, so Rogers internet must be much more fertile ground for these hackers.  I'm using the new CGN3ACMR modem. 

 

I use an Obi100 ATA.  Anyone have any idea what to do?  If I can't fix it, I might drop Rogers and stay with my old ISP ... my home phone is costing me under $30 a year through a VOIP provider, it has been excellent service for years, and if I have to drop it and switch to a land line, it would be a huge price increase.  

 

I don't know if I need to change router settings to stop this or ATA settings.  Having spoken to Rogers support re: the modem shipping with old firmware and having them insist that my out-dated firmware was current, I don't think I'll get anywhere or anything useful out of calling them - as this seems somewhat complex to solve and outside of their normal realm of issues I suspect.  I sadly have this little faith in them after only one interaction already. 

 

***Edit Labels***

14 REPLIES 14

Re: SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!

RogersMaude
Moderator
Moderator

Good afternoon @vanhalen26,

 

Thank you for your post.

 

Sorry for your ongoing issues with your VOIP.

 

If you have been using the modem in question, for more than 72 hours since the activation, and your firmware has not yet been updated, please send a PM to @CommunityHelps with your :

  • Cable account reference number(12 digits beginning with “2”)
  • MAC address of modem (12 digits found on the back of your Hitron modem)

 

Anybody in the Community can help @vanhalen26 with more information on SIP scanner attacks?

 

@Datalink & @Gdkitty feel free to chime in!

 

RogersMaude

Re: SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!

vanhalen26
I Plan to Stick Around

Thanks.  The firmware updated last night, but an SIP scanner attack is more ATA/Modem/ISP vs. modem firmware from what I have read.  It can happen to any ISP, but the larger ones provide better targets I assume. 

 

I'm guessing the fix probably has to do with port changes in the modem or settings changes in the ATAs, but I'm not savvy enoungh to know what I should change and probably need an experienced technical person to help answer. 

 

I wonder if others have experienced this to or just me.  I never had this with my old ISP and I've been on VOIP for years, but this began day 1 with Rogers just 3 days ago.

 

I did close my VOIP ports this AM to see if that makes a difference, but did as I was running out the door so I don't know if that worked and I also don't know if it impacted my ability to make or receive calls.  I'll check this evening.   

Re: SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!

Datalink
Resident Expert
Resident Expert

Thinking aloud at this point, usually there is a SIP/ALG modem setting for VOIP devices that requires flipping.  Its not accessible by the end user so Tech support has to do that.  For some reason, people have been directed to Techxpert to have that done, which is an additional cost.  The Tech Support CSRs are able to access that setting and change it as required.  There is no reason, as far as I am concerned to redirect a customer to a paying service to flip a setting that has been declared user inaccessible by the same company. 

 

I don't know if the SIP/ALG is enabled or disabled to start, but I suspect that its enabled, which should normally prevent a VOIP device from working.  So if that is the case, I'm wondering why you would see indications of SIP scanning.   Please have a  look at the link below regarding the SIP ALG setting.    Call Tech Support or pm @CommunityHelps if Tech Support refuses to disable the SIP ALG.  Once that is done, confirm that any port forwarding rules are set and save them once again if they are wiped out by the update, reboot the modem and then test the phone.

 

http://www.voip-info.org/wiki/view/Routers+SIP+ALG

 



Re: SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!

As usual @Datalink, your help is much appreciated !

 

It would be our pleasure to further assist if needed Smiley Happy

 

RogersMaude

Re: SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!

vanhalen26
I Plan to Stick Around

Thanks @Datalink

 

My VOIP works, the problem is I am being subjected to SIP scanner attacks.  From what I can find in google, its a brute force type attack that tries to gain my login/pass for my ATA.  How I discovered this is our phone keeps ringing in the middle of the night, but no calls show up in my voip caller log ... ie the brute force attack bypasses the provider and comes straight through the modem to the ATA. 

 

I am far from technical, but do my best through google ... from what you suggest, I don't think that would impact as my VOIP does work.

 

Again - I never had this issue with my old ISP, but had from day 1 (only installed Tuesday) with Rogers - so somehow it must be tied to the new service.  Other info - my modem arrived with the old firmware and the VOIP did not work, but the firmware updated last night to the current and I rebooted the VOIP and it worked immediately.  Both before the update and after the update these random phone calls through the night had been occuring. 

 

As above, I closed my VOIP ports this morning, hopefully that resolved.  I'll do more trouble shooting tonight ... my VOIP provider also gave some trouble shooting tips as they have seen this many times.    I can provide them here for others, however I suppose I'm not supposed to list tips from or name a Rogers competitor so I will just report back if it worked and if it does I can edit out the provider and post in case others have the same problem down the road. 

Re: SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!

Let us know what you find and also if you need any help 🙂  I'm surprised that it works without calling in to change the SIP ALG setting, but I wonder what will happen if you do have it flipped?



Re: SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!

vanhalen26
I Plan to Stick Around

Will do ... I might disappear for a week, I will be on a business trip so if I don't figure it out I will deal with it when I get back (and will deal with my family yelling at me about a phone that kept ringing at random times while I was gone!).

Re: SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!

You're going to be a popular guy.  Might require some big time "making up" for the annoyance when you return 🙂



Re: SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!

hey @Datalink aren't SIP attacks based on the IP itself?
Changing the IP would resolve issue no? - Only reason it doesn't release it is because of VOIP constantly on?

Just curious to understand this, I have read up on SIP attacks but not fully versed like yourself.

Re: SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!


@ShakTib wrote:
hey @Datalink aren't SIP attacks based on the IP itself?
Changing the IP would resolve issue no? - Only reason it doesn't release it is because of VOIP constantly on?

Just curious to understand this, I have read up on SIP attacks but not fully versed like yourself.

No. There are people out there constantly scanning Rogers network block looking for vulnerable devices. Changing the IP would give him a few hours at most. I am always amazed to see how much the Rogers network is bombarded looking at my SNORT logs.

 

OP,

Closing the ports should resolve the issue. The older firmware had major NAT issues with port allocation so some ports had to be opened permanently (permanently openning ports is usually not a good idea, mkay). If that doesn't work, then a third party router that offers better security features is highly recommended.

Re: SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!

Oooh okay 🙂
I know barely much about networking. Its a world of wonders.

So closing as in securing the ports? or closing as in terminating it all together?

Re: SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!

@ShakTiburon

Computer networks can be loads of fun to learn once you get your head around IPs, subnets and a few of the protocols (TCP, UDP, ICMP, etc). I know very little myself but enjoys tinkering and figuring things out.

 

Closing as in securing the ports.

Re: SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!

Ah cool cool. Just wanted to get clarification. 🙂
Thanks @kr6

Re: SIP Scanner Attack on my VOIP using Ignite CGN3ACSMR – Please help!

I figured this out after very annoying calls. I did notice this problem after I switched from vmedia to Rogers.  

 

You can do this many ways but here's what I found to be the best method.  

 

Find a old or cheap router. 

Assign a static Ip by Mac address to your secondary router.  

If your current configuration is 192.168.0.1 change the network on the second router to 192.168.1.1 

This is to separate the networks and if you need to trouble shoot you would need to connect to your second router. 

 

I disabled wifi but you don't have to. 

My router (flashed with ddwrt had a firewall) 

Make sure firewall is enabled and

Now since there's many hops involved the sip sniffing would most likely not ever hit your voip. 

 

I am useing a obi I was them able to configure on the Web.  

 

This works something with the Rogers router, allows the sip to be scanned.  

 

It's not a Rogers people it's just the way these hackers program their bots. 

Topic Stats
  • 14 replies
  • 2578 views
  • 1 Like
  • 6 in conversation