SIP Spam filtering

I Plan to Stick Around
Posts: 30

SIP Spam filtering

I am trying to set up a SIP line via the SIP/IP trunk ports on my Nortel BCM50 Rls 6 phone system on my network.

I have forwarded port 5060 in the Hitron to my BCM's IP address and am now getting hammered with bogus calls every 30 seconds where nobody is on the line.

I have not even registered/logged in with a SIP provider yet!

Is there some way to allow 5060 but only from a certain server, sipgate.co.uk in this case?

 

Residential Gateway is enabled

UPnP is enabled

Thanks

______________________________________
Current Mobile: Samsung S8
Current Cable Modem: Hitron CGN3 Rocket
Current Home Phone Modem: Cisco DPC2203C
Dedication level: Same cell number since1988 (Cantel)
Resident Expert
Posts: 13,948

Re: SIP Spam filtering

While I am usually pretty good with the Nortel systems (well, until they discontinued them 😞), I am not so familiar with the SIP end... I have mostly dealt with a digital PRI into them.

My wonder is if those are calls at all, or are they something else just testing that port, but being picked up as calls by the system?

A different modem, or even bridge mode, I don't think will help MUCH in this scenario, if it's something directed at your IP and that port specifically.



Resident Expert
Posts: 6,145

Re: SIP Spam filtering

I wonder what you would find if you loaded Wireshark on a PC and hooked the PC into the modem port you are testing out. I would think Wireshark would show what's arriving from the modem, which might give you further ideas of how to stop it.



I Plan to Stick Around
Posts: 30

Re: SIP Spam filtering

Well, I get nobody on the line.

Caller ID Name and Number in the monitor shows, as an example:

200 - 200 DNIS: 1197259232

or

200 - 200 DNIS: 0119725921

As soon as the call gets answered by my mailbox (with no message left, not even a blank one) I see on my display:

as100

or 200

or

admin

Currently trying to figure out Wireshark and filtering right now; it seems to be loading so many entries, like 2000 in one minute, so it's too hard to pinpoint anything.

Resident Expert
Posts: 6,145

Re: SIP Spam filtering

You probably only need a few seconds of data recorded if the port is always trying to "ring" through. Stop the recording and then you should be able to sort the data by event or port. You can sort on the fly, but it sounds like it's repetitive data, so a small data sample should suffice.



I Plan to Stick Around
Posts: 30

Re: SIP Spam filtering

Well, I loaded a softphone on my PC and it works fine, so I gather there are no issues with the router.

Thanks all
I Plan to Stick Around
Posts: 11

Re: SIP Spam filtering

Hey guys,

My 2 cents, just a couple of things.

With most firewalls you should be able to create a firewall policy that will block port activity excluding a certain IP/IP range. Unfortunately I do not believe the Hitron's firewall is that flexible, as you are now getting into the territory of a small business class router (QoS, firewall) or a separate firewall (you can find used Linux based firewalls for $20-$40 all over the place).

You shouldn't need to port forward with UPnP (I would recommend the opposite: disabling UPnP and using your manual port forwarding, as UPnP is usually exploited by virus activity to open ports).

I think the Hitron has an awesome WiFi broadcast (mine usually broadcasts at -30 dB to -40 dB, which probably comes in at about 1 watt, but guessing), but when you are getting into the world of firewall exceptions, most would usually say bridge it and use a router with either more software or hardware options.

I am on board with the other posters, where I'm not sure if the firewall exception would resolve the issue. Set up some logging, find out where the traffic is coming from. Wireshark is VERY OVERWHELMING when you first start with it... I remember making the exact same comment when I started. AMAZINGLY I had someone sit me down for half an hour and show me the ins and outs... there is a reason it is the standard. Don't worry about small data capture; use your filters, create custom filters, you can filter by SO MUCH: protocol/port/destination/exclusions.

I'm not saying this is happening, but it's something to be aware of. PBXs can be exploited if responding to port scans; the short of it, malicious activity hammers the port usually looking for your VM, then using maintenance protocols either sets up FFW, or grabs a line to call out to make long distance calls. Does your SIP use TLS?

.... now I'm just rambling, I hope this helps.

 

Andrew

"I'm pretty sure someone legally changed my name ...Andrew FIX IT....that’s all i hear all day"
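The two things recommended above, a policy that admits port 5060 only from the provider's server and triage of a short capture sample by source, put together as an added Python example that is not from the thread or any poster. The provider address in the allow-list and all packets are constructed placeholders (the thread names sipgate.co.uk but gives no IP).

```python
import re
from collections import Counter

# Placeholder address for the provider's SIP server: the thread names sipgate.co.uk
# but gives no IP, so this allow-list entry is an assumption, not a real value.
ALLOWED_SOURCES = {"198.51.100.5"}

# Constructed samples of inbound UDP/5060 payloads (source IP, first lines of the
# SIP message), shaped like the unsolicited INVITEs the thread describes.
SAMPLE_PACKETS = [
    ("203.0.113.7",  'INVITE sip:1197259232@192.0.2.10 SIP/2.0\r\nFrom: "200" <sip:200@203.0.113.7>\r\n'),
    ("203.0.113.7",  "INVITE sip:0119725921@192.0.2.10 SIP/2.0\r\nFrom: <sip:200@203.0.113.7>\r\n"),
    ("203.0.113.7",  "INVITE sip:1197259233@192.0.2.10 SIP/2.0\r\nFrom: <sip:admin@203.0.113.7>\r\n"),
    ("203.0.113.44", "OPTIONS sip:192.0.2.10 SIP/2.0\r\nFrom: <sip:100@203.0.113.44>\r\n"),
    ("198.51.100.5", "INVITE sip:bcm@192.0.2.10 SIP/2.0\r\nFrom: <sip:+441234567890@198.51.100.5>\r\n"),
]

START_LINE = re.compile(r"^([A-Z]+) sip:(?:([^@\s]+)@)?\S+ SIP/2\.0", re.M)
FROM_USER = re.compile(r"^From:.*?<sip:([^@>]+)@", re.M | re.I)

def parse_sip(raw):
    """Return (method, dialled user, From user) for a SIP request, else None."""
    m = START_LINE.search(raw)
    if not m:
        return None
    f = FROM_USER.search(raw)
    return m.group(1), (m.group(2) or ""), (f.group(1) if f else "")

def filter_and_report(packets, allowed=ALLOWED_SOURCES, threshold=2):
    """Admit port-5060 traffic only from the allow-list (the firewall policy the
    thread asks for) and summarise what was dropped, so a short capture sample
    can be triaged without reading every packet."""
    accepted, dropped_by_src, dropped_from = [], Counter(), Counter()
    for src, raw in packets:
        parsed = parse_sip(raw)
        if parsed is None:          # not a SIP request line: ignore
            continue
        method, dialled, from_user = parsed
        if src in allowed:
            accepted.append((src, method, dialled))
        else:
            dropped_by_src[src] += 1
            dropped_from[from_user] += 1
    # Sources that keep hammering the port stand out once counted per source.
    noisy = sorted(s for s, n in dropped_by_src.items() if n >= threshold)
    return accepted, dict(dropped_by_src), dict(dropped_from), noisy

if __name__ == "__main__":
    acc, by_src, by_from, noisy = filter_and_report(SAMPLE_PACKETS)
    print("accepted:", acc)
    print("dropped per source:", by_src, "| From users seen:", by_from)
    print("sources over threshold:", noisy)
```

On a real capture the same per-source and per-From counts are what a Wireshark `sip` display filter plus the Statistics > Conversations view give you; the point is that a few seconds of data already identify the source to block.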

 

I Plan to Stick Around
Posts: 30

Re: SIP Spam filtering

Yes, Hitron modems are not flexible.

I might just go Bridged Mode and get a Juniper Router.

I did disable UPnP; ports I had forwarded anyway.

Seems Wireshark is a chore to set up to monitor another PC/device on the network.

Does not look like TLS is supported by the BCM.

But here is my update:

A SIP Polycom 670 telephone works fine, just like the softphone.

Sipgate finally got back to me and they don't support PBXs, only single SIP sets.

But here is their reply, of which I understand ZERO....

We see the unusual SIP Contact 44956 in the registration of X-Lite (which is my softphone)

and we see the reserved/restricted port 1024 in the registration data of the BCM gateway.
The port 1024 or multiples of it usually indicate a problematic router SIP ALG or SPI Firewall.

Thanks