Repeatedly Getting Calls from "101"

[PainCourt]

Hello ... my mother and I both have a Freephoneline. She reports that she repeatly gets call from "101", and when she picks up, there is no one there.

I did a Google search on the number and found the issue is due to a "script kiddies running tools looking for insecure voip services." Anyone know what this is? Is there anyway, I can prevent this?

We both have a DD-WRT router and the Grandstream HT-286 ATA. Thanks!

[tbrummell]

Don't forward port 5060 from your router to your ATA.

[PainCourt]

tbrummell ... been reluctant to try what was suggested by you, since the information I gathered from this forum, was that you are suppose to port forward 5060, 5061, 6060, 6061, 13000 and 13001. What will happen when I don't forward port 5060. Sorry for the hesitation, as it took us a long time to get to this point (THANK YOU ALL FROM THIS FORUM). As I mentioned, we are running a DD-WRT router and the port forwarding is done under port range forwarding and all port forwarding is pointed to the IP address of the ATA.

[PainCourt]

OK ... I've been searching Google on port forwarding of 5060 and it seems that, port forwarding this is a BAD idea, as it is a well known port by hackers. I am a little bit confuse, here's why :

I've read over and over on how important it is to port 5060-5061, 6060-6061 and 13000-13001 to get good call quality, both in and out, on this forum. And then after investigating these "unkown calls", from caller ID 101, I found that this MAY have been caused by port forwarding 5060 to the ATA. Apparently, hackers has breached our ATA and evidence of this is shown by my mom receiving these "unknown calls" that DOES NOT SHOW in the Freephoneline call log.

Does anyone know what affect will "not forwarding" port 5060 do? What about the other ports?
Does any one know if there is any other alternatives?

I've read somewhere that you can specifically allow certain IP address into port 5060 through DD-WRT'ed routers :
a. does anyone know how to do this or point me in the right direction
b. also, there was warning that if the provider (Freephoneline) changes the IP address, I would have to change mine. I don't mine doing this, but how will I know ahead of time, without having to pick up the phone one day and hearing no dial tone?

PLEASE HELP ... My mom is still getting these random calls. She has gotten into the habit of turning her phone off at night I am worry that this will soon happen to me ...

[FONGO_steve]

Most ATAs have the option to disallow direct IP dialling - if you simply disable that ability then you can leave the port forwarding setup as is. All our ATAs configured in the recent year or so ship with this option disabled so we can be proactive against preventing these types of calls.

[TheHardy]

Most ATAs have the option to disallow direct IP dialling - if you simply disable that ability then you can leave the port forwarding setup as is. All our ATAs configured in the recent year or so ship with this option disabled so we can be proactive against preventing these types of calls.

Is that a 100% "close the back door" solution to the problem?

[PainCourt]

Fongo_steve ... thank you. My mother and I both have the HT286, which is the same one sold by Freephoneline. I did not see an option on the Grandstream menu to do what you mentioned ...

"All our ATAs configured in the recent year or so ship with this option disabled so we can be proactive against preventing these types of calls."

Is it possible you can point me int he right direction for this option on the Grandstream HT-286 ATA?

Thank you in advance.

[FONGO_steve]

Fongo_steve ... thank you. My mother and I both have the HT286, which is the same one sold by Freephoneline. I did not see an option on the Grandstream menu to do what you mentioned ...

"All our ATAs configured in the recent year or so ship with this option disabled so we can be proactive against preventing these types of calls."

Is it possible you can point me int he right direction for this option on the Grandstream HT-286 ATA?

Thank you in advance.

In the Grandstream the exact name is:
"Allow Incoming SIP Messages from SIP Proxy Only"

and you'll want to set it to "Yes (no direct IP calling if Yes)"

[PainCourt]

In the Grandstream the exact name is:
"Allow Incoming SIP Messages from SIP Proxy Only"

and you'll want to set it to "Yes (no direct IP calling if Yes)"

Fongo_steve ... thank you. "Allow Incoming SIP Messages from SIP Proxy Only" has been set to YES. Since there is no option for "No Direct IP Calling" on the Grandstream HT 286, does that mean when "Allow Incoming SIP Messages from SIP Proxy Only" is set to YES, does it mean that "No Direct IP Calling" is set to YES too?

MANY MANY MANY THANKS!!!!!

[FONGO_steve]

In the Grandstream the exact name is:
"Allow Incoming SIP Messages from SIP Proxy Only"

and you'll want to set it to "Yes (no direct IP calling if Yes)"

Fongo_steve ... thank you. "Allow Incoming SIP Messages from SIP Proxy Only" has been set to YES. Since there is no option for "No Direct IP Calling" on the Grandstream HT 286, does that mean when "Allow Incoming SIP Messages from SIP Proxy Only" is set to YES, does it mean that "No Direct IP Calling" is set to YES too?

MANY MANY MANY THANKS!!!!!

You are correct! The "not direct IP calling" bit is just mentioned in brackets after the "yes" option in the GUI. The name of the actual setting is "Allow Incoming SIP Messages from SIP Proxy Only". So once you set that to yes, it will disable direct IP calling which is what a lot of the script kiddies will use to try and annoy VOIP users with opened ports

[PainCourt]

Fongo_steve ... thank you.

[TheHardy]

Fongo_steve ... thank you.

Please advise if this halts the spurious calls. I for one am interested to find out!

[PainCourt]

Day 1 in ... so far so good. Will try to report back in a week or so.

[TheHardy]

Good --- I will await results. This then should be added to the FAQ, if it is not already there, as it would seem to be a simple fix to a rather glaring potential security problem. I assume you will also let us know if this tweak has any unintended side affects!

[tbrummell]

hardy, it's not a "glaring potential security problem", it's a problem in the SIP protocol itself. The 'only accept calls from SIP registrar' is Grandstream (and almost all other SIP device manufacturer)'s way of getting around it. SIP itself is insecure, it's just the way it was designed. If any device is following the RFC (the RFC was written in 2002 http://www.ietf.org/rfc/rfc3261.txt) and you send said device a SIP Invite, it rings, just the way it was written to do. Once SIP became mainstream, this was seen as a way to exploit devices open on the 'Net. They can't do anything but make Invites/Cancels (Cancel is more damaging as it would hang up any active call) to the device, more of a nuisance than anything. Now....if you have a SIP PBX hanging open like that, things get a tad more complicated. But that is beyond the scope of this thread.

[PainCourt]

Its been a few weeks now and things has been good. The real test is to wait for at least another month. Will report back if I get another call. If not, assume the settings suggested did the job.