Possible SIP scanner trying to hack my phone system?

[Degenerate]

Hi everyone,

The other day I started receiving calls to my home where it would only ring once, and then hang up. I received about 10 calls in the span of 5 minutes. When I went to review the call logs there was no record of any calls being placed to my home. I created a thread about the call logs here

http://forum.fongo.com/viewtopic.php?f=8&t=17466

Someone recommended that I disable port forwarding or DMZ on my router which I did.

It was also recommended that I also changed my SIP port from the default to number between 20000 and 65535, which I did.

After I made the changes everything seemed to stop right away, no more 1 ring phone calls, that was until today. So the fix I put in seems like it only lasted 24 hours. I just got home and heard the phone ring once, then they hung up. 30 seconds later I received another call, and then another etc....

My router is a DLINK DIR-860L, and ATA is a Sipura/SPA2000.

How can I fix this permanently? It's really annoying, and rather frustrating.

[Mango]

Since you state that you have a DIR-860L, I have some additional suggestions.

From within your router's configuration, navigate to Advanced >> Firewall Settings. Set the following, if not already set:

Enable SPI: Checked
UDP Endpoint Filtering: Port and Address Restricted
SIP: Unchecked

When you're done, test to be sure your phone still works. If not, try to disable SPI.

Let us know how things go.

[Degenerate]

Since you state that you have a DIR-860L, I have some additional suggestions.

From within your router's configuration, navigate to Advanced >> Firewall Settings. Set the following, if not already set:

Enable SPI: Checked
UDP Endpoint Filtering: Port and Address Restricted
SIP: Unchecked

When you're done, test to be sure your phone still works. If not, try to disable SPI.

Let us know how things go.

I just checked Enable SPI. The other two were already restricted and unchecked.

Just made a phone call to my cell and it works.

Let's see if I stop getting those calls.

Thanks!

[Mango]

I'm a little confused that your UDP Endpoint Filtering was already correctly set. Theoretically, this is the setting that should solve the problem, but perhaps it requires SPI to be effective.

Fingers crossed.

[Degenerate]

Actually I have a problem now. It seems that I the end user is not able to hear me. I called the house with my cell, and I could hear my wife through the phone, but she wasn't able to hear me at all

[Degenerate]

Since you state that you have a DIR-860L, I have some additional suggestions.

From within your router's configuration, navigate to Advanced >> Firewall Settings. Set the following, if not already set:

Enable SPI: Checked
UDP Endpoint Filtering: Port and Address Restricted
SIP: Unchecked

When you're done, test to be sure your phone still works. If not, try to disable SPI.

Let us know how things go.

I just checked Enable SPI. The other two were already restricted and unchecked.

Just made a phone call to my cell and it works.

Let's see if I stop getting those calls.

Thanks!

I made a mistake.

Enable SPI was not checked, so I checked it.

SIP was checked, so I unchecked it.

[Mango]

Actually I have a problem now. It seems that I the end user is not able to hear me. I called the house with my cell, and I could hear my wife through the phone, but she wasn't able to hear me at all

That could be a side effect of unchecking SIP. Let's try this combination instead:

Enable SPI: Checked
UDP Endpoint Filtering: Port and Address Restricted
SIP: Checked

[Degenerate]

Actually I have a problem now. It seems that I the end user is not able to hear me. I called the house with my cell, and I could hear my wife through the phone, but she wasn't able to hear me at all

That could be a side effect of unchecking SIP. Let's try this combination instead:

Enable SPI: Checked
UDP Endpoint Filtering: Port and Address Restricted
SIP: Checked

Okay done.

No luck still can't hear me.

[Mango]

On the Voice >> SIP tab of your ATA, hopefully you can set the following:

Handle VIA received: yes
Handle VIA rport: yes
Substitute VIA Addr: yes

On your router, we will use the settings I suggested originally.

Enable SPI: Checked
UDP Endpoint Filtering: Port and Address Restricted
SIP: Unchecked

I would also like you to use your router to forward UDP ports 16384-16482 to your ATA's static IP address.

If this doesn't work, you can return your settings to the way they were, and we will need to ask Fongo Support for further assistance.

[Degenerate]

I just got 2 more calls so whatever we tried isn't working

[Degenerate]

On the Voice >> SIP tab of your ATA, hopefully you can set the following:

Handle VIA received: yes
Handle VIA rport: yes
Substitute VIA Addr: yes

On your router, we will use the settings I suggested originally.

Enable SPI: Checked
UDP Endpoint Filtering: Port and Address Restricted
SIP: Unchecked

I would also like you to use your router to forward UDP ports 16384-16482 to your ATA's static IP address.

If this doesn't work, you can return your settings to the way they were, and we will need to ask Fongo Support for further assistance.

While you were editing this post I did a test and it worked. Didn't change any settings.

I did get 2 more one ring calls too

[Mango]

Okay, I'm glad you have two-way audio again. Thank you very much for replying so quickly with the results of all this testing.

I think the only thing we don't yet know is if you receive scanning calls with SIP unchecked. If possible, please test this, as one-way audio is something that Fongo Support can help us solve. After changing this, you may want to reboot the router as a precaution to ensure any tracked NAT connections are cleared.

If you receive scanning calls with SIP unchecked, I'm officially stumped.

[Degenerate]

So we're back to my original problem.
I'm getting one ring phone calls about every minute

I've changed the SIP port on my ATA but that didn't help.

Currently on my firewall settings

Enable SPI : checked
UDP Endpoint Filtering : Port and Access Restricted
SIP: checked

[Degenerate]

Okay, I'm glad you have two-way audio again. Thank you very much for replying so quickly with the results of all this testing.

I think the only thing we don't yet know is if you receive scanning calls with SIP unchecked. If possible, please test this, as one-way audio is something that Fongo Support can help us solve. After changing this, you may want to reboot the router as a precaution to ensure any tracked NAT connections are cleared.

If you receive scanning calls with SIP unchecked, I'm officially stumped.

Thanks for your help Mango.

I'm going to have to unplug the ATA for now because I'm trying to put down my kid for his nap time.

I'll do some more testing later tonight.

[Degenerate]

Okay, I'm glad you have two-way audio again. Thank you very much for replying so quickly with the results of all this testing.

I think the only thing we don't yet know is if you receive scanning calls with SIP unchecked. If possible, please test this, as one-way audio is something that Fongo Support can help us solve. After changing this, you may want to reboot the router as a precaution to ensure any tracked NAT connections are cleared.

If you receive scanning calls with SIP unchecked, I'm officially stumped.

SIP was originally unchecked, but I followed your instructions to check it, so I did, and it's still checked.

[Mango]

So you receive the scanning calls whether it's checked or not, correct?

[Degenerate]

So you receive the scanning calls whether it's checked or not, correct?

Sounds like it.

It was originally unchecked when i was already receiving calls.

I checked it as you suggested and calls still came in.

[Mango]

I've taken the liberty of posting a thread at DSLReports for you. Perhaps someone there will have more experience with this router than I apparently do, and will be able to assist further.

http://www.dslreports.com/forum/r299863 ... d-DIR-860L

Good luck!
m.

[Degenerate]

Thanks Mango.

So I should go ahead an uncheck SIP? So basically the only change I would have made today is enable SPI.

I still can't do any testing right now because we're trying to get my son to nap.

[Mango]

No problem. I'm well aware of the importance of letting sleeping children lie!

I would test to see if the unwanted calls arrive with SIP unchecked, if you have not tested this already.

I have been looking through the router's manual. Unfortunately the explanation of this feature is extremely brief - so we will need to experiment to see what its behaviour is.

[Degenerate]

No problem. I'm well aware of the importance of letting sleeping children lie!

I would test to see if the unwanted calls arrive with SIP unchecked, if you have not tested this already.

I have been looking through the router's manual. Unfortunately the explanation of this feature is extremely brief - so we will need to experiment to see what its behaviour is.

It's unchecked now.

I just plugged the ATA back in and almost immediately I got a call

[Liptonbrisk]

I haven't read everything, but do you actually have any evidence you're being targeted by SIP scanners as opposed to an annoying robodialer in India for the purpose of building an active phone number list? FPL call logs aren't going to list hangups or sip scanner rings either. FPL call logs only show calls that have been answered or gone to voicemail, which is the same as being answered. The symptoms do sound like sip scanners, but it could be some jerk(s) running dial scripts.

Do your caller ID and ATA call log (or last number caller entry) show calls coming from 1000, 100, or something similar that is clearly not a phone number?

A. Download and run http://www.rapid7.com/resources/free-se ... n-2013.jsp
Register and run a scan. If anything is listed as exploitable, you've got a problem.

B. Ensure you're using the latest firmware for your router: http://support.dlink.ca/ProductInfo.asp ... L#Download

Do you still get constant calls?

C. Try disabling UPnP: http://support.dlink.ca/FAQView.aspx?f= ... 2ccA%3D%3D

If it's not SIP scanners, then this stuff isn't going to help.

[Degenerate]

I haven't read everything, but do you actually have any evidence you're being targeted by SIP scanners as opposed to an annoying robodialer in India for the purpose of building an active phone number list? FPL call logs aren't going to list hangups. FPL call logs only show calls that have been answered or gone to voicemail, which is the same as being answered. The symptoms do sound like sip scanners, but it could be some jerk(s) running dial scripts.

Does your caller ID and ATA call log (or last number called entry) show calls coming from 1000, 100, or something similar that is clearly not a phone number?

A. Download and run http://www.rapid7.com/resources/free-se ... n-2013.jsp
Register and run a scan. If anything is listed as exploitable, you've got a problem.

B. Ensure you're using the latest firmware for your router: http://support.dlink.ca/ProductInfo.asp ... L#Download

Do you still get constant calls?

C. Try disabling UPnP: http://support.dlink.ca/FAQView.aspx?f= ... 2ccA%3D%3D

If it's not SIP scanners, then this stuff isn't going to help.

I honestly don't know if it is a SIP scanner. It could very well be what you just mentioned.

I have never reviewed the ATA call logs. Do all ATA's have this feature? I'll try to check in a bit.

The constant calls stopped yesterday afternoon but it started again today after about 24 hours. I had to unplug my ATA again just so it would stop ringing.

Yes I'm running the latest firmware.

I'll try the UPnP option as well.

[Liptonbrisk]

I have never reviewed the ATA call logs. Do all ATA's have this feature? I'll try to check in a bit.

I've never used an SPA2000, but it should at least show last caller number or something. Check under Line 1 status.

I'll try the UPnP option as well.

Disable that.

Disable all port forwarding.

Turn off router. Turn off ATA.
Turn on router. Wait a few minutes. Turn on ATA.

If you get a one way audio problem at that point, try disabling SIP (ALG) in router.
Again repeat the turn off router, turn off ATA procedure.

If one way audio problem persists, but the sip scanner calls have stopped, port forward (RTP) UDP range 16384-16482 to your ATA again.

If the sip scanner ringing remains anyway, then disable port forwarding and re-enable UPnP.

I'd advise you to run http://www.rapid7.com/resources/free-se ... n-2013.jsp

You can also try https://www.grc.com/shieldsup (click proceed, and then try the UPnP Exposure test without using a VPN), but the other program is better since it'll scan all devices on your local network.
I'm not the biggest fan of that site though, but I'm not interested in getting into a discussion about it either.

DMZ (horrible; never use this), Port forwarding, and UPnP are all potential security risks.

[Degenerate]

I have never reviewed the ATA call logs. Do all ATA's have this feature? I'll try to check in a bit.

I've never used an SPA2000, but it should at least show last caller number or something. Check under Line 1 status.

I'll try the UPnP option as well.

Disable that.

Disable all port forwarding.

Turn off router. Turn off ATA.
Turn on router. Wait a few minutes. Turn on ATA.

If you get a one way audio problem at that point, try disabling SIP (ALG) in router.
Again repeat the turn off router, turn off ATA procedure.

If one way audio problem persists, but the sip scanner calls have stopped, port forward (RTP) UDP range 16384-16482 to your ATA again.

If the sip scanner ringing remains anyway, then disable port forwarding and re-enable UPnP.

I'd advise you to run http://www.rapid7.com/resources/free-se ... n-2013.jsp

You can also try https://www.grc.com/shieldsup (click proceed, and then try the UPnP Exposure test without using a VPN), but the other program is better since it'll scan all devices on your local network.
I'm not the biggest fan of that site though, but I'm not interested in getting into a discussion about it either.

DMZ (horrible; never use this), Port forwarding, and UPnP are all potential security risks.

Thank you very much for this post. I won't be able to test this tonight but I will definitely give it a try tomorrow.

Earlier I did fiddle around with the SIP option. I tried turning it on and off and one thing that did happen for sure was I could only get one way audio. My home phone couldn't hear my cell phone, but my cell phone could hear my home. The calls still did come in afterwards.

I'll try everything else tomorrow. Once again thank you very much for your help.

If there is anything else you can recommend me trying please let me know. I live with my in-laws and I'm the one who set this up for them. It's looking really bad right how the phones are down because I had to unplug the ATA, and I would get phantom calls every min for the past 3 days or so. I'm at the point where I'm considering to buy a more advanced router and new ATA over the next few days if I can't get this figured out.