Another reason to avoid SIP ALG if possible

Liptonbrisk
Technical Support
Posts: 2990
Joined: 04/26/2010
SIP Device Name: Obihai 202/2182, Groundwire
Firmware Version: various
ISP Name: FTTH
Computer OS: Windows 64 bit
Router: Asuswrt-Merlin & others

Post by Liptonbrisk »

https://www.snbforums.com/threads/vulne ... ost-657216
RMerlin wrote: The NAT Slipstream attack is the one that uses ALG helpers to potentially compromise clients. I recommend making sure none of the settings on the NAT Passthrough page is set to "Enabled + NAT Helper", they should be either "Enabled" or "Disabled". I haven't tested this, but I would expect ensuring NAT helpers are disabled to be enough to prevent this attack vector.

Those ALGs are generally not needed by modern clients. For instance, I have both an ATA (for my home phone) and a direct IP phone (for work) here, both work fine without the need for an ALG helper.

Note that numerous browsers are now implementing mitigation methods by blocking certain ports used by these protocols.
RMerlin is the developer of Asuswrt-Merlin firmware. He is referring to settings in Merlin router firmware.

NAT slipstreaming involving ALGs, including SIP ALG, doesn't just apply to Asuswrt-Merlin, of course: https://samy.pl/slipstream/.
Please do not send me emails; I do not work for nor represent Freephoneline or Fongo. Post questions on the forums so that others may learn from responses or assist you. Thank you. If you have an issue with your account or have a billing issue, submit a ticket here: https://support.fongo.com/hc/requests/new. Visit http://status.fongo.com/ to check FPL/Fongo service status. Freephoneline setup guides can be found at http://forum.fongo.com/viewforum.php?f=15.
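
One way to verify the recommendation quoted above from a shell on a Linux-based router is to look for loaded Netfilter ALG helper modules. This is an added example, not code from the post or from Asuswrt-Merlin; it assumes the firmware implements its NAT helpers as the mainline kernel modules named nf_conntrack_<proto> and nf_nat_<proto>, and the function names and the sample /proc/modules excerpt are constructed for illustration.

```shell
#!/bin/sh
# Report loaded Netfilter ALG helper modules (SIP, H.323, PPTP, FTP, IRC, TFTP).
# Assumption: the router exposes /proc/modules and uses mainline module names.

# list_nat_helpers [modules_file]: print matching module names, one per line.
list_nat_helpers() {
    awk '$1 ~ /^nf_(conntrack|nat)_(sip|h323|pptp|ftp|irc|tftp)$/ { print $1 }' \
        "${1:-/proc/modules}"
}

# check_nat_helpers [modules_file]
# Returns 0 if no helper is loaded, 1 if any is, 2 if the file is unreadable.
check_nat_helpers() {
    modules_file="${1:-/proc/modules}"
    if [ ! -r "$modules_file" ]; then
        echo "cannot read $modules_file" >&2
        return 2
    fi
    found="$(list_nat_helpers "$modules_file")"
    if [ -n "$found" ]; then
        echo "ALG helper modules loaded:"
        echo "$found" | sed 's/^/  /'
        return 1
    fi
    echo "No ALG helper modules loaded."
    return 0
}

# Constructed /proc/modules excerpt (not captured from a real router):
# SIP helper active, as it would be with a NAT helper setting turned on.
sample_modules() {
    cat <<'EOF'
nf_nat_sip 20480 0 - Live 0x0000000000000000
nf_conntrack_sip 36864 1 nf_nat_sip, Live 0x0000000000000000
nf_nat 49152 2 nf_nat_sip,iptable_nat, Live 0x0000000000000000
nf_conntrack 172032 3 nf_nat_sip,nf_conntrack_sip,nf_nat, Live 0x0000000000000000
EOF
}

# Demo on the constructed sample. On the router itself, call
# check_nat_helpers with no argument to read the live /proc/modules.
tmp="$(mktemp)" && sample_modules > "$tmp"
check_nat_helpers "$tmp" || true
rm -f "$tmp"
```

The generic nf_nat and nf_conntrack modules are expected on any NAT router and are deliberately not flagged; only the protocol-specific helpers are.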