[VoiceOps] Ghost calls - Sipvicious?
Jimmy Hess
mysidia at gmail.com
Tue Nov 12 21:40:00 EST 2013
On Tue, Nov 12, 2013 at 6:05 PM, Hiers, David <David.Hiers at adp.com> wrote:
> Maybe someone is spoofing your SBC IP address?
>
> I can't see what useful info would be gained from such spoofing, but
> enough of these could DOS you pretty hard.
>
I would suggest capturing packets towards the devices experiencing it,
behind the NAT device, using Wireshark. I would wonder first if
either the NAT/ACL isn't working as designed, or traffic is coming from
a SIP ALG / inside the NAT; spoofing the SBC's source IP seems terribly
unlikely.

I think it's more likely there's an unexpected way the Polycom is being
contacted, such as a proxy service on a router.

Then there is the matter of: "Does your NAT device verify the foreign
IP address of reverse traffic like a full stateful firewall would, or
does it just check the destination port number on an incoming packet,
and immediately translate to internal IP based on the destination port
number and forward to the internal device?"

In the latter case, the internal device might be contacted on port 5060
from other internet hosts scanning the ephemeral port range, if that
5060 from the internal device has recently been used as a source port from
the Polycom contacting the SBC.

So a full packet capture from the network with the handsets could give you
a better idea of what you are seeing.
> David
>
--
-JH
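
The two NAT behaviours contrasted in the message above, modelled as an added example that is not part of the original post. The addresses (RFC 5737 documentation ranges), the port-preserving translation, and the `Nat`, `Packet` and `delivered` names are assumptions made for illustration.

```python
from dataclasses import dataclass

SBC = ("198.51.100.10", 5060)   # constructed SBC address and port

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int               # port on the NAT's public address
    summary: str

class Nat:
    """UDP NAT with one mapping table and a selectable inbound filter."""
    def __init__(self, verify_remote):
        self.verify_remote = verify_remote   # True = check the foreign IP and port
        self.mappings = {}                   # public port -> (inside host, remote ip, remote port)

    def outbound(self, inside_host, src_port, remote_ip, remote_port):
        # Assumed port-preserving translation: public port == inside source port.
        self.mappings[src_port] = (inside_host, remote_ip, remote_port)

    def inbound(self, pkt):
        """Return the inside host the packet is forwarded to, or None if dropped."""
        entry = self.mappings.get(pkt.dst_port)
        if entry is None:
            return None
        inside_host, remote_ip, remote_port = entry
        if self.verify_remote and (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return inside_host

# Constructed inbound traffic arriving at the NAT's public address.
INBOUND = [
    Packet("198.51.100.10", 5060, 5060, "INVITE from SBC"),
    Packet("203.0.113.77", 5071, 5060, "INVITE from unrelated host"),
    Packet("203.0.113.77", 5071, 5062, "INVITE to unmapped port"),
]

def delivered(verify_remote):
    """What a capture behind the NAT would show reaching the phone."""
    nat = Nat(verify_remote)
    nat.outbound("polycom", 5060, *SBC)   # phone contacted the SBC from source port 5060
    return [(p.src_ip, p.summary) for p in INBOUND if nat.inbound(p) == "polycom"]

if __name__ == "__main__":
    for mode in (False, True):
        print("verify_remote =", mode, "->", delivered(mode))
```

In a capture taken behind the NAT, any SIP request whose source address is not the SBC corresponds to the port-only case here.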