[VoiceOps] Preventing random SIP connections to handsets

Carlos Alvarez caalvarez at gmail.com
Fri Nov 20 15:21:43 EST 2015

These routers use a range of high ports, nothing is on 5060.  It seems that
they are scanning, and when they get something, repeatedly attack it.
Because our enterprise customers are all on a couple of subnets, they may
have keyed into "this range is full of SIP devices" and keep hitting them.

On Fri, Nov 20, 2015 at 1:19 PM, Alex Balashov <abalashov at evaristesys.com> wrote:

> I was getting ghost ringing into my Polycom because my router sensibly
> remaps phone:5060 to WAN_IP:5060. My solution was to switch to SIP TCP.
>
> On 11/20/2015 03:14 PM, Carlos Alvarez wrote:
>> We're starting to see customers who get random arbitrary ringing caused
>> by a random connection attempt from the internet.  Most of our customers
>> have Cisco routers with full-cone NAT, so it's easy to do that.  We
>> don't reinvite handsets, we proxy the media, so we've considered using
>> restricted NAT instead.  If we can figure out how, we can't find any
>> documentation on how to do it, and don't have a response to our Cisco
>> TAC case on it yet.
>> But I figured I'd ask if others have come up with better solutions.  I
>> know there are a few authentication options in the phones themselves,
>> but they seem to vary greatly by vendor and even by model.  I like to do
>> things as simply and system-wide as possible.  We primarily sell
>> Grandstream, and we support Cisco/Linksys SPA as well as Polycom IP
>> series (not VVX).
>> We're an Asterisk-based hosted service provider.
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
> --
> Alex Balashov | Principal | Evariste Systems LLC
> 303 Perimeter Center North, Suite 300
> Atlanta, GA 30346
> United States
> Tel: +1-800-250-5920 (toll-free) / +1-678-954-0671 (direct)
> Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
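Added example, not part of the thread: a toy model of the NAT filtering behaviour discussed above, showing why a full-cone mapping forwards an unsolicited packet to the handset while a restricted mapping forwards only packets from the provider's proxy, which is the only peer the phone needs when media is proxied. All addresses and ports are constructed (documentation ranges), and the class and function names are hypothetical.

```python
# Added example: toy model of NAT inbound filtering (RFC 4787 terminology).
# All addresses, ports and names below are constructed for illustration.
from dataclasses import dataclass, field

FULL_CONE = "endpoint-independent"              # forwards from any source
ADDR_RESTRICTED = "address-dependent"           # source IP must have been contacted
PORT_RESTRICTED = "address-and-port-dependent"  # source IP:port must match

@dataclass
class Nat:
    filtering: str
    mappings: dict = field(default_factory=dict)   # ext port -> inside (ip, port)
    contacted: dict = field(default_factory=dict)  # ext port -> {remote (ip, port)}

    def outbound(self, inside, ext_port, remote):
        """Inside host sends to remote; the NAT creates or refreshes the mapping."""
        self.mappings[ext_port] = inside
        self.contacted.setdefault(ext_port, set()).add(remote)

    def inbound(self, ext_port, source):
        """Return the inside endpoint the packet reaches, or None if dropped."""
        if ext_port not in self.mappings:
            return None
        peers = self.contacted[ext_port]
        if self.filtering == FULL_CONE:
            allowed = True
        elif self.filtering == ADDR_RESTRICTED:
            allowed = any(ip == source[0] for ip, _ in peers)
        else:
            allowed = source in peers
        return self.mappings[ext_port] if allowed else None

PHONE = ("10.0.0.20", 5060)     # handset behind the customer router
PROXY = ("192.0.2.10", 5060)    # provider's SIP proxy (signalling and media)
STRAY = ("198.51.100.7", 5060)  # unrelated internet host
EXT_PORT = 40123                # high port chosen by the router

def who_reaches_phone(filtering):
    nat = Nat(filtering)
    nat.outbound(PHONE, EXT_PORT, PROXY)  # phone REGISTERs with the provider
    return {
        "proxy": nat.inbound(EXT_PORT, PROXY) == PHONE,
        "stray": nat.inbound(EXT_PORT, STRAY) == PHONE,
    }

if __name__ == "__main__":
    for mode in (FULL_CONE, ADDR_RESTRICTED, PORT_RESTRICTED):
        print(mode, who_reaches_phone(mode))
```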
