[VoiceOps] Preventing random SIP connections to handsets
matthew at corp.crocker.com
Fri Nov 20 15:37:43 EST 2015
We have a Calix ONT in our lab that is ‘on the internet’ for its voice VLAN. It gets rogue INVITES and rings constantly (every 5-10 seconds). Makes for a nice honeypot, source IPs go right into the ACL on the firewall
President - Crocker Communications, Inc.
Managing Partner - Crocker Telecommunications, LLC
E: matthew at corp.crocker.com
E: matthew at crocker.com
> On Nov 20, 2015, at 3:35 PM, Robert Johnson <robert.j at bendtel.com> wrote:
> On 11/20/2015 12:14 PM, Carlos Alvarez wrote:
>> We're starting to see customers who get random arbitrary ringing caused by
>> a random connection attempt from the internet. Most of our customers have
>> Cisco routers with full-cone NAT, so it's easy to do that. We don't
>> reinvite handsets, we proxy the media, so we've considered using restricted
>> NAT instead. If we can figure out how, we can't find any documentation on
>> how to do it, and don't have a response to our Cisco TAC case on it yet.
>> But I figured I'd ask if others have come up with better solutions. I know
>> there are a few authentication options in the phones themselves, but they
>> seem to vary greatly by vendor and even by model. I like to do things as
>> simply and system-wide as possible. We primarily sell Grandstream, and we
>> support Cisco/Linksys SPA as well as Polycom IP series (not VVX).
>> We're an Asterisk-based hosted service provider.
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
> This may be dependent upon the Cisco router in question, but when we
> deploy routers we always set the ACL to only allow SIP communications
> from our SBC. - When customers provide their own, we recommend the same
> Robert Johnson
> BendTel, Inc.
> Central Oregon's Own Telephone and Internet Service Provider
> VoiceOps mailing list
> VoiceOps at voiceops.org
More information about the VoiceOps