[VoiceOps] Preventing random SIP connections to handsets

Ryan Delgrosso ryandelgrosso at gmail.com
Fri Nov 20 17:57:19 EST 2015

We dealt with this years ago.

The solution was 2 fold:

1: Stop using port 5060. Pick some other port for your phones to listen 
on locally. Do the same thing on your access-edge SBC's (this will also 
pay dividends in ALG avoidance).
2: Find the CPE option to restrict inbound to only the registered proxy. 
As mentioned before this might be different for each device make but it 
is unquestionably the best solution.

On 11/20/2015 12:14 PM, Carlos Alvarez wrote:
> We're starting to see customers who get random arbitrary ringing 
> caused by a random connection attempt from the internet.  Most of our 
> customers have Cisco routers with full-cone NAT, so it's easy to do 
> that.  We don't reinvite handsets, we proxy the media, so we've 
> considered using restricted NAT instead.  If we can figure out how, we 
> can't find any documentation on how to do it, and don't have a 
> response to our Cisco TAC case on it yet.
> But I figured I'd ask if others have come up with better solutions.  I 
> know there are a few authentication options in the phones themselves, 
> but they seem to vary greatly by vendor and even by model.  I like to 
> do things as simply and system-wide as possible.  We primarily sell 
> Grandstream, and we support Cisco/Linksys SPA as well as Polycom IP 
> series (not VVX).
> We're an Asterisk-based hosted service provider.
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20151120/4c8eefc3/attachment.html>

More information about the VoiceOps mailing list