<html dir="ltr"><head><style id="axi-htmleditor-style" type="text/css">p { margin: 0px; }</style></head><body style="font-size: 10pt; font-family: Arial; background-image: none; background-repeat: repeat; background-attachment: fixed;">Have you tried tossing an unauthenticated call at the edgemarc from outside using a from address of 1001@edgemarcip? Looks like that's what this guy is doing. You're ignoring his registers but you may be allowing invites from an unregistered device.<br><br>On Fri, 11/01/2013 03:33 PM, Matt Yaklin &lt;myaklin@g4.net&gt; wrote:<br><blockquote style="border-left: 2px solid rgb(00, 00, 204); padding-left: 4px; margin-left: 16px;"><div style="font-family: Arial; font-size: 10pt;">They are not overlapping.<br><br>The attacker finally bit just a bit ago. I only was running<br>tcpdump on port 5060 on the edgemarc but I captured the SIP<br>traffic for what the attacker is doing. I wish I had set up<br>more.<br><br><br>I blocked international via an auth code right now...<br><br>x.x.139.225 = WAN ethernet port of the Edgemarc.<br><br>I am going through this now and if anyone can help I would<br>greatly appreciate it. 
I need to find out why this is happening.<br><br><br><br>-----------------------<br>-----------------------<br>-----------------------<br>Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, <br>SUBSCRIBE, INFO<br>User-Agent: eyeBeam release 3007n stamp 17816<br>Cont<br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br><br>19:18:48.788559 176.58.68.20.10181 > x.x.139.225.5060:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>REGISTER sip:x.x.139.225 SIP/2.0<br>To: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a><br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=e26e273f<br>Via: SIP/2.0/UDP <br>176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport<br>Call-ID: b161d8122d506908<br>CSeq: 1 REGISTER<br>Contact: <sip:<a href="mailto:1001@176.58.68.20" target="_blank">1001@176.58.68.20</a>:10181><br>Expires: 3600<br>Max-Forwards: 70<br>Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, <br>SUBSCRIBE, INFO<br>User-Agent: eyeBeam release 3007n stamp 17816<br>Cont<br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br><br>19:18:52.786472 176.58.68.20.10181 > x.x.139.225.5060:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>REGISTER sip:x.x.139.225 SIP/2.0<br>To: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a><br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=e26e273f<br>Via: SIP/2.0/UDP <br>176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport<br>Call-ID: b161d8122d506908<br>CSeq: 1 REGISTER<br>Contact: <sip:<a href="mailto:1001@176.58.68.20" target="_blank">1001@176.58.68.20</a>:10181><br>Expires: 3600<br>Max-Forwards: 70<br>Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, <br>SUBSCRIBE, INFO<br>User-Agent: eyeBeam release 3007n stamp 17816<br>Cont<br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br><br>19:18:56.794955 
176.58.68.20.10181 > x.x.139.225.5060:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>REGISTER sip:x.x.139.225 SIP/2.0<br>To: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a><br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=e26e273f<br>Via: SIP/2.0/UDP <br>176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport<br>Call-ID: b161d8122d506908<br>CSeq: 1 REGISTER<br>Contact: <sip:<a href="mailto:1001@176.58.68.20" target="_blank">1001@176.58.68.20</a>:10181><br>Expires: 3600<br>Max-Forwards: 70<br>Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, <br>SUBSCRIBE, INFO<br>User-Agent: eyeBeam release 3007n stamp 17816<br>Cont<br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br><br>19:19:00.899198 176.58.68.20.10181 > x.x.139.225.5060:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>REGISTER sip:x.x.139.225 SIP/2.0<br>To: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a><br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=e26e273f<br>Via: SIP/2.0/UDP <br>176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport<br>Call-ID: b161d8122d506908<br>CSeq: 1 REGISTER<br>Contact: <sip:<a href="mailto:1001@176.58.68.20" target="_blank">1001@176.58.68.20</a>:10181><br>Expires: 3600<br>Max-Forwards: 70<br>Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, <br>SUBSCRIBE, INFO<br>User-Agent: eyeBeam release 3007n stamp 17816<br>Cont<br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br><br>19:19:04.809371 176.58.68.20.10181 > x.x.139.225.5060:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>REGISTER sip:x.x.139.225 SIP/2.0<br>To: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a><br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=e26e273f<br>Via: SIP/2.0/UDP 
<br>176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport<br>Call-ID: b161d8122d506908<br>CSeq: 1 REGISTER<br>Contact: <sip:<a href="mailto:1001@176.58.68.20" target="_blank">1001@176.58.68.20</a>:10181><br>Expires: 3600<br>Max-Forwards: 70<br>Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, <br>SUBSCRIBE, INFO<br>User-Agent: eyeBeam release 3007n stamp 17816<br>Cont<br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br><br>19:19:08.831073 176.58.68.20.10181 > x.x.139.225.5060:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>REGISTER sip:x.x.139.225 SIP/2.0<br>To: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a><br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=e26e273f<br>Via: SIP/2.0/UDP <br>176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport<br>Call-ID: b161d8122d506908<br>CSeq: 1 REGISTER<br>Contact: <sip:<a href="mailto:1001@176.58.68.20" target="_blank">1001@176.58.68.20</a>:10181><br>Expires: 3600<br>Max-Forwards: 70<br>Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, <br>SUBSCRIBE, INFO<br>User-Agent: eyeBeam release 3007n stamp 17816<br>Cont<br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br><br>19:19:12.827515 176.58.68.20.10181 > x.x.139.225.5060:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>REGISTER sip:x.x.139.225 SIP/2.0<br>To: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a><br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=e26e273f<br>Via: SIP/2.0/UDP <br>176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport<br>Call-ID: b161d8122d506908<br>CSeq: 1 REGISTER<br>Contact: <sip:<a href="mailto:1001@176.58.68.20" target="_blank">1001@176.58.68.20</a>:10181><br>Expires: 3600<br>Max-Forwards: 70<br>Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, <br>SUBSCRIBE, INFO<br>User-Agent: eyeBeam release 
3007n stamp 17816<br>Cont<br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br><br>19:19:16.827669 176.58.68.20.10181 > x.x.139.225.5060:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>REGISTER sip:x.x.139.225 SIP/2.0<br>To: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a><br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=e26e273f<br>Via: SIP/2.0/UDP <br>176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport<br>Call-ID: b161d8122d506908<br>CSeq: 1 REGISTER<br>Contact: <sip:<a href="mailto:1001@176.58.68.20" target="_blank">1001@176.58.68.20</a>:10181><br>Expires: 3600<br>Max-Forwards: 70<br>Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, <br>SUBSCRIBE, INFO<br>User-Agent: eyeBeam release 3007n stamp 17816<br>Cont<br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br><br>19:23:19.307756 176.58.68.20.10189 > x.x.139.225.5060:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>BYE sip:<a href="mailto:14734050085@x.x.139.225" target="_blank">14734050085@x.x.139.225</a>:5060 SIP/2.0<br>To: <sip:<a href="mailto:14734050085@x.x.139.225>" target="_blank">14734050085@x.x.139.225></a>;tag=6516fea2<br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=214bbc47<br>Via: SIP/2.0/UDP <br>176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport<br>Call-ID: 346c8a3823657575<br>CSeq: 2 BYE<br>Route: <sip:<a href="mailto:14734050085@x.x.139.225" target="_blank">14734050085@x.x.139.225</a>;lr><br>Contact: <sip:<a href="mailto:1001@176.58.68.20" target="_blank">1001@176.58.68.20</a>:10189><br>Max-Forwards: 70<br>Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, <br>SUBSCRIBE,<br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br><br>19:23:19.370269 x.x.139.225.5060 > 176.58.68.20.10189:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>SIP/2.0 200 OK<br>Via: SIP/2.0/UDP 
<br>176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport=5060<br>Record-Route: <sip:<a href="mailto:14734050085@x.x.139.225" target="_blank">14734050085@x.x.139.225</a>;lr><br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=214bbc47<br>To: <sip:<a href="mailto:14734050085@x.x.139.225>" target="_blank">14734050085@x.x.139.225></a>;tag=6516fea2<br>Call-ID: 346c8a3823657575<br>CSeq: 2 BYE<br>Contact: <sip:<a href="mailto:14734050085@x.x.139.225" target="_blank">14734050085@x.x.139.225</a>:5060><br>User-agent: fxo/1.0<br>Content-Length: 0<br><br><br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br> [tos 0xb8]<br>19:23:31.365141 176.58.68.20.10189 > x.x.139.225.5060:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>INVITE sip:<a href="mailto:14734050088@x.x.139.225" target="_blank">14734050088@x.x.139.225</a> SIP/2.0<br>To: <sip:<a href="mailto:14734050088@x.x.139.225>" target="_blank">14734050088@x.x.139.225></a><br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=d909f80a<br>Via: SIP/2.0/UDP <br>176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport<br>Call-ID: 2b6a574f323db602<br>CSeq: 1 INVITE<br>Contact: <sip:<a href="mailto:1001@176.58.68.20" target="_blank">1001@176.58.68.20</a>:10189><br>Max-Forwards: 70<br>Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, <br>SUBSCRIBE, INFO<br>Content-Type: application/sdp<br>User-Agent: eyeBeam<br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br><br>19:23:31.417251 x.x.139.225.5060 > 176.58.68.20.10189:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>SIP/2.0 100 Trying<br>Via: SIP/2.0/UDP <br>176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060<br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=d909f80a<br>To: <sip:<a href="mailto:14734050088@x.x.139.225>" 
target="_blank">14734050088@x.x.139.225></a>;tag=51a346d4<br>Call-ID: 2b6a574f323db602<br>CSeq: 1 INVITE<br>User-agent: fxo/1.0<br>Content-Length: 0<br><br><br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br> [tos 0xb8]<br>19:23:36.793012 x.x.139.225.5060 > 176.58.68.20.10189:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>SIP/2.0 180 Ringing<br>Via: SIP/2.0/UDP <br>176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060<br>Record-Route: <sip:<a href="mailto:14734050088@x.x.139.225" target="_blank">14734050088@x.x.139.225</a>;lr><br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=d909f80a<br>To: <sip:<a href="mailto:14734050088@x.x.139.225>" target="_blank">14734050088@x.x.139.225></a>;tag=51a346d4<br>Call-ID: 2b6a574f323db602<br>CSeq: 1 INVITE<br>Contact: <sip:<a href="mailto:14734050088@x.x.139.225" target="_blank">14734050088@x.x.139.225</a>:5060><br>User-agent: fxo/1.0<br>Content-Length: 0<br><br><br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br> [tos 0xb8]<br>19:23:36.833967 x.x.139.225.5060 > 176.58.68.20.10189:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>SIP/2.0 200 OK<br>Via: SIP/2.0/UDP <br>176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060<br>Record-Route: <sip:<a href="mailto:14734050088@x.x.139.225" target="_blank">14734050088@x.x.139.225</a>;lr><br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=d909f80a<br>To: <sip:<a href="mailto:14734050088@x.x.139.225>" target="_blank">14734050088@x.x.139.225></a>;tag=51a346d4<br>Call-ID: 2b6a574f323db602<br>CSeq: 1 INVITE<br>Contact: <sip:<a href="mailto:14734050088@x.x.139.225" target="_blank">14734050088@x.x.139.225</a>:5060><br>User-agent: fxo/1.0<br>Allow: INVITE, ACK, CANCEL, OPTIONS, BYE<br>Content-Type: application/sdp<br>Content-Leng<br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br> [tos 0xb8]<br>19:23:37.060875 176.58.68.20.10189 > 
x.x.139.225.5060:<br>>>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>><br>ACK sip:<a href="mailto:14734050088@x.x.139.225" target="_blank">14734050088@x.x.139.225</a>:5060 SIP/2.0<br>To: <sip:<a href="mailto:14734050088@x.x.139.225>" target="_blank">14734050088@x.x.139.225></a>;tag=51a346d4<br>From: <sip:<a href="mailto:1001@x.x.139.225>" target="_blank">1001@x.x.139.225></a>;tag=d909f80a<br>Via: SIP/2.0/UDP <br>176.58.68.20:10189;branch=z9hG4bK-d87543-154025872-1--d87543-;rport<br>Call-ID: 2b6a574f323db602<br>CSeq: 1 ACK<br>Route: <sip:<a href="mailto:14734050088@x.x.139.225" target="_blank">14734050088@x.x.139.225</a>;lr><br>Contact: <sip:<a href="mailto:1001@176.58.68.20" target="_blank">1001@176.58.68.20</a>:10189><br>Max-Forwards: 70<br>User-Agent: eyeBeam release 3007n stamp 17816<br>Content-Length: 0<br><br><br><<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<<br><br><br>---------------<br>--------------<br>------------<br><br>On Fri, 1 Nov 2013, Jay Hennigan wrote:<br><br>> On 11/1/13 12:04 PM, Matt Yaklin wrote:<br>>><br>>> Approx 60-70 calls.<br>><br>> If more than one overlapping you can rule out the physical FXO port.<br>><br>> --<br>> Jay Hennigan - CCIE #7880 - Network Engineering - <a href="mailto:jay@impulse.net" target="_blank">jay@impulse.net</a><br>> Impulse Internet Service - <a href="http://www.impulse.net/" target="_blank">http://www.impulse.net/</a><br>> Your local telephone and internet company - 805 884-6323 - WB6RDV<br>> _______________________________________________<br>> VoiceOps mailing list<br>> <a href="mailto:VoiceOps@voiceops.org" target="_blank">VoiceOps@voiceops.org</a><br>> <a href="https://puck.nether.net/mailman/listinfo/voiceops" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a><br>><br></div></blockquote></body></html>