Have you tried tossing an unauthenticated call at the edgemarc from outside using a from address of 1001@edgemarcip? Looks like that's what this guy is doing. You're ignoring his registers but you may be allowing invites from an unregistered device.

On Fri, 11/01/2013 03:33 PM, Matt Yaklin <myaklin@g4.net> wrote:
> They are not overlapping.
>
> The attacker finally bit just a bit ago. I only was running
> tcpdump on port 5060 on the edgemarc but I captured the SIP
> traffic for what the attacker is doing. I wish I had set up
> more.
>
> I blocked international via an auth code right now...
>
> x.x.139.225 = WAN ethernet port of the Edgemarc.
>
> I am going through this now and if anyone can help I would
> greatly appreciate it. I need to find out why this is happening.
>
> -----------------------
> -----------------------
> -----------------------
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> SUBSCRIBE, INFO
> User-Agent: eyeBeam release 3007n stamp 17816
> Cont
> <<<<<<<<<<<<<<
> 19:18:48.788559 176.58.68.20.10181 > x.x.139.225.5060:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> REGISTER sip:x.x.139.225 SIP/2.0
> To: 1001@x.x.139.225>
> From: 1001@x.x.139.225>;tag=e26e273f
> Via: SIP/2.0/UDP
> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> Call-ID: b161d8122d506908
> CSeq: 1 REGISTER
> Contact:
> Expires: 3600
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> SUBSCRIBE, INFO
> User-Agent: eyeBeam release 3007n stamp 17816
> Cont
> <<<<<<<<<<<<<<
> 19:18:52.786472 176.58.68.20.10181 > x.x.139.225.5060:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> REGISTER sip:x.x.139.225 SIP/2.0
> To: 1001@x.x.139.225>
> From: 1001@x.x.139.225>;tag=e26e273f
> Via: SIP/2.0/UDP
> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> Call-ID: b161d8122d506908
> CSeq: 1 REGISTER
> Contact:
> Expires: 3600
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> SUBSCRIBE, INFO
> User-Agent: eyeBeam release 3007n stamp 17816
> Cont
> <<<<<<<<<<<<<<
> 19:18:56.794955 176.58.68.20.10181 > x.x.139.225.5060:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> REGISTER sip:x.x.139.225 SIP/2.0
> To: 1001@x.x.139.225>
> From: 1001@x.x.139.225>;tag=e26e273f
> Via: SIP/2.0/UDP
> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> Call-ID: b161d8122d506908
> CSeq: 1 REGISTER
> Contact:
> Expires: 3600
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> SUBSCRIBE, INFO
> User-Agent: eyeBeam release 3007n stamp 17816
> Cont
> <<<<<<<<<<<<<<
> 19:19:00.899198 176.58.68.20.10181 > x.x.139.225.5060:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> REGISTER sip:x.x.139.225 SIP/2.0
> To: 1001@x.x.139.225>
> From: 1001@x.x.139.225>;tag=e26e273f
> Via: SIP/2.0/UDP
> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> Call-ID: b161d8122d506908
> CSeq: 1 REGISTER
> Contact:
> Expires: 3600
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> SUBSCRIBE, INFO
> User-Agent: eyeBeam release 3007n stamp 17816
> Cont
> <<<<<<<<<<<<<<
> 19:19:04.809371 176.58.68.20.10181 > x.x.139.225.5060:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> REGISTER sip:x.x.139.225 SIP/2.0
> To: 1001@x.x.139.225>
> From: 1001@x.x.139.225>;tag=e26e273f
> Via: SIP/2.0/UDP
> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> Call-ID: b161d8122d506908
> CSeq: 1 REGISTER
> Contact:
> Expires: 3600
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> SUBSCRIBE, INFO
> User-Agent: eyeBeam release 3007n stamp 17816
> Cont
> <<<<<<<<<<<<<<
> 19:19:08.831073 176.58.68.20.10181 > x.x.139.225.5060:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> REGISTER sip:x.x.139.225 SIP/2.0
> To: 1001@x.x.139.225>
> From: 1001@x.x.139.225>;tag=e26e273f
> Via: SIP/2.0/UDP
> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> Call-ID: b161d8122d506908
> CSeq: 1 REGISTER
> Contact:
> Expires: 3600
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> SUBSCRIBE, INFO
> User-Agent: eyeBeam release 3007n stamp 17816
> Cont
> <<<<<<<<<<<<<<
> 19:19:12.827515 176.58.68.20.10181 > x.x.139.225.5060:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> REGISTER sip:x.x.139.225 SIP/2.0
> To: 1001@x.x.139.225>
> From: 1001@x.x.139.225>;tag=e26e273f
> Via: SIP/2.0/UDP
> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> Call-ID: b161d8122d506908
> CSeq: 1 REGISTER
> Contact:
> Expires: 3600
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> SUBSCRIBE, INFO
> User-Agent: eyeBeam release 3007n stamp 17816
> Cont
> <<<<<<<<<<<<<<
> 19:19:16.827669 176.58.68.20.10181 > x.x.139.225.5060:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> REGISTER sip:x.x.139.225 SIP/2.0
> To: 1001@x.x.139.225>
> From: 1001@x.x.139.225>;tag=e26e273f
> Via: SIP/2.0/UDP
> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> Call-ID: b161d8122d506908
> CSeq: 1 REGISTER
> Contact:
> Expires: 3600
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> SUBSCRIBE, INFO
> User-Agent: eyeBeam release 3007n stamp 17816
> Cont
> <<<<<<<<<<<<<<
> 19:23:19.307756 176.58.68.20.10189 > x.x.139.225.5060:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> BYE sip:14734050085@x.x.139.225:5060 SIP/2.0
> To: 14734050085@x.x.139.225>;tag=6516fea2
> From: 1001@x.x.139.225>;tag=214bbc47
> Via: SIP/2.0/UDP
> 176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport
> Call-ID: 346c8a3823657575
> CSeq: 2 BYE
> Route:
> Contact:
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> SUBSCRIBE,
> <<<<<<<<<<<<<<
> 19:23:19.370269 x.x.139.225.5060 > 176.58.68.20.10189:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> SIP/2.0 200 OK
> Via: SIP/2.0/UDP
> 176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport=5060
> Record-Route:
> From: 1001@x.x.139.225>;tag=214bbc47
> To: 14734050085@x.x.139.225>;tag=6516fea2
> Call-ID: 346c8a3823657575
> CSeq: 2 BYE
> Contact:
> User-agent: fxo/1.0
> Content-Length: 0
>
> <<<<<<<<<<<<<< [tos 0xb8]
> 19:23:31.365141 176.58.68.20.10189 > x.x.139.225.5060:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> INVITE sip:14734050088@x.x.139.225 SIP/2.0
> To: 14734050088@x.x.139.225>
> From: 1001@x.x.139.225>;tag=d909f80a
> Via: SIP/2.0/UDP
> 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport
> Call-ID: 2b6a574f323db602
> CSeq: 1 INVITE
> Contact:
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> SUBSCRIBE, INFO
> Content-Type: application/sdp
> User-Agent: eyeBeam
> <<<<<<<<<<<<<<
> 19:23:31.417251 x.x.139.225.5060 > 176.58.68.20.10189:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> SIP/2.0 100 Trying
> Via: SIP/2.0/UDP
> 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
> From: 1001@x.x.139.225>;tag=d909f80a
> To: 14734050088@x.x.139.225>;tag=51a346d4
> Call-ID: 2b6a574f323db602
> CSeq: 1 INVITE
> User-agent: fxo/1.0
> Content-Length: 0
>
> <<<<<<<<<<<<<< [tos 0xb8]
> 19:23:36.793012 x.x.139.225.5060 > 176.58.68.20.10189:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> SIP/2.0 180 Ringing
> Via: SIP/2.0/UDP
> 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
> Record-Route:
> From: 1001@x.x.139.225>;tag=d909f80a
> To: 14734050088@x.x.139.225>;tag=51a346d4
> Call-ID: 2b6a574f323db602
> CSeq: 1 INVITE
> Contact:
> User-agent: fxo/1.0
> Content-Length: 0
>
> <<<<<<<<<<<<<< [tos 0xb8]
> 19:23:36.833967 x.x.139.225.5060 > 176.58.68.20.10189:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> SIP/2.0 200 OK
> Via: SIP/2.0/UDP
> 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
> Record-Route:
> From: 1001@x.x.139.225>;tag=d909f80a
> To: 14734050088@x.x.139.225>;tag=51a346d4
> Call-ID: 2b6a574f323db602
> CSeq: 1 INVITE
> Contact:
> User-agent: fxo/1.0
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE
> Content-Type: application/sdp
> Content-Leng
> <<<<<<<<<<<<<< [tos 0xb8]
> 19:23:37.060875 176.58.68.20.10189 > x.x.139.225.5060:
> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> ACK sip:14734050088@x.x.139.225:5060 SIP/2.0
> To: 14734050088@x.x.139.225>;tag=51a346d4
> From: 1001@x.x.139.225>;tag=d909f80a
> Via: SIP/2.0/UDP
> 176.58.68.20:10189;branch=z9hG4bK-d87543-154025872-1--d87543-;rport
> Call-ID: 2b6a574f323db602
> CSeq: 1 ACK
> Route:
> Contact:
> Max-Forwards: 70
> User-Agent: eyeBeam release 3007n stamp 17816
> Content-Length: 0
>
> <<<<<<<<<<<<<<
>
> ---------------
> --------------
> ------------
>
> On Fri, 1 Nov 2013, Jay Hennigan wrote:
>
> > On 11/1/13 12:04 PM, Matt Yaklin wrote:
> >>
> >> Approx 60-70 calls.
> >
> > If more than one overlapping you can rule out the physical FXO port.
> >
> > --
> > Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
> > Impulse Internet Service - http://www.impulse.net/
> > Your local telephone and internet company - 805 884-6323 - WB6RDV
> > _______________________________________________
> > VoiceOps mailing list
> > VoiceOps@voiceops.org
> > https://puck.nether.net/mailman/listinfo/voiceops
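
The condition raised in the reply at the top of this message (REGISTERs ignored, INVITEs accepted anyway) can be checked directly against a capture like the one quoted. This is an added example, not code from the thread's participants: it parses tcpdump-style SIP output and reports INVITEs that carried no credentials yet drew a 2xx with no 401/407 challenge. The sample capture, its documentation-range addresses and the function names are constructed for illustration.

```python
import re

# Constructed capture in the thread's tcpdump layout (documentation addresses, not the post's).
SAMPLE = """\
19:18:48.788559 203.0.113.7.10181 > 198.51.100.1.5060:
REGISTER sip:198.51.100.1 SIP/2.0
Call-ID: reg-1
CSeq: 1 REGISTER
19:23:31.365141 203.0.113.7.10189 > 198.51.100.1.5060:
INVITE sip:15550100@198.51.100.1 SIP/2.0
Call-ID: inv-1
CSeq: 1 INVITE
19:23:36.833967 198.51.100.1.5060 > 203.0.113.7.10189:
SIP/2.0 200 OK
Call-ID: inv-1
CSeq: 1 INVITE
19:30:00.000001 192.0.2.9.5060 > 198.51.100.1.5060:
INVITE sip:15550101@198.51.100.1 SIP/2.0
Call-ID: inv-2
CSeq: 1 INVITE
19:30:00.000900 198.51.100.1.5060 > 192.0.2.9.5060:
SIP/2.0 407 Proxy Authentication Required
Call-ID: inv-2
CSeq: 1 INVITE
"""
PKT = re.compile(r"^[\d:.]+ (\S+)\.\d+ > (\S+)\.\d+:")

def parse(text):
    """Yield (src, start_line, headers) per SIP message; <<< / >>> marker lines are skipped."""
    for block in re.split(r"(?m)^(?=[\d:.]+ \S+ > \S+:)", text):
        lines = [l.strip() for l in block.splitlines() if l.strip()[:1] not in ("", "<", ">")]
        m = PKT.match(lines[0]) if lines else None
        if m and len(lines) > 1:
            pairs = (l.split(":", 1) for l in lines[2:] if ":" in l)
            yield m.group(1), lines[1], {k.strip().lower(): v.strip() for k, v in pairs}

def unchallenged_invites(text):
    """Return (source, Call-ID) for credential-less INVITEs answered 2xx and never 401/407."""
    invites, codes = {}, {}
    for src, start, hdr in parse(text):
        cid = hdr.get("call-id")
        if start.startswith("INVITE "):
            if not {"authorization", "proxy-authorization"} & hdr.keys():
                invites.setdefault(cid, src)
        elif start.startswith("SIP/2.0 ") and hdr.get("cseq", "").endswith("INVITE"):
            codes.setdefault(cid, set()).add(int(start.split()[1]))
    return sorted((s, c) for c, s in invites.items()
                  if any(200 <= x < 300 for x in codes.get(c, ()))
                  and not {401, 407} & codes.get(c, set()))
```

Any result for a WAN-side capture means the device set up a call for a sender it never authenticated; an empty list means every accepted INVITE was either challenged or already carried credentials.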