There are companies that do revenue sharing on fraud calls. "Get paid for conference call" type deals. I've seen a lot of fraud out of Gaza lately like this.

On Fri, 11/01/2013 05:30 PM, Matt Yaklin wrote:
> List,
>
> The problem was I was missing a check box labeled:
>
> "Limit Inbound to listed Proxies / SIP Servers"
>
> Under the SIP settings page.
>
> This was my first Edgemarc that had the survivability license with
> it so it took some playing around to get everything to work. I must
> have unchecked it while trying to fix an issue during setup and never
> came back to it.
>
> No problem found. Operator error that probably cost G4 $300 bucks
> easy on toll charges.
>
> Thank you all for responding. Now I just need a way to get revenge
> on the hacker. Anyone have any contacts in the Gaza Strip? :-(
>
> I know this has been discussed here before but why in the world
> would a Palestinian be calling Grenada? How does one make money off
> that situation. Sigh...
>
> matt@g4.net
>
> On Fri, 1 Nov 2013, Matt Yaklin wrote:
>
> >
> > I think you are on the right track.
> >
> > I was reading the manual just now trying to figure out how
> > or where 1001 comes from. Perhaps that does not even matter.
> > You could make up anything.
> >
> > I am just not seeing how I tell this edgemarc box to stop
> > allowing it yet short of using a firewall feature that this
> > box does not have like the newest 13.x firmware does. Maybe
> > it is hidden or people used the pass through rule set.
> >
> > matt
> >
> > On Fri, 1 Nov 2013, Paul Timmins wrote:
> >
> >> Have you tried tossing an unauthenticated call at the edgemarc from outside
> >> using a from address of 1001@edgemarcip? Looks like that's what this guy is
> >> doing.
> >> You're ignoring his registers but you may be allowing invites from an
> >> unregistered device.
> >>
> >> On Fri, 11/01/2013 03:33 PM, Matt Yaklin <myaklin@g4.net> wrote:
> >> They are not overlapping.
> >>
> >> The attacker finally bit just a bit ago.
> >> I only was running
> >> tcpdump on port 5060 on the edgemarc but I captured the SIP
> >> traffic for what the attacker is doing. I wish I had set up
> >> more.
> >>
> >>
> >> I blocked international via an auth code right now...
> >>
> >> x.x.139.225 = WAN ethernet port of the Edgemarc.
> >>
> >> I am going through this now and if anyone can help I would
> >> greatly appreciate it. I need to find out why this is happening.
> >>
> >>
> >>
> >> -----------------------
> >> -----------------------
> >> -----------------------
> >> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> >> SUBSCRIBE, INFO
> >> User-Agent: eyeBeam release 3007n stamp 17816
> >> Cont
> >> <<<<<<<<<<<<<< >>
> >> 19:18:48.788559 176.58.68.20.10181 > x.x.139.225.5060:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> REGISTER sip:x.x.139.225 SIP/2.0
> >> To:
> >> From: ;tag=e26e273f
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> >> Call-ID: b161d8122d506908
> >> CSeq: 1 REGISTER
> >> Contact:
> >> Expires: 3600
> >> Max-Forwards: 70
> >> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> >> SUBSCRIBE, INFO
> >> User-Agent: eyeBeam release 3007n stamp 17816
> >> Cont
> >> <<<<<<<<<<<<<< >>
> >> 19:18:52.786472 176.58.68.20.10181 > x.x.139.225.5060:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> REGISTER sip:x.x.139.225 SIP/2.0
> >> To:
> >> From: ;tag=e26e273f
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> >> Call-ID: b161d8122d506908
> >> CSeq: 1 REGISTER
> >> Contact:
> >> Expires: 3600
> >> Max-Forwards: 70
> >> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> >> SUBSCRIBE, INFO
> >> User-Agent: eyeBeam release 3007n stamp 17816
> >> Cont
> >> <<<<<<<<<<<<<< >>
> >> 19:18:56.794955 176.58.68.20.10181 > x.x.139.225.5060:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> REGISTER sip:x.x.139.225 SIP/2.0
> >> To:
> >> From: ;tag=e26e273f
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> >> Call-ID: b161d8122d506908
> >> CSeq: 1 REGISTER
> >> Contact:
> >> Expires: 3600
> >> Max-Forwards: 70
> >> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> >> SUBSCRIBE, INFO
> >> User-Agent: eyeBeam release 3007n stamp 17816
> >> Cont
> >> <<<<<<<<<<<<<< >>
> >> 19:19:00.899198 176.58.68.20.10181 > x.x.139.225.5060:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> REGISTER sip:x.x.139.225 SIP/2.0
> >> To:
> >> From: ;tag=e26e273f
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> >> Call-ID: b161d8122d506908
> >> CSeq: 1 REGISTER
> >> Contact:
> >> Expires: 3600
> >> Max-Forwards: 70
> >> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> >> SUBSCRIBE, INFO
> >> User-Agent: eyeBeam release 3007n stamp 17816
> >> Cont
> >> <<<<<<<<<<<<<< >>
> >> 19:19:04.809371 176.58.68.20.10181 > x.x.139.225.5060:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> REGISTER sip:x.x.139.225 SIP/2.0
> >> To:
> >> From: ;tag=e26e273f
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> >> Call-ID: b161d8122d506908
> >> CSeq: 1 REGISTER
> >> Contact:
> >> Expires: 3600
> >> Max-Forwards: 70
> >> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> >> SUBSCRIBE, INFO
> >> User-Agent: eyeBeam release 3007n stamp 17816
> >> Cont
> >> <<<<<<<<<<<<<< >>
> >> 19:19:08.831073 176.58.68.20.10181 > x.x.139.225.5060:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> REGISTER sip:x.x.139.225 SIP/2.0
> >> To:
> >> From: ;tag=e26e273f
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> >> Call-ID: b161d8122d506908
> >> CSeq: 1 REGISTER
> >> Contact:
> >> Expires: 3600
> >> Max-Forwards: 70
> >> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY,
> >> MESSAGE,
> >> SUBSCRIBE, INFO
> >> User-Agent: eyeBeam release 3007n stamp 17816
> >> Cont
> >> <<<<<<<<<<<<<< >>
> >> 19:19:12.827515 176.58.68.20.10181 > x.x.139.225.5060:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> REGISTER sip:x.x.139.225 SIP/2.0
> >> To:
> >> From: ;tag=e26e273f
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> >> Call-ID: b161d8122d506908
> >> CSeq: 1 REGISTER
> >> Contact:
> >> Expires: 3600
> >> Max-Forwards: 70
> >> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> >> SUBSCRIBE, INFO
> >> User-Agent: eyeBeam release 3007n stamp 17816
> >> Cont
> >> <<<<<<<<<<<<<< >>
> >> 19:19:16.827669 176.58.68.20.10181 > x.x.139.225.5060:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> REGISTER sip:x.x.139.225 SIP/2.0
> >> To:
> >> From: ;tag=e26e273f
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
> >> Call-ID: b161d8122d506908
> >> CSeq: 1 REGISTER
> >> Contact:
> >> Expires: 3600
> >> Max-Forwards: 70
> >> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> >> SUBSCRIBE, INFO
> >> User-Agent: eyeBeam release 3007n stamp 17816
> >> Cont
> >> <<<<<<<<<<<<<< >>
> >> 19:23:19.307756 176.58.68.20.10189 > x.x.139.225.5060:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> BYE sip:14734050085@x.x.139.225:5060 SIP/2.0
> >> To: ;tag=6516fea2
> >> From: ;tag=214bbc47
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport
> >> Call-ID: 346c8a3823657575
> >> CSeq: 2 BYE
> >> Route:
> >> Contact:
> >> Max-Forwards: 70
> >> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> >> SUBSCRIBE,
> >> <<<<<<<<<<<<<< >>
> >> 19:23:19.370269 x.x.139.225.5060 > 176.58.68.20.10189:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> SIP/2.0 200 OK
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport=5060
> >> Record-Route:
> >> From: ;tag=214bbc47
> >> To: ;tag=6516fea2
> >> Call-ID: 346c8a3823657575
> >> CSeq: 2 BYE
> >> Contact:
> >> User-agent: fxo/1.0
> >> Content-Length: 0
> >>
> >>
> >> <<<<<<<<<<<<<< >> [tos 0xb8]
> >> 19:23:31.365141 176.58.68.20.10189 > x.x.139.225.5060:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> INVITE sip:14734050088@x.x.139.225 SIP/2.0
> >> To:
> >> From: ;tag=d909f80a
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport
> >> Call-ID: 2b6a574f323db602
> >> CSeq: 1 INVITE
> >> Contact:
> >> Max-Forwards: 70
> >> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
> >> SUBSCRIBE, INFO
> >> Content-Type: application/sdp
> >> User-Agent: eyeBeam
> >> <<<<<<<<<<<<<< >>
> >> 19:23:31.417251 x.x.139.225.5060 > 176.58.68.20.10189:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> SIP/2.0 100 Trying
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
> >> From: ;tag=d909f80a
> >> To: ;tag=51a346d4
> >> Call-ID: 2b6a574f323db602
> >> CSeq: 1 INVITE
> >> User-agent: fxo/1.0
> >> Content-Length: 0
> >>
> >>
> >> <<<<<<<<<<<<<< >> [tos 0xb8]
> >> 19:23:36.793012 x.x.139.225.5060 > 176.58.68.20.10189:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> SIP/2.0 180 Ringing
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
> >> Record-Route:
> >> From: ;tag=d909f80a
> >> To: ;tag=51a346d4
> >> Call-ID: 2b6a574f323db602
> >> CSeq: 1 INVITE
> >> Contact:
> >> User-agent: fxo/1.0
> >> Content-Length: 0
> >>
> >>
> >> <<<<<<<<<<<<<< >> [tos 0xb8]
> >> 19:23:36.833967 x.x.139.225.5060 > 176.58.68.20.10189:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> SIP/2.0 200 OK
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
> >> Record-Route:
> >> From: ;tag=d909f80a
> >> To: ;tag=51a346d4
> >> Call-ID: 2b6a574f323db602
> >> CSeq: 1 INVITE
> >> Contact:
> >> User-agent: fxo/1.0
> >> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE
> >> Content-Type: application/sdp
> >> Content-Leng
> >> <<<<<<<<<<<<<< >> [tos 0xb8]
> >> 19:23:37.060875 176.58.68.20.10189 > x.x.139.225.5060:
> >> >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
> >> ACK sip:14734050088@x.x.139.225:5060 SIP/2.0
> >> To: ;tag=51a346d4
> >> From: ;tag=d909f80a
> >> Via: SIP/2.0/UDP
> >> 176.58.68.20:10189;branch=z9hG4bK-d87543-154025872-1--d87543-;rport
> >> Call-ID: 2b6a574f323db602
> >> CSeq: 1 ACK
> >> Route:
> >> Contact:
> >> Max-Forwards: 70
> >> User-Agent: eyeBeam release 3007n stamp 17816
> >> Content-Length: 0
> >>
> >>
> >> <<<<<<<<<<<<<< >>
> >>
> >> ---------------
> >> --------------
> >> ------------
> >>
> >> On Fri, 1 Nov 2013, Jay Hennigan wrote:
> >>
> >> > On 11/1/13 12:04 PM, Matt Yaklin wrote:
> >> >>
> >> >> Approx 60-70 calls.
> >> >
> >> > If more than one overlapping you can rule out the physical FXO port.
> >> >
> >> > --
> >> > Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
> >> > Impulse Internet Service - http://www.impulse.net/
> >> > Your local telephone and internet company - 805 884-6323 - WB6RDV
> >> > _______________________________________________
> >> > VoiceOps mailing list
> >> > VoiceOps@voiceops.org
> >> > https://puck.nether.net/mailman/listinfo/voiceops
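
Added example, not part of the original thread: a check over a SIP capture for the condition Paul Timmins describes and that "Limit Inbound to listed Proxies / SIP Servers" closes, namely an INVITE from a host that is not a listed proxy being answered with 200 OK. The capture is constructed in a simplified form of the thread's tcpdump layout; `TRUSTED_PROXIES`, the addresses, the numbers and the function name are assumptions.

```python
import re

# Assumption: the listed proxies / SIP servers allowed to send SIP inbound.
TRUSTED_PROXIES = {"203.0.113.10"}

# Constructed capture in the thread's tcpdump layout (documentation addresses).
SAMPLE = """\
19:23:31.365141 198.51.100.20.10189 > 192.0.2.225.5060:
INVITE sip:15555550100@192.0.2.225 SIP/2.0
Call-ID: aaaa1111
CSeq: 1 INVITE
19:23:36.833967 192.0.2.225.5060 > 198.51.100.20.10189:
SIP/2.0 200 OK
Call-ID: aaaa1111
CSeq: 1 INVITE
19:24:02.000100 203.0.113.10.5060 > 192.0.2.225.5060:
INVITE sip:15555550101@192.0.2.225 SIP/2.0
Call-ID: bbbb2222
CSeq: 1 INVITE
19:24:02.050000 192.0.2.225.5060 > 203.0.113.10.5060:
SIP/2.0 200 OK
Call-ID: bbbb2222
CSeq: 1 INVITE
"""

HDR = re.compile(r"^(\S+)\.\d+ > \S+\.\d+:\s+(.*)")  # source IP, first SIP line
INVITE = re.compile(r"^INVITE sip:([^@\s]+)@")
STATUS = re.compile(r"^SIP/2\.0 (\d{3})")

def untrusted_answered_invites(capture, trusted=TRUSTED_PROXIES):
    """List (call_id, src_ip, dialed, challenged) for answered INVITEs from unlisted hosts."""
    calls = {}
    for pkt in re.split(r"(?m)^\d\d:\d\d:\d\d\.\d+ ", capture)[1:]:
        head = HDR.match(pkt)
        cid = re.search(r"(?im)^\s*Call-ID:\s*(\S+)", pkt)
        cseq = re.search(r"(?im)^\s*CSeq:\s*\d+\s+(\w+)", pkt)
        if not (head and cid and cseq):
            continue  # truncated packet, cannot be attributed to a call
        call = calls.setdefault(cid.group(1), {"src": None, "dialed": None, "codes": set()})
        inv, status = INVITE.match(head.group(2)), STATUS.match(head.group(2))
        if inv and call["src"] is None:
            call["src"], call["dialed"] = head.group(1), inv.group(1)
        elif status and cseq.group(1).upper() == "INVITE":
            call["codes"].add(status.group(1))
    return [(cid, c["src"], c["dialed"], bool(c["codes"] & {"401", "407"}))
            for cid, c in calls.items()
            if c["src"] and c["src"] not in trusted and "200" in c["codes"]]

print(untrusted_answered_invites(SAMPLE))
```

The last field of each hit is True when a 401 or 407 was seen on the same Call-ID; False means the call was answered with no authentication challenge at all.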