<div dir="ltr">On Tue, Nov 12, 2013 at 6:05 PM, Hiers, David <span dir="ltr"><<a href="mailto:David.Hiers@adp.com" target="_blank">David.Hiers@adp.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Maybe someone is spoofing your SBC IP address?<br></blockquote><div>�</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I can't see what useful info would be gained from such spoofing, but enough of these could DOS you pretty hard.<br></blockquote><div><br></div><div>I would suggest capturing packets towards the devices experiencing it, behind the NAT device, using Wireshark ----- � I would wonder first if either the �NAT/ACL �isn't working as designed; �or traffic is coming from a SIP ALG / �inside the NAT; �spoofing the SBC's �source IP seems terribly unlikely.<br>
</div><div><br></div><div>I think it's more likely, there's an unexpected way the Polycom is being contacted, �such as a proxy service on a router.</div><div><br></div><div><br></div><div>Then there is that matter of; � �"Does your NAT device verify the foreign IP address of reverse traffic �like a full stateful firewall would, � or does it just �check �the destination port number on an incoming packet, �and immediately � translate �to internal IP based on the destination port number �and forward �to the internal device?"<br>
</div><div><br></div><div>In the latter case, �the internal device might be contacted on port 5060 �from other �internet hosts �scanning the ephemeral port range; � if that 5060 from the internal device �has recently been used as a source port from the Polycom contacting the SBC.</div>
<div><br></div><div><br></div><div>So a full packet capture from the network with the handsets, could give you a better idea, �of what you are seeing.</div><div><br></div><div>�</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
David<br>
<div><div class="h5"></div></div></blockquote></div>--</div><div class="gmail_extra">-JH</div></div>