[asterisk-users] Decoding SIP register hack

sean darcy seandarcy2 at gmail.com
Thu May 17 10:18:39 CDT 2018


I need some help understanding a SIP dialog. Some actor is trying to 
access my server, but I can't figure out what he's trying to do, or how.

I'm getting a lot of these warnings.

[May 17 10:08:08] WARNING[1532]: chan_sip.c:4068 retrans_pkt: Retransmission timeout reached on transmission _zIr9tDtBxeTVTY5F7z8kD7R.. for seqno 101

With SIP DEBUG I tracked the Call-ID to this INVITE :

<--- SIP read from UDP:192.111.139.146:29281 --->
INVITE sip:+48223079992 at 67.80.191.250:5060 SIP/2.0
Via: SIP/2.0/UDP 100.149.241.68:5060;branch=z4hG4bK-966187-1---q9ft4HdLB4ZeBqs;rport=5060
Contact: <sip:9353 at 100.149.241.68:5060>;+sip.instance="<urn:uuid:4B444A32-23FD-4E49-8C99-12077A118D8F>"
Max-Forwards: 70
To: <sip:+48223079992@<my-ip>:5060>
From: "Caller"<sip:9353@<my-ip>:5060>;tag=sXPNixD5Ui42V
Call-ID: _zIr9tDtBxeTVTY5F7z8kD7R..
CSeq: 101 INVITE
Content-Type: application/sdp
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
Supported: replaces
User-Agent: GSM
Allow-Events: hold, talk, conference
Accept: application/sdp
Content-Length: 771

v=0
o=CiscoSystemsSIP-IPPhone 18338 11953 IN IP4 100.149.241.68
s=SIP Call
c=IN IP4 100.149.241.68
t=0 0
m=audio 20000 RTP/AVP 0 8 18 101
a=rtpmap:3 gsm/8000
a=rtpmap:96 speex/8000
a=rtpmap:97 speex/8000
a=fmtp:97 mode=2
a=rtpmap:98 speex/8000
a=fmtp:98 mode=5
a=rtpmap:99 speex/8000
a=fmtp:99 mode=7
a=rtpmap:107 speex/32000
a=fmtp:107 mode=10
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:108 ilbc/8000
a=rtpmap:113 g7231/8000
a=rtpmap:18 g729/8000
a=rtpmap:100 G726-16/8000
a=rtpmap:101 G726-24/8000
a=rtpmap:2 G726-32/8000
a=rtpmap:2 G726-32/8000
a=rtpmap:103 G726-40/8000
a=rtpmap:4 g723/8000
a=fmtp:18 annexb=no
a=rtpmap:109 ilbc/8000
a=fmtp:109 mode=20
a=rtpmap:110 telephone-event/8000
a=fmtp:110 0-15
a=ptime:20
a=sendrecv
<------------->
--- (15 headers 34 lines) ---
Sending to 192.111.139.146:29281 (NAT)
Sending to 192.111.139.146:29281 (NAT)
Using INVITE request as basis request - _zIr9tDtBxeTVTY5F7z8kD7R..
No matching peer for '9353' from '192.111.139.146:29281'
..............
Which then generates a lot of transmissions showing Unauthorized:
..............
Retransmitting #10 (NAT) to 192.111.139.146:29281:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 100.149.241.68:5060;branch=z4hG4bK-966187-1---q9ft4HdLB4ZeBqs;received=192.111.139.146;rport=29281
From: "Caller"<sip:9353@<my-ip>:5060>;tag=sXPNixD5Ui42V
To: <sip:+48223079992@<my-ip>:5060>;tag=as1f60e6dd
Call-ID: _zIr9tDtBxeTVTY5F7z8kD7R..
CSeq: 101 INVITE
Server: Asterisk PBX 13.21.0-rc1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home", nonce="0794806c"
Content-Length: 0


1. What's this guy trying to do? It looks like he's trying to generate 
a call from the server to a Polish number. Why bother?

2. What's the role of the Via and the Contact line? The 100.149.241.68 
seems to be a cell phone. 100.128.0.0/9 is T-Mobile.

3. How do I set up the server to block these?

4. Can I stop the retransmitting of the 401 Unauthorized packets?

Any help appreciated.

sean
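To make sense of the headers in the trace above (questions 1 and 2), here is an added example, not code from the post or from Asterisk, that parses the INVITE and derives the indicators an administrator would check: the dialled number, whether the From user is a configured peer, and whether the Via address matches the real UDP source. The sample message is reconstructed from the quoted trace with the `<my-ip>` placeholders replaced by the 67.80.191.250 shown in its Request-URI, and `KNOWN_PEERS` is a constructed stand-in for the peers in sip.conf.

```python
import re
# INVITE reconstructed from the post's trace (SDP dropped; <my-ip> is 67.80.191.250 as in its Request-URI)
SAMPLE_SRC = ("192.111.139.146", 29281)   # UDP source Asterisk actually received it from
SAMPLE_INVITE = (
    "INVITE sip:+48223079992@67.80.191.250:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 100.149.241.68:5060;branch=z4hG4bK-966187-1---q9ft4HdLB4ZeBqs;rport=5060\r\n"
    "To: <sip:+48223079992@67.80.191.250:5060>\r\n"
    "From: \"Caller\"<sip:9353@67.80.191.250:5060>;tag=sXPNixD5Ui42V\r\n"
    "Call-ID: _zIr9tDtBxeTVTY5F7z8kD7R..\r\n\r\n"
)
KNOWN_PEERS = {"1001", "1002"}   # constructed stand-in for the peers defined in sip.conf

URI_RE = re.compile(r"sip:(?:(?P<user>[^@>;\s]+)@)?(?P<host>[^:>;\s]+)(?::(?P<port>\d+))?")
VIA_RE = re.compile(r"SIP/2\.0/\w+\s+(?P<host>[^:;\s]+)(?::(?P<port>\d+))?")

def parse_request(msg: str) -> tuple:
    """Return (request-line, headers) with names lower-cased; RFC 3261 folded lines joined."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")   # headers only, body ignored
    headers = {}
    last = ""
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:             # continuation of previous header
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return lines[0], headers

def triage_invite(msg: str, src: tuple, peers: set) -> dict:
    """Indicators to check on an INVITE that Asterisk logged as 'No matching peer'."""
    request_line, h = parse_request(msg)
    target = URI_RE.search(request_line)
    via = VIA_RE.match(h.get("via", ""))
    frm = URI_RE.search(h.get("from", ""))
    via_host = via.group("host") if via else ""
    via_port = int(via.group("port") or 5060) if via else 0
    number = (target.group("user") or "") if target else ""
    from_user = (frm.group("user") or "") if frm else ""
    return {
        "call_id": h.get("call-id", ""),
        "target_number": number,                          # dialled number from the Request-URI
        "international": number.startswith(("+", "00")),  # +48 is the Polish country code
        "from_user": from_user,
        "from_user_known": from_user in peers,            # False: no peer '9353' is configured
        "via_hostport": f"{via_host}:{via_port}",
        # Via is where the sender asks replies to go; Asterisk stamps the real source as
        # received=/rport= on its 401, so a mismatch means NAT (or a forged Via)
        "via_matches_source": (via_host, via_port) == src,
    }
```

On the quoted trace this reports an unknown From user, an international destination, and a Via that does not match the source, which is exactly the `received=192.111.139.146;rport=29281` Asterisk added to its 401.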