<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>When he says “customers” I am assuming he means remote customers. It sounds like he is a reseller of telecom facilities to me. Which means his customers most likely have ATA’s with port 5060 forwarded to the ATA, or they are direct on the I’net.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>He has already set the ATA to only allow calls from the proxy server, so sounds like he has plugged the hole.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>They are not ‘sniffing’ your traffic, they are guessing/scanning. That’s it, that’s all, no great conspiracy going on. They look for open 5060, then send SIP requests to it hopefully finding a badly implemented SIP solution to which they can dial through. Once they determine they cannot get through, the script will move on to the next sucker.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You have a couple of options, which you could implement at *<b>each</b>* of your customers if you wanted. Set up a VPN, tunnel the SIP/RTP traffic through it. Set up IPTables at the customer to only allow SIP from your IP. Or, do what you have already done and forget about these idiots doing the scan, they are harmless at this point.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Vlans and DMZ for the server do no good as the attacks are being directed at the remote client side, not the server.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] <b>On Behalf Of </b>Ricardo Carvalho<br><b>Sent:</b> Monday, February 28, 2011 6:31 AM<br><b>To:</b> Asterisk Users Mailing List - Non-Commercial Discussion<br><b>Subject:</b> Re: [asterisk-users] asterisk security....again<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Probably, you are receiving INVITE attacks from some tool like sipvicious. You should rearange your network to cover some inportant security issues.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The IP address of you server can be revealed in some unincrypted SIP signaling of some call through the Internet to/from your server's client, or simply by your client SRV record in the DNS, if you added it to his DNS.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Probably your network is exposed to the Internet. To address those situations, you can use a distinct VLAN to address SIP phones and you also can use port security at the switching ports where you connect your ATAs and phones. You should also deliver with tagging (802.1Q) that VLAN to those ATAs and phones. This should protect you from inside sniffers.<o:p></o:p></p></div><div><p class=MsoNormal>This VLAN should just communicate with the DMZ where you should have your asterisk server and between those two networks you should only open the needed ports - for a common SIP infrastructure you should open UDP 5060 and the specified UDP range shown in rtp.conf file for the media to pass. Phones VLAN should not communicate directlly with the world, just in the outbound direction if you like. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Regards,<o:p></o:p></p></div><div><p class=MsoNormal>Ricardo Carvalho.<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Mon, Feb 28, 2011 at 10:33 AM, Rizwan Hisham <<a href="mailto:rizwanhasham@gmail.com">rizwanhasham@gmail.com</a>> wrote:<o:p></o:p></p><p class=MsoNormal>Hi all,<br>The problem I have been experiencing since last month is that some of my customers are getting calls with "Asterisk <Unknown>" caller id. Most of them in the middle of the night. And my asterisk server has no record of these calls. The customers were getting irritated as you can imagine. I guessed the only way to receive incoming calls by by-passing the registration server is thru sip-uri calls directly to customers. I have updated the customers atas to not accept any calls from sources other than the registration server. Thats all fine now. But the question is how can anyone know the direct sip uri addresses of our customers.<br><br>My guess is that someone has been sniffing my server's sip traffic. In that case what should i do to get rid of the sniffers?<br><br>If you think there is another reason for that then please tell me even if you dont have the solution.<br><br>Thanks<br><span style='color:#888888'><br>-- <o:p></o:p></span></p><div><p class=MsoNormal><span style='color:#888888'>Best Ragards<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>Rizwan Qureshi<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>VoIP/Asterisk Engineer<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>Axvoice Inc.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>V: +92 (0) 3333 6767 26<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>E: <a href="mailto:rizwanhasham@gmail.com" target="_blank">rizwanhasham@gmail.com</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>W: <a href="http://www.axvoice.com/" target="_blank">www.axvoice.com</a><o:p></o:p></span></p></div><p class=MsoNormal><span style='color:#888888'><br><br></span><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>