Yealink Forums
Protection against SIP vicious on wp52 and above - Printable Version

+- Yealink Forums (http://forum.yealink.com/forum)
+-- Forum: IP Phone Series (/forumdisplay.php?fid=4)
+--- Forum: General topics (/forumdisplay.php?fid=15)
+--- Thread: Protection against SIP vicious on wp52 and above (/showthread.php?tid=3002)

Pages: 1 2


Protection against SIP vicious on wp52 and above - MikeHughes@kube - 12-13-2014 05:42 PM

Hope,

Hope you can help. Is there any additional ways you can advise on how to stop and give protection against SIP vicious attacks or another SIP scanner? We have a few client getting so called "ghost calls"

Would changing the port from 6050 help and to TCP? ( i know SIP is not meant to on TCP) but i need to find a way to protect these phones.

The main phones that we see are W52, T20, T22, T26, T28... To date I have not see in this issue on t42s, 46, or on t48

If you could advise

Many Thanks
M


RE: Protection against SIP vicious on wp52 and above - complex1 - 12-14-2014 05:56 AM

Hi,

You are not the first who have issues with ghost calls.
Please do a search on this forum.
You can find a lot of answers and solutions to your question.

Kind regards.


RE: Protection against SIP vicious on wp52 and above - MikeHughes@kube - 12-14-2014 06:55 PM

Thanks for the reply. However, if take a quick look at my question again ( on the first part ) I was asking for any additional ways. I have explored this matter in great detail and I see most posts don't really resolve the matter.

Maybe if Yealink could release or advise on a firmware versions that could take care of it. Then we could push this out.

It's interstiing that Cisco and Polycom don't have this issue.

Thanks


RE: Protection against SIP vicious on wp52 and above - James_Yealink - 12-15-2014 10:30 AM

Hi Mike,

Generally the behavior about ghost call to T4x and T2x should be same. Maybe T4x series happen to not receive a vicious attacks or they are not in a same subnet.
In official stable version of 73 we will add the option "sip trust control" to web interface. It will be under account-> Advanced interface.

End users can prevent the ghost call easier that time.

Regards,
James


RE: Protection against SIP vicious on wp52 and above - mkeuter - 12-15-2014 10:14 PM

But the best way to protect against SIP scanners is to do this on your firewall or SIP-PBX (or SIP Proxy) and let run "external" phones through a VPN. Cause on the phone there will always be limited resources.

Example: in AstLinux (Asterisk Linux distro) we have a firewall plugin where you can define the useragents of the SIP scanners e.g. "friendly-scanner sipcli VaxSIPUserAgent".
http://www.astlinux.org


RE: Protection against SIP vicious on wp52 and above - saulgoodwin - 02-16-2015 04:47 PM

Hi kids,

Just a quick note.
In the latest Yealink Firmware there is an option Accept Sip Trust Server Only. By default it is set to Diabled.
Try changing it to Enabled.
You can find the option under Accounts -> Advanced.
It is at the very bottom of the list.

Tested on T20, T21, T26.

Hope that helps.


RE: Protection against SIP vicious on wp52 and above - pgtipicall - 02-17-2015 07:30 PM

(02-16-2015 04:47 PM)saulgoodwin Wrote:  Hi kids,

Just a quick note.
In the latest Yealink Firmware there is an option Accept Sip Trust Server Only. By default it is set to Diabled.
Try changing it to Enabled.
You can find the option under Accounts -> Advanced.
It is at the very bottom of the list.

Tested on T20, T21, T26.

Hope that helps.

So I installed a SIP Vicious on a Raspberry Pi and ran a scan on our local network and discovered all Yealink phones, sent a blank invite to a device and it rang.

Easy when you are in the internal network, my colleague changed a setting on his phone and it now no longer rings.

Surely the issue here is that the device connecting the phones to the service is not secure? If it's locked down to a specific IP then it should not be a problem?


RE: Protection against SIP vicious on wp52 and above - saulgoodwin - 02-23-2015 12:26 AM

Hi Paul,

When you say your colleague changed a setting on his phone which setting do you refer to ?
By setting Accept Sip Trust Server Only to Enable you do indeed lock your phone down to a specific IP. Once it is set to Enable phone will only only accept packets from IPs mentioned in Accounts tab.


RE: Protection against SIP vicious on wp52 and above - michael@newcoit.com - 02-23-2015 10:53 PM

This is incorrect, at least as far as invites are concerned and according to my current understanding.

I have pushed a config to a T46 with the Accept Sip Trust option set to 1, the phone will STILL accept bogus invites from an inviteflood tool (Tested using inviteflood tool in Kali Linux, FWIW)

The setting I have found that PREVENTS bogus SIP Invites from ringing the phone is "Allow Direct IP Call" found under General > Features - set it to disabled and then send an Invite to your phone and you will see this prevents this type of attack.

The issue at hand is not particularly the phone server being locked down (you still do want to lock down your phone server as much as possible), it's your edge device, your firewall running NAT which the phones are behind, which is intermittently allowing random SIP Invites through NAT due to NAT pinholing. This becomes a problem with remote phones across the internet if you have any phones in that scenario - you will find ghost calls sometimes will ring those phones due to the above mentioned issue.

I've got a separate thread about it - I've been looking at finding the specific .cfg entry myself in order to automate disabling Allow IP Call.


(02-23-2015 12:26 AM)saulgoodwin Wrote:  Hi Paul,

When you say your colleague changed a setting on his phone which setting do you refer to ?
By setting Accept Sip Trust Server Only to Enable you do indeed lock your phone down to a specific IP. Once it is set to Enable phone will only only accept packets from IPs mentioned in Accounts tab.



RE: Protection against SIP vicious on wp52 and above - khadi - 07-16-2015 12:19 AM

Hello,

Please could you help me, I did not find the option as '' Allow Direct IP call '' or '' Accept Sip Trust Server Only '' in the SIP-W52P phone, my client receive sip calls every 15 min.

Thank for your help,