New Forum system requires email address which you used to apply for your account to replace your original username. Password stays the same.Please see this post for more details
http://forum.yealink.com/forum/showthread.php?tid=40344

Yealink Test Club has been officially launched. Please visit post below to get detail information. Come and join us!
http://forum.yealink.com/forum/announcements.php?aid=18

We just had the YMCS online and we are also working on the features plan on the future versions, in this regard we are need to hear your voice about the YMCS.
Please visit : http://forum.yealink.com/forum/showthread.php?tid=42322


Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Protection against SIP vicious on wp52 and above
Author Message
MikeHughes@kube Offline
Junior Member
**

Posts: 3
Joined: Apr 2013
Reputation: 0
Post: #1
Protection against SIP vicious on wp52 and above
Hope,

Hope you can help. Is there any additional ways you can advise on how to stop and give protection against SIP vicious attacks or another SIP scanner? We have a few client getting so called "ghost calls"

Would changing the port from 6050 help and to TCP? ( i know SIP is not meant to on TCP) but i need to find a way to protect these phones.

The main phones that we see are W52, T20, T22, T26, T28... To date I have not see in this issue on t42s, 46, or on t48

If you could advise

Many Thanks
M
12-13-2014 05:42 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
complex1 Offline
3CX Adv. Cert. Engineer
*****

Posts: 724
Joined: Jan 2014
Reputation: 22
Post: #2
RE: Protection against SIP vicious on wp52 and above
Hi,

You are not the first who have issues with ghost calls.
Please do a search on this forum.
You can find a lot of answers and solutions to your question.

Kind regards.
12-14-2014 05:56 AM
Find all posts by this user    like1    dislike0 Quote this message in a reply
MikeHughes@kube Offline
Junior Member
**

Posts: 3
Joined: Apr 2013
Reputation: 0
Post: #3
RE: Protection against SIP vicious on wp52 and above
Thanks for the reply. However, if take a quick look at my question again ( on the first part ) I was asking for any additional ways. I have explored this matter in great detail and I see most posts don't really resolve the matter.

Maybe if Yealink could release or advise on a firmware versions that could take care of it. Then we could push this out.

It's interstiing that Cisco and Polycom don't have this issue.

Thanks
12-14-2014 06:55 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
James_Yealink Offline
Administrator
*******

Posts: 1,159
Joined: Aug 2014
Reputation: 8
Post: #4
RE: Protection against SIP vicious on wp52 and above
Hi Mike,

Generally the behavior about ghost call to T4x and T2x should be same. Maybe T4x series happen to not receive a vicious attacks or they are not in a same subnet.
In official stable version of 73 we will add the option "sip trust control" to web interface. It will be under account-> Advanced interface.

End users can prevent the ghost call easier that time.

Regards,
James
(This post was last modified: 12-15-2014 10:30 AM by James_Yealink.)
12-15-2014 10:30 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
mkeuter Offline
Asterisk Integrator
***

Posts: 81
Joined: Jul 2013
Reputation: 3
Post: #5
RE: Protection against SIP vicious on wp52 and above
But the best way to protect against SIP scanners is to do this on your firewall or SIP-PBX (or SIP Proxy) and let run "external" phones through a VPN. Cause on the phone there will always be limited resources.

Example: in AstLinux (Asterisk Linux distro) we have a firewall plugin where you can define the useragents of the SIP scanners e.g. "friendly-scanner sipcli VaxSIPUserAgent".
http://www.astlinux.org

Michael

http://www.mksolutions.info
12-15-2014 10:14 PM
Visit this user's website Find all posts by this user    like0    dislike0 Quote this message in a reply
saulgoodwin Offline
Junior Member
**

Posts: 4
Joined: Oct 2014
Reputation: 0
Post: #6
RE: Protection against SIP vicious on wp52 and above
Hi kids,

Just a quick note.
In the latest Yealink Firmware there is an option Accept Sip Trust Server Only. By default it is set to Diabled.
Try changing it to Enabled.
You can find the option under Accounts -> Advanced.
It is at the very bottom of the list.

Tested on T20, T21, T26.

Hope that helps.
02-16-2015 04:47 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
pgtipicall Offline
Junior Member
**

Posts: 2
Joined: May 2014
Reputation: 0
Post: #7
RE: Protection against SIP vicious on wp52 and above
(02-16-2015 04:47 PM)saulgoodwin Wrote:  Hi kids,

Just a quick note.
In the latest Yealink Firmware there is an option Accept Sip Trust Server Only. By default it is set to Diabled.
Try changing it to Enabled.
You can find the option under Accounts -> Advanced.
It is at the very bottom of the list.

Tested on T20, T21, T26.

Hope that helps.

So I installed a SIP Vicious on a Raspberry Pi and ran a scan on our local network and discovered all Yealink phones, sent a blank invite to a device and it rang.

Easy when you are in the internal network, my colleague changed a setting on his phone and it now no longer rings.

Surely the issue here is that the device connecting the phones to the service is not secure? If it's locked down to a specific IP then it should not be a problem?

Thanks
Paul
02-17-2015 07:30 PM
Visit this user's website Find all posts by this user    like0    dislike0 Quote this message in a reply
saulgoodwin Offline
Junior Member
**

Posts: 4
Joined: Oct 2014
Reputation: 0
Post: #8
RE: Protection against SIP vicious on wp52 and above
Hi Paul,

When you say your colleague changed a setting on his phone which setting do you refer to ?
By setting Accept Sip Trust Server Only to Enable you do indeed lock your phone down to a specific IP. Once it is set to Enable phone will only only accept packets from IPs mentioned in Accounts tab.
02-23-2015 12:26 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
michael@newcoit.com Offline
Junior Member
**

Posts: 2
Joined: Feb 2015
Reputation: 0
Post: #9
RE: Protection against SIP vicious on wp52 and above
This is incorrect, at least as far as invites are concerned and according to my current understanding.

I have pushed a config to a T46 with the Accept Sip Trust option set to 1, the phone will STILL accept bogus invites from an inviteflood tool (Tested using inviteflood tool in Kali Linux, FWIW)

The setting I have found that PREVENTS bogus SIP Invites from ringing the phone is "Allow Direct IP Call" found under General > Features - set it to disabled and then send an Invite to your phone and you will see this prevents this type of attack.

The issue at hand is not particularly the phone server being locked down (you still do want to lock down your phone server as much as possible), it's your edge device, your firewall running NAT which the phones are behind, which is intermittently allowing random SIP Invites through NAT due to NAT pinholing. This becomes a problem with remote phones across the internet if you have any phones in that scenario - you will find ghost calls sometimes will ring those phones due to the above mentioned issue.

I've got a separate thread about it - I've been looking at finding the specific .cfg entry myself in order to automate disabling Allow IP Call.


(02-23-2015 12:26 AM)saulgoodwin Wrote:  Hi Paul,

When you say your colleague changed a setting on his phone which setting do you refer to ?
By setting Accept Sip Trust Server Only to Enable you do indeed lock your phone down to a specific IP. Once it is set to Enable phone will only only accept packets from IPs mentioned in Accounts tab.
02-23-2015 10:53 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
khadi Offline
Junior Member
**

Posts: 1
Joined: Oct 2014
Reputation: 0
Post: #10
RE: Protection against SIP vicious on wp52 and above
Hello,

Please could you help me, I did not find the option as '' Allow Direct IP call '' or '' Accept Sip Trust Server Only '' in the SIP-W52P phone, my client receive sip calls every 15 min.

Thank for your help,
07-16-2015 12:19 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)

Contact Us   Yealink   Return to Top   Return to Content   Lite (Archive) Mode   RSS Syndication