Preventing bogus SIP invites.

[Glacier]

Hello

Periodically some of our T38 IP phones receives ghost calls, due to getting SIP invites from an external source, other than our VOIP provider.
I have read the posts explaning how to configure the phones, to ignore these invites. However what i couldn't figure out was, how to the phones receive these invites in the first place?
Our firewall should block all outside-trafic trying to get in, and there isn't configured any portforwarding etc. to accommodate the VOIP trafic. So im a little lost on how the attackers manage to get SIP invites through the firewall and into the specific phones.

I could just configure the phones to igonore the direct ip calls, but i would rather stop it at the firewall-level.

Do we have a impropper configured firewall?

I hope anyone can shed som light on my issue.

Best regards
Esben

[Bryan Nelson]

Different firewalls implement NAT rules differently, and it sounds like your router uses "Full cone NAT" which results in a port being mapped to the WAN connection which any external host can send packets to.

"Restricted Cone NAT" is a more secure form of NAT, as it will only allow communication with the IP address the NAT mapping was established with. This effectively blocks the random external IP's from sending an invite to the NAT'd port on your WAN IP address. It also prevents service scans.

More info can be found here: http://think-like-a-computer.com/2011/09...es-of-nat/

You may need to replace your router, as it's rare to have any way to configure this. Temporarily, you can change to using TCP as your SIP transport, and\or change your local SIP port to something out of the standard 5060-5065 port range the attackers frequently scan.

Hope this helps!

[Glacier]

Thanks alot, that helped me quite a bit