Ghost Calls from Port Scanning

[gykovacs]

Hi support,

I have just faced with the same problem, port scanner rings my phones. I have tried the suggested solutions, but this disable the registration to my SIP server too.

T22P phone with FW 7.72.0.25

account.1.sip_trust_ctrl=1
account.2.sip_trust_ctrl=1
account.3.sip_trust_ctrl=1

Direct IP calls need for click2dial application so I can't disable.

Here are my logs (note: valid IP addresses and domain names were replaced because of security purpose)

> Apr 24 17:44:12 SIP [450]: SUA <5+notice> [000] DNS query:Found in Cache
> Apr 24 17:44:12 SIP [450]: DNS <6+info > [DNS] dns record 0: removed.example.com/111.222.333.444
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] DNS resolution with 111.222.333.444:5060
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Message sent: (to dest=111.222.333.444:5060)
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000]
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] REGISTER sip:removed.example.com SIP/2.0^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Via: SIP/2.0/UDP 10.6.118.22:5072;branch=z9hG4bK1557744813^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] From: "209" <sip:209@removed.example.com>;tag=1736150681^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] To: "209" <sip:209@removed.example.com>^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Call-ID: 579639055@10.6.118.22^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] CSeq: 1 REGISTER^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Contact: <sip:209@10.6.118.22:5072>^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Max-Forwards: 70^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] User-Agent: Yealink SIP-T22P 7.72.0.25^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Expires: 3600^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Allow-Events: talk,hold,conference,refer,check-sync^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Content-Length: 0^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] ^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000]
> Apr 24 17:44:12 SIP [450]: SDL <5+notice> [000] send request retransmission (id=1)^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Received message:
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000]
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] SIP/2.0 401 Unauthorized^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Via: SIP/2.0/UDP 10.6.118.22:5072;branch=z9hG4bK1557744813;received=222.333.444.555;rport=5072^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] To: "209"<sip:209@removed.example.com>;tag=fdfa5237^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] From: "209"<sip:209@removed.example.com>;tag=1736150681^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Call-ID: 579639055@10.6.118.22^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] CSeq: 1 REGISTER^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] WWW-Authenticate: Digest realm="example",algorithm=MD5,nonce="53594d543bc71f60f7d560d4b656e40f3176ab17",qop="auth",opaque="",stale=false^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Content-Length: 0^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] ^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000]
> Apr 24 17:44:12 SIP [450]: SUA <6+info > [000] SIPTrustCtrl IS Enable
> Apr 24 17:44:12 SIP [450]: SUA <3+error > [000] IP:[111.222.333.444] is NO found in the dns cache,discard this message!

The phone knows the IP address of the server, sends out the registration message, but after a little bit later the same IP address is not trusted already.
"IP:[111.222.333.444] is NO found in the dns cache,discard this message".
The registration is based on SRV records, the SRV contains 2 IP addresses with priority. In the logs I see only one IP address (the one with highest priority) if it counts.
Any advice?