Ghost Calls from Port Scanning

[ctiefel]

(04-25-2014 08:09 PM)gykovacs Wrote:  Hi support,

I have just faced with the same problem, port scanner rings my phones. I have tried the suggested solutions, but this disable the registration to my SIP server too.

T22P phone with FW 7.72.0.25

account.1.sip_trust_ctrl=1
account.2.sip_trust_ctrl=1
account.3.sip_trust_ctrl=1

Direct IP calls need for click2dial application so I can't disable.

Here are my logs (note: valid IP addresses and domain names were replaced because of security purpose)

> Apr 24 17:44:12 SIP [450]: SUA <5+notice> [000] DNS query:Found in Cache
> Apr 24 17:44:12 SIP [450]: DNS <6+info > [DNS] dns record 0: removed.example.com/111.222.333.444
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] DNS resolution with 111.222.333.444:5060
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Message sent: (to dest=111.222.333.444:5060)
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000]
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] REGISTER sip:removed.example.com SIP/2.0^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Via: SIP/2.0/UDP 10.6.118.22:5072;branch=z9hG4bK1557744813^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] From: "209" <sip:209@removed.example.com>;tag=1736150681^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] To: "209" <sip:209@removed.example.com>^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Call-ID: 579639055@10.6.118.22^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] CSeq: 1 REGISTER^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Contact: <sip:209@10.6.118.22:5072>^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Max-Forwards: 70^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] User-Agent: Yealink SIP-T22P 7.72.0.25^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Expires: 3600^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Allow-Events: talk,hold,conference,refer,check-sync^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Content-Length: 0^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] ^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000]
> Apr 24 17:44:12 SIP [450]: SDL <5+notice> [000] send request retransmission (id=1)^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Received message:
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000]
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] SIP/2.0 401 Unauthorized^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Via: SIP/2.0/UDP 10.6.118.22:5072;branch=z9hG4bK1557744813;received=222.333.444.555;rport=5072^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] To: "209"<sip:209@removed.example.com>;tag=fdfa5237^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] From: "209"<sip:209@removed.example.com>;tag=1736150681^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Call-ID: 579639055@10.6.118.22^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] CSeq: 1 REGISTER^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] WWW-Authenticate: Digest realm="example",algorithm=MD5,nonce="53594d543bc71f60f7d560d4b656e40f3176ab17",qop="auth",opaque="",stale=false^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] Content-Length: 0^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000] ^M
> Apr 24 17:44:12 SIP [450]: SDL <6+info > [000]
> Apr 24 17:44:12 SIP [450]: SUA <6+info > [000] SIPTrustCtrl IS Enable
> Apr 24 17:44:12 SIP [450]: SUA <3+error > [000] IP:[111.222.333.444] is NO found in the dns cache,discard this message!

The phone knows the IP address of the server, sends out the registration message, but after a little bit later the same IP address is not trusted already.
"IP:[111.222.333.444] is NO found in the dns cache,discard this message".
The registration is based on SRV records, the SRV contains 2 IP addresses with priority. In the logs I see only one IP address (the one with highest priority) if it counts.
Any advice?

The newer firmware has an option in the General Settings called "Allow IP Call". Have you tried setting this to "Disabled"?