This is incorrect, at least as far as invites are concerned and according to my current understanding.
I have pushed a config to a T46 with the Accept Sip Trust option set to 1, the phone will STILL accept bogus invites from an inviteflood tool (Tested using inviteflood tool in Kali Linux, FWIW)
The setting I have found that PREVENTS bogus SIP Invites from ringing the phone is "Allow Direct IP Call" found under General > Features - set it to disabled and then send an Invite to your phone and you will see this prevents this type of attack.
The issue at hand is not particularly the phone server being locked down (you still do want to lock down your phone server as much as possible), it's your edge device, your firewall running NAT which the phones are behind, which is intermittently allowing random SIP Invites through NAT due to NAT pinholing. This becomes a problem with remote phones across the internet if you have any phones in that scenario - you will find ghost calls sometimes will ring those phones due to the above mentioned issue.
I've got a separate thread about it - I've been looking at finding the specific .cfg entry myself in order to automate disabling Allow IP Call.
(02-23-2015 12:26 AM)saulgoodwin Wrote: Hi Paul,
When you say your colleague changed a setting on his phone which setting do you refer to ?
By setting Accept Sip Trust Server Only to Enable you do indeed lock your phone down to a specific IP. Once it is set to Enable phone will only only accept packets from IPs mentioned in Accounts tab.
»
Protection against SIP vicious on wp52 and above
