Own IPs blacklisted

[bs01]

We have noticed over the past few days that our IP (dynamic) is being blacklisted because of failed SIP registrations. I can't work out why this is happening, but it seems to be a problem with an expired IP still being stored somewhere.

 

The IP address 92.227.31.* has been blacklisted for 60 minutes because there were 4 unsuccessful authentication attempts (sip).
REGISTER sip:***.eu SIP/2.0
Via: SIP/2.0/UDP 78.51.207.*:64567;branch=z9hG4bKe3t97xvquk3criszb
Max-Forwards: 70
From: <sip:3431@***.eu>;tag=g9w.sbs
To: <sip:3431@***.eu>
Call-ID: 05ve9z3jk.wg.
CSeq: 35604 REGISTER
Contact: <sip:3431@78.51.207.*:64567;line=26375>
Allow: INVITE, CANCEL, BYE, ACK, REGISTER, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE, INFO, PRACK
Expires: 600
User-Agent: snom-m3-SIP/02.11 (MAC=0004132A****; HW=1)
Content-Length: 0

 

The IP 78.51.207.* hadn't been assigned to the phone for about 18 hours. The current IP is 92.227.31.* and this is the one that is being blacklisted. Each time it seems to be adifferent extension.

 

Is this a phone problem or a PBX problem? I don't want to disable blacklisting, but we can't have our phones deregistering every day because of this. I have tried to find the cause of the problem but nowhere is there any record of the old IP not expiring.

 

Is there any way to whitelist phones apart from with the IP, which we can't because they are dynamic?

[Vodia PBX]

Apart from scanners in the internet, even valid devices with wrong passwords can be a problem as some of them retry to register without thinking, which becomes a DoS. Maybe that is the case with this m3.

 

Other problem cases are when a snom phone with an extension board uses a SIP subscription ("dialog" state) for each button, which also looks like DoS for the PBX (workaround: use the button assignment on the PBX).

 

The whitelisting works only on the IP address. This can be a problem especially when there are multiple devices behind a NAT router and one of them has the wrong password, which can blacklist all devices behind that NAT.

[pbx support]

Other option is to increase the "Number of tolerated attempts" to 10 or 20 or so. This should take care of most of the problem. But at the same time, "unwanted" devices (scanners) will be blacklisted slowly.

[bs01]

Thanks for the suggestions. The extensions on the m3s all have the correct passwords as they are usually registered on the pbx and work without problem. The blacklisting also only occurs at irregular intervals and up until now each time it was a different extension causing it each time.

 

I will try increasing the number of tolerated attempts and see if that solves it. I still think something strange is going on with the IPs though. The second IP should not be in the log at all as it is no longer attached to the phone. Any ideas where that might be coming from? Or is this not relevant?