
? PBX attack pass international calls


I'm receiving bizarre calls I believe are an
attempt to pass toll calls through my server.


Several inbound calls on my SIP trunk are
shown as from '100 (100)' in the call log.

And the 'to' field shows one of these:


00972597841671 (00972597841671)

0972597841671 (0972597841671)

9011441904898504 (9011441904898504)

011441904898504 (+441904898504)


From this format, it appears someone is trying
various formats to dial either Israel or the U.K.


There is no extension 100 registered, and because
these calls apparently ring local extensions, no
external call has actually completed. But because
the call log shows an invalid 'from' and a 'to' that
may be a valid international number, it appears
there is some external access to the server.


This really concerns me; what's going on here? Dave


Here is a segment of the SIP logfile:


SIP/2.0 200 OK

Via: SIP/2.0/UDP <server local IP address>:5060;branch=z9hG4bK-22c1c73a8c11f54f47aaffcf117679bc;rport=5060;received=
From: "100" <sip:100@pbx.company.com;user=phone>;tag=24006
To: "00972597841671" <sip:00972597841671@<public IP address>;user=phone>;tag=635631766
Call-ID: 7d6ccdf3@pbx
CSeq: 30725 BYE
Allow-Events: talk, hold, conference, LocalModeStatus
Server: Aastra 9480iCT/
Supported: path
Content-Length: 0


This is why you should set the outbound proxy of your trunk. The JavaScript warning is there for a reason. Unfortunately this is not mandatory, because the IETF did not envision that calls from anywhere in the Internet could be fraud calls. At least it seems that you have not routed the call to an outbound trunk, so that whoever did that could not get anything out of it. Anyway, use the outbound proxy or, even better, specify the IP addresses where the trunk expects traffic from.


Thanks for an incredibly quick reply!


My ITSP specifically recommends not to set an
outbound proxy; that's why I didn't set one. They
explained when I asked that it's about their
servers not being load-balanced for in/out calls.


Because I do have the ITSP SIP server specified,
I thought that would be the only inbound route,
but I'm apparently wrong. Where do I 'specify the
IP address where the trunk expects traffic from'? Dave


There is a setting called "Explicitly list addresses for inbound traffic" where you can list the IP addresses that are allowed. You can use the following commands to get an idea about the addresses (in Linux):

host -t NAPTR provider.com
host -t SRV _sips._tcp.provider.com
host -t SRV _sip._tls.provider.com
host -t SRV _sip._tcp.provider.com
host -t SRV _sip._udp.provider.com
host -t AAAA provider.com
host -t A provider.com
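
Added example, not part of the original thread or the PBX's own code: a Python check that flags the pattern described in the first post (one caller cycling dial prefixes on the same destination) together with the source-address allowlist idea from the last reply. The source IPs, the allowlist range and the record layout are assumptions constructed for the example; only the dialed numbers and the caller "100" come from the thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data. Source IPs are from the RFC 5737 documentation
# ranges; the 'from'/'to' values for caller 100 are the ones quoted in the thread.
TRUNK_ALLOWED = [ipaddress.ip_network("192.0.2.0/28")]  # assumed ITSP range
# Dial prefixes seen in the thread's 'to' values, longest match first.
DIAL_PREFIXES = ("9011", "011", "00", "0", "+")
CALLS = [  # (source IP, 'from' user, 'to' user)
    ("198.51.100.77", "100", "00972597841671"),
    ("198.51.100.77", "100", "0972597841671"),
    ("198.51.100.77", "100", "9011441904898504"),
    ("198.51.100.77", "100", "011441904898504"),
    ("192.0.2.5", "2125550100", "201"),  # ordinary inbound call from the ITSP
]


def strip_prefix(number):
    """Drop one leading dial prefix so variants of a number compare equal."""
    for prefix in DIAL_PREFIXES:
        if number.startswith(prefix):
            return number[len(prefix):]
    return number


def source_allowed(ip):
    """True if the packet source is inside the trunk's inbound allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUNK_ALLOWED)


def find_probes(calls):
    """Report callers outside the allowlist or cycling prefixes on one number."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, frm, to in calls:
        seen[(src, frm)][strip_prefix(to)].add(to)
    findings = []
    for (src, frm), dests in seen.items():
        reasons = []
        if not source_allowed(src):
            reasons.append("source not in trunk allowlist")
        probed = sorted(d for d, forms in dests.items() if len(forms) > 1)
        if probed:
            reasons.append("prefix variants of " + ", ".join(probed))
        if reasons:
            findings.append((src, frm, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_probes(CALLS):
        print(finding)
```

With the sample records, only the caller presenting itself as 100 is reported; the call arriving from inside the allowlisted range is not.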