
System Under Attack

Bill H


I have an older PBXNSIP CS-410 Version 3 system where someone, or more likely something (scanner), is trying to make calls to foreign countries.

Since the customer does not make international calls I have blocked the International Calling Code of 011 and the telco service provider has also blocked it.

That stopped that portion of the trouble.

A SIP Trace shows that the calls were from an Unregistered Extension.

What happens now is that these Unregistered Extension calls go to the first extension (Ext 221) in the CS-410 and end up in that person's mailbox as dead air.

I did catch the IP Address of the scanner once and placed it in the Access Blocked Table, but it seems they change their IP Address to get around the blocking.

I looked for a feature within the CS-410 to block Unregistered Extensions from making calls, but did not see anything that looked like it would do the job.

My next and maybe last option is to block Access to everything except certain IP Addresses in the Access area.

Does anyone have any additional ideas?



Well, version 3 did not have any protection against this. At those times, scanners were not very common yet. You can use the Linux iptables to block certain IP addresses; however, this is tedious labor as those scanners keep on changing their IP addresses. But what you can do on version 3 is make sure that your passwords are reasonably secure and your trunks have the outbound proxy set. Then someone might be able to try out a lot of passwords and extension numbers, but will not succeed in getting anything out of the system and will eventually move on.


Thank you for your response.


The scanner is not trying to Register at all, they are just sending a fake Invite to the CS-410.


Why would this type of call ring the first extension in the CS-410?


Also, the scanner is using a 46.4.100.xxx IP Address.


Can I use with to block all packets from the entire range?


Thanks again


This attack may occur if you don't specify an outbound proxy on your trunk. The PBX may think that the call comes from a trunk if you don't tell the PBX where the traffic will go to (and come from).


As far as I remember version 3 did not have IP blocking? Anyway, it would not hurt to block the IP as far as I can tell. I would use with a netmask of instead.

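Added example, not part of any post in this thread: a small Python check that scans a SIP trace for INVITEs arriving from sources other than the trunk's outbound proxy or the LAN, then groups the offending addresses by /24 to show when a rotating scanner stays inside one range. The trace line format, the trusted networks and all addresses and numbers are constructed for illustration.

```python
import ipaddress
import re

# Assumption: the only legitimate INVITE sources are the trunk's outbound
# proxy and the office LAN. Both values are constructed placeholders.
TRUSTED = [ipaddress.ip_network("192.0.2.10/32"), ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample in a hypothetical "<source ip> <SIP request line>" format.
SAMPLE_TRACE = """\
192.0.2.10 INVITE sip:221@pbx.example.com SIP/2.0
203.0.113.17 INVITE sip:01144123456789@pbx.example.com SIP/2.0
203.0.113.90 INVITE sip:01148223456789@pbx.example.com SIP/2.0
10.0.0.23 REGISTER sip:pbx.example.com SIP/2.0
203.0.113.201 INVITE sip:900441234567@pbx.example.com SIP/2.0
198.51.100.5 OPTIONS sip:100@pbx.example.com SIP/2.0
"""

LINE_RE = re.compile(r"^(\S+)\s+INVITE\s+sip:([^@\s]+)@")

def untrusted_invites(trace, trusted=TRUSTED):
    """Return (source_ip, dialed_user) for INVITEs from outside the trusted networks."""
    hits = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an INVITE, or not in the assumed line format
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed source address, skip the line
        if not any(src in net for net in trusted):
            hits.append((src, m.group(2)))
    return hits

def candidate_ranges(hits, prefix=24, min_sources=2):
    """Group offending sources by /prefix; keep networks seen from several distinct IPs."""
    per_net = {}
    for src, _ in hits:
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        per_net.setdefault(net, set()).add(src)
    return sorted((n for n, ips in per_net.items() if len(ips) >= min_sources), key=str)

if __name__ == "__main__":
    found = untrusted_invites(SAMPLE_TRACE)
    for src, user in found:
        print(f"untrusted INVITE from {src} to {user}")
    for net in candidate_ranges(found):
        print(f"candidate block range: {net} (netmask {net.netmask})")
```

The ranges it reports are candidates for a range block or for an allow-list review; check who owns a range before blocking all of it.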
