Carlos Montemayor Posted May 27, 2015 Report Share Posted May 27, 2015 Hi, I know this is going to sound weird, but well, it is happening to us. A few days a go, a couple of Yealink phones started to behave strangely. They started to ring, as if there was an incoming call from another extension, and since such extensions do not exist in the domain, they should not happen at all. The calls are not recorded in the call log and they do not show up in the active calls window. If you answer them, there is no audio whatsoever. It is really a problem because during a single working they , there can be from 50 to 100 phantom calls during a single working day. I believe this has nothing to do with the pbx, although the caller ID of the calls appear to be the same as existing extensions in other domains (could be just a coincidence). One of the phones, a T20, stop this weird behavior by stepping it down a couple of firmware versions. The other, a T22, I have yet to find a cure. Has this happen to somebody else? Regards Quote Link to comment Share on other sites More sharing options...
Vodia PBX Posted May 27, 2015 Report Share Posted May 27, 2015 These days it is easy to get paranoid. Are they somehow accessible from the public Internet? Maybe there is a scanner that is causing those calls. We got bashed in the old days for dropping packets not coming from the registrar as it is not RFC compliant; but now in the world we are living in such RFC compliance can hit you hard. I don't think this is a software bug on the phones per se. There must be some traffic hitting the phone. Maybe there is a way to find out with PCAP and port mirroring on the switch they are connected to. If there are so many calls per day it should be easy to find out where it comes from (unless they also spoof the source IP, which is easy on UDP). At least we can see if the packet comes from the PBX. Quote Link to comment Share on other sites More sharing options...
John Posted May 27, 2015 Report Share Posted May 27, 2015 Yep, these aren't calls. Someone is scanning you using sip vicious. This is how I got rid of these calls for good: 1. Update the Firmware, 2. Go to Features --> General Information and set Allow IP Call to Disabled, 3. Use the Yealink Configuration Generator Tool and find the option account.1.sip_trust_ctrl. Select it, Set value to 1, save the configuration file and import it to the phone. If you have more accounts on the phone, you need to do this for all the accounts. Hope it helps. Quote Link to comment Share on other sites More sharing options...
Vodia PBX Posted May 27, 2015 Report Share Posted May 27, 2015 This is how I got rid of these calls for good: 1. Update the Firmware, 2. Go to Features --> General Information and set Allow IP Call to Disabled, 3. Use the Yealink Configuration Generator Tool and find the option account.1.sip_trust_ctrl. Select it, Set value to 1, save the configuration file and import it to the phone. If you have more accounts on the phone, you need to do this for all the accounts. Is that something that we should include in the yealink provisioning template? Quote Link to comment Share on other sites More sharing options...
Carlos Montemayor Posted May 27, 2015 Author Report Share Posted May 27, 2015 Hi, Updating the firmware had already decreased the problem to about 50% Disallowing IP Calls seems to have reduced the problem to zero. (Although it may be too soon to evaluate) I found the Yealink Configuration Tool and also the option account.1.sip_trust_ctr. However, the options are only "disable" and "enable" and therefore cannot set it to "1" (no such option) Now that I understand that I had a couple of sites under attack, I increased the level of security of the firewall on the sites routers. Thanks for the good advice. Besides the risk, receiving about a hundred phantom calls is a big nuisance. One of the phones (the T20) was in a demo with a potential customer, I figure that I would not be able to close the sale with that behavior Can you elaborate on the option account.1.sip_trust_ctrl ? That was the only piece of advice that I could not implant. Regards and thanks again Quote Link to comment Share on other sites More sharing options...
John Posted May 28, 2015 Report Share Posted May 28, 2015 Hello, My mistake. By 1 I meant Enabled (after enabling it and clicking Add you will see why I got confused). Is that something that we should include in the yealink provisioning template? From a security perspective sounds right (and not just for Yealink phones. For instance, I have seen Polycom phones with the same issues). But further and more thorough testing is required. I mainly have experience with T2X series and I am not sure if these settings are available in all Yealink phone models. Also note that account.1.sip_trust_ctr wasn't available in previous firmware versions (If I remember correctly it was introduced in version X.72.0.30). By the way: Yealink T20(P) is EoL and according to our suppliers Yealink T22P(P) as well (although still listed as a current model in Yealink's web site). Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.