SIP attacks on SPA

Discussion in 'UK VOIP' started by Mark, Nov 9, 2010.

  1. Mark

    Mark Guest

    Anyone else had an increasing number of SIP attacks on their ATA?

    Symptom was a series of reboots of my SPA3102 typically between 9pm
    and 11pm (I heard the PSTN relay clicking unexpectedly).

    Delving into the logs there were brute force SIP attacks followed by
    soft reboots on "out of memory" errors. It turns out this was
    happening several times per day.

    Fixed by restricting allowed IP to my service provider domain which is
    a severe clamp-down but no real problem for my usage.
    Mark, Nov 9, 2010
    #1

  2. In article <>,
    Mark <> wrote:
    >Anyone else had an increasing number of SIP attacks on their ATA?
    >
    >Symptom was a series of reboots of my SPA3102 typically between 9pm
    >and 11pm (I heard the PSTN relay clicking unexpectedly).
    >
    >Delving into the logs there were brute force SIP attacks followed by
    >soft reboots on "out of memory" errors. It turns out this was
    >happening several times per day.
    >
    >Fixed by restricting allowed IP to my service provider domain which is
    >a severe clamp-down but no real problem for my usage.


    Criminals the world over are constantly trying to steal resources from
    VoIP systems. This is no surprise, and it would not surprise me if once
    they have access to your ATA, they can then extract the SIP account
    credentials and use it for their own uses.

    What I do find surprising is that your ATA is accessible from the
    public Internet - are you port-forwarding to it, or is it on a dedicated
    IP address?

    If you don't need to port-forward to it, then don't...

    Gordon
    Gordon Henderson, Nov 9, 2010
    #2

  3. Mark

    Mark Guest

    On Tue, 9 Nov 2010 08:17:51 +0000 (UTC), Gordon Henderson
    <> wrote:

    >In article <>,
    >Mark <> wrote:
    >>Anyone else had an increasing number of SIP attacks on their ATA?
    >>
    >>Symptom was a series of reboots of my SPA3102 typically between 9pm
    >>and 11pm (I heard the PSTN relay clicking unexpectedly).
    >>
    >>Delving into the logs there were brute force SIP attacks followed by
    >>soft reboots on "out of memory" errors. It turns out this was
    >>happening several times per day.
    >>
    >>Fixed by restricting allowed IP to my service provider domain which is
    >>a severe clamp-down but no real problem for my usage.

    >
    >Criminals the world over are constantly trying to steal resources from
    >VoIP systems. This is no surprise, and it would not surprise me if once
    >they have access to your ATA, they can then extract the SIP account
    >credentials and use it for their own uses.
    >
    >What I do find surprising is that your ATA is accessible from the
    >public Internet - are you port-forwarding to it, or is it on a dedicated
    >IP address?


    It's behind a home router with a private IP address :(

    >
    >If you don't need to port-forward to it, then don't...


    I don't...
    Mark, Nov 9, 2010
    #3
  4. Brian A

    Brian A Guest

    On Tue, 09 Nov 2010 08:25:03 +0000, Mark wrote:

    > On Tue, 9 Nov 2010 08:17:51 +0000 (UTC), Gordon Henderson
    > <> wrote:
    >
    >>In article <>, Mark
    >><> wrote:
    >>>Anyone else had an increasing number of SIP attacks on their ATA?
    >>>
    >>>Symptom was a series of reboots of my SPA3102 typically between 9pm
    >>>and 11pm (I heard the PSTN relay clicking unexpectedly).
    >>>
    >>>Delving into the logs there were brute force SIP attacks followed by
    >>>soft reboots on "out of memory" errors. It turns out this was
    >>>happening several times per day.
    >>>
    >>>Fixed by restricting allowed IP to my service provider domain which is
    >>>a severe clamp-down but no real problem for my usage.

    >>
    >>Criminals the world over are constantly trying to steal resources from
    >>VoIP systems. This is no surprise, and it would not surprise me if once
    >>they have access to your ATA, they can then extract the SIP account
    >>credentials and use it for their own uses.
    >>
    >>What I do find surprising is that your ATA is accessible from the public
    >>Internet - are you port-forwarding to it, or is it on a dedicated IP
    >>address?

    >
    > It's behind a home router with a private IP address :(
    >
    >
    >>If you don't need to port-forward to it, then don't...

    >
    > I don't...

    So, I'd be interested to know the mechanism of how this can be done when
    there is no port forwarding.

    Also, how do you restrict to just your ISP?
    Is this in your router or somewhere in the SPA?

    --
    Remove 'no_spam_' from email address.
    Running Linux Ubuntu 10.04 LTS (Long term Support). Very customisable,
    secure, not sluggish, and streets ahead of that other mainstream operating
    system. PAN newsreader has filters to get rid of spam.
    Brian A, Nov 9, 2010
    #4
  5. Koos van den Hout, Nov 9, 2010
    #5
  6. Mark

    Mark Guest

    On Tue, 09 Nov 2010 09:49:34 GMT, Brian A
    <> wrote:

    >On Tue, 09 Nov 2010 08:25:03 +0000, Mark wrote:
    >
    >> On Tue, 9 Nov 2010 08:17:51 +0000 (UTC), Gordon Henderson
    >> <> wrote:
    >>
    >>>In article <>, Mark
    >>><> wrote:
    >>>>Anyone else had an increasing number of SIP attacks on their ATA?
    >>>>
    >>>>Symptom was a series of reboots of my SPA3102 typically between 9pm
    >>>>and 11pm (I heard the PSTN relay clicking unexpectedly).
    >>>>
    >>>>Delving into the logs there were brute force SIP attacks followed by
    >>>>soft reboots on "out of memory" errors. It turns out this was
    >>>>happening several times per day.
    >>>>
    >>>>Fixed by restricting allowed IP to my service provider domain which is
    >>>>a severe clamp-down but no real problem for my usage.
    >>>
    >>>Criminals the world over are constantly trying to steal resources from
    >>>VoIP systems. This is no surprise, and it would not surprise me if once
    >>>they have access to your ATA, they can then extract the SIP account
    >>>credentials and use it for their own uses.
    >>>
    >>>What I do find surprising is that your ATA is accessible from the public
    >>>Internet - are you port-forwarding to it, or is it on a dedicated IP
    >>>address?

    >>
    >> It's behind a home router with a private IP address :(
    >>
    >>
    >>>If you don't need to port-forward to it, then don't...

    >>
    >> I don't...

    >So, I'd be interested to know the mechanism of how this can be done when
    >there is no port forwarding.


    Looking more deeply, the ALG (appl layer gateway) was enabled on the
    router - the router configuration was set with the SIP ALG enabled by
    default.

    I don't know if that was it, but it's now turned off. If I get time
    I'll check if that closes the hole in the firewall.

    >
    >Also, how do you restrict to just your ISP?
    >Is this in your router or somewhere in the SPA?


    SIP settings for "Line 1" and "User 1" and "PSTN Line" set to
    "Restrict Source IP" on ATA. See:

    http://forum.voxilla.com/cisco-link...m/restrict-source-ip-field-spa3000-16596.html

    (BTW, the link therein to the article by PhoneBoy is dead.)
    Mark, Nov 9, 2010
    #6
  7. Graham.

    Graham. Guest


    > Looking more deeply, the ALG (appl layer gateway) was enabled on the
    > router - the router configuration was set with the SIP ALG enabled by
    > default.

    is dead.)

    Would that be a Netgear router?
    My understanding is the Netgear implementation of SIP ALG is fundamentally flawed, and it's best left disabled.
    Whether hackers can exploit the flaw as such, I have no idea.
    --
    Graham.

    %Profound_observation%
    Graham., Nov 9, 2010
    #7
  8. Mark

    Mark Guest

    On Tue, 9 Nov 2010 21:31:42 -0000, "Graham." <> wrote:

    >
    >> Looking more deeply, the ALG (appl layer gateway) was enabled on the
    >> router - the router configuration was set with the SIP ALG enabled by
    >> default.

    >is dead.)
    >
    >Would that be a Netgear router?


    No, it's a D-Link DIR655

    [snip]
    Mark, Nov 9, 2010
    #8
  9. tg

    tg Guest

    I've been keeping tabs on my sip log too and I get loads of sniffing from
    sip vicious and also some arsehole called abdul and abdullah. Trying to stay
    one step ahead of these intruders is a chore.
    tg, Nov 14, 2010
    #9
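
The log review described in this thread (brute-force SIP attempts, SIPVicious scans, and a source-IP restriction to the provider) can be sketched as follows. This is an added example, not code from any poster; the log layout, the addresses and the provider range are constructed, and the SPA3102's real syslog format will differ.

```python
import ipaddress
import re
from collections import Counter

# Assumption: placeholder provider range (documentation address space).
PROVIDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample lines in a made-up layout, not real SPA3102 output.
SAMPLE_LOG = """\
Nov  9 21:02:11 sip rx 198.51.100.7:5071 REGISTER sip:100@192.168.0.10 ua="friendly-scanner"
Nov  9 21:02:12 sip rx 198.51.100.7:5071 REGISTER sip:101@192.168.0.10 ua="friendly-scanner"
Nov  9 21:02:12 sip rx 198.51.100.7:5071 REGISTER sip:102@192.168.0.10 ua="friendly-scanner"
Nov  9 21:02:13 sip rx 198.51.100.7:5071 REGISTER sip:103@192.168.0.10 ua="friendly-scanner"
Nov  9 21:05:40 sip rx 203.0.113.5:5060 OPTIONS sip:user@192.168.0.10 ua="provider-proxy"
Nov  9 21:09:02 sip rx 192.0.2.44:5060 OPTIONS sip:100@192.168.0.10 ua="friendly-scanner"
Nov  9 21:15:30 sip rx 203.0.113.5:5060 INVITE sip:user@192.168.0.10 ua="provider-proxy"
Nov  9 21:16:00 system: out of memory, soft reboot
"""

LINE_RE = re.compile(
    r'sip rx (?P<ip>[\d.]+):\d+ (?P<method>[A-Z]+) \S+ ua="(?P<ua>[^"]*)"'
)

def analyse(log, provider_nets=PROVIDER_NETS, threshold=3):
    """Summarise SIP requests that a provider-only source restriction would drop."""
    per_source = Counter()
    scanners = set()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a received-SIP line (e.g. the reboot message)
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in provider_nets):
            continue  # provider traffic: allowed by the restriction
        per_source[str(src)] += 1
        # "friendly-scanner" is the default User-Agent sent by SIPVicious.
        if "friendly-scanner" in m["ua"].lower():
            scanners.add(str(src))
    return {
        "outside_provider": dict(per_source),
        "brute_force": sorted(ip for ip, n in per_source.items() if n >= threshold),
        "scanner_ua": sorted(scanners),
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

Any source listed under `outside_provider` is traffic that should never have reached the ATA, so a non-empty result also indicates the router is passing unsolicited SIP through to the LAN.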