Geekzone: technology news, blogs, forums
grudge
#1079113 3-Jul-2014 09:01

Can you install iftop on the box? It may help you see what is generating the traffic.


http://www.ex-parrot.com/pdw/iftop/

gchiu
#1079123 3-Jul-2014 09:07

I can try.

I had 17Mb of traffic on my fusion account overnight even though I have disabled the truenet probe (no checking), so I have no idea of what is consuming traffic.

But it has changed.  Before it was upload = 1/2 the downloads, and today, upload = 10x downloads.


sbiddle
#1079129 3-Jul-2014 09:13

What other ports are open? 10x sounds like a DNS or NTP amplification attack.





gchiu
#1079199 3-Jul-2014 10:20

I ran iftop and got the above ... that 62.210.187.134 is in my iptables as being blocked so not sure why it is still showing traffic.

I don't recall having opened any other ports apart from 5060, but I could try an external port probe to see what's open.



grudge
#1079201 3-Jul-2014 10:25

Now try a tcpdump for that host only and see if you can decipher what the traffic is:

tcpdump -i eth0 -nnnvvvSs 0 host 62.210.187.134

gchiu
#1079208 3-Jul-2014 10:34

Will try that now.

It has been suggested to me that part of my outgoing traffic use is repeated playing of the 'ss-noservice.gsm' message to anonymous SIP calls.

grudge
#1079214 3-Jul-2014 10:42

Does that mean that you are playing an IVR? That would actually explain the upload data only.

EDIT: Yeah, I found that file online and listened to it. It's an IVR saying "the number you had dialed is not in service, please check the number and try again".
If possible, I'd rather change that behavior to sending your SIP gateway a SIP message like "404 Not Found" instead and let them play the IVR to the far end instead.



gchiu
#1079231 3-Jul-2014 10:48

10:34:54.808523 IP (tos 0x60, ttl 64, id 20697, offset 0, flags [none], proto UDP (17), length 849)
192.168.1.180.5060 > 62.210.187.134.5080: [bad udp cksum 353!] SIP, length: 821
SIP/2.0 200 OK
Via: SIP/2.0/UDP 62.210.187.134:5080;branch=z9hG4bK-f5aed191fbc505051c48f6f184923a21;received=62.210.187.134;rport=5080
From: 10001<sip:10001@58.28.152.22>;tag=25a31a60
To: 9060972595561294<sip:9060972595561294@58.28.152.22>;tag=as1a8156c8
Call-ID: f5aed191fbc505051c48f6f184923a21
CSeq: 1 INVITE
Server: FPBX-2.9.0(1.8.8.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Contact: <sip:9060972595561294@58.28.152.22:5060>
Content-Type: application/sdp
Content-Length: 258

v=0
o=root 214277164 214277164 IN IP4 58.28.152.22
s=Asterisk PBX 1.8.8.0
c=IN IP4 58.28.152.22
t=0 0
m=audio 11404 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv

That's a sample of what I get from tcpdump.

gchiu
#1079235 3-Jul-2014 10:52

From: 10001<sip:10001@58.28.152.22>;tag=25a31a60
To: 9060972595561294<sip:9060972595561294@58.28.152.22>;tag=as1a8156c8

So, I don't understand why I see a WXC IP in this anonymous SIP call from France or wherever?
Or am I reading this all wrong?



grudge
#1079237 3-Jul-2014 10:56

That is your external IP. These calls are not being handled by the WXC SIP gateway (pan.wxnz.net) and are being placed directly to your Asterisk box, which is playing back the .gsm audio file.

So I would go back to step 1: try and block access to your PBX from all IP addresses other than the SIP gateway so that they cannot place these calls directly to your PBX.

gchiu
#1079238 3-Jul-2014 10:57

Here's the first message from tcpdump:

10:38:59.926315 IP (tos 0x0, ttl 111, id 29952, offset 0, flags [none], proto UDP (17), length 795)
62.210.187.134.5070 > 192.168.1.180.5060: [udp sum ok] SIP, length: 767
INVITE sip:90060972595561294@58.28.152.22 SIP/2.0
To: 90060972595561294<sip:90060972595561294@58.28.152.22>
From: 10001<sip:10001@58.28.152.22>;tag=57da019d
Via: SIP/2.0/UDP 62.210.187.134:5070;branch=z9hG4bK-69ca466cab181a1529d61d41f5ac747f;rport
Call-ID: 69ca466cab181a1529d61d41f5ac747f
CSeq: 1 INVITE
Contact: <sip:10001@62.210.187.134:5070>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 284

v=0
o=sipcli-Session 1617787993 291094220 IN IP4 62.210.187.134
s=sipcli
c=IN IP4 62.210.187.134
t=0 0
m=audio 5072 RTP/AVP 18 0 8 101
a=fmtp:101 0-15
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv
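grudge's diagnosis above is that these INVITEs are reaching the PBX directly rather than through the provider's gateway, and the capture shows the tell-tale signs: an outside source address, a User-Agent of sipcli, and a From header that claims extension 10001 at the PBX's own public address. The script below, added here as an example and not code from any poster in this thread, parses SIP messages in the form tcpdump printed them and reports those signs for each INVITE. The gateway address 203.0.113.10 and the "gateway" INVITE are constructed placeholders (the real gateway would be whatever pan.wxnz.net resolves to); the scanner INVITE is built from the headers quoted above with its SDP body trimmed.

```python
import ipaddress
import re

# Assumptions, not stated in the thread: 203.0.113.10 is a constructed
# placeholder for the provider's SIP gateway, and 58.28.152.22 is the PBX's
# public address, as grudge identified above.
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.10/32")]
OUR_PUBLIC_IP = "58.28.152.22"

# User-Agent strings of bulk SIP diallers and scanners; sipcli is the one in
# the capture above, the other two are widely seen scanner signatures.
SCANNER_AGENTS = ("sipcli", "sipvicious", "friendly-scanner")


def parse_sip(raw):
    """Split a SIP message into (start line, {header name lowercased: value}).
    The SDP body after the blank line is ignored; folded headers are not handled."""
    head = raw.replace("\r\n", "\n").strip().split("\n\n", 1)[0]
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _uri_host(field):
    """Host part of the first sip: URI in a header value, without the port."""
    m = re.search(r"sip:[^@>\s]*@([A-Za-z0-9.\-]+)", field)
    return m.group(1) if m else ""


def classify_invite(src_ip, raw):
    """Return the reasons an INVITE looks like a direct, unsolicited call.
    An empty list means it came from the gateway with no red flags."""
    start, h = parse_sip(raw)
    if not start.startswith("INVITE "):
        return []  # responses and other methods are not what we are hunting
    reasons = []
    trusted = any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_SOURCES)
    if not trusted:
        reasons.append(f"source {src_ip} is not the SIP gateway")
    ua = h.get("user-agent", "")
    if any(tag in ua.lower() for tag in SCANNER_AGENTS):
        reasons.append(f"User-Agent {ua!r} is a bulk dialler")
    # The capture's From: claims extension 10001 at the PBX's own public
    # address although the packet came from elsewhere: a forged local caller.
    if _uri_host(h.get("from", "")) == OUR_PUBLIC_IP and not trusted:
        reasons.append("From claims our own address but source is external")
    return reasons


def report(packets):
    """packets: iterable of (source IP, raw SIP text). Returns {source: [reasons]}
    for every source that produced at least one flagged INVITE."""
    flagged = {}
    for src, raw in packets:
        reasons = classify_invite(src, raw)
        if reasons:
            flagged.setdefault(src, []).extend(reasons)
    return flagged


# Constructed from the INVITE quoted in the thread (SDP body trimmed).
SCANNER_INVITE = """INVITE sip:90060972595561294@58.28.152.22 SIP/2.0
To: 90060972595561294<sip:90060972595561294@58.28.152.22>
From: 10001<sip:10001@58.28.152.22>;tag=57da019d
Via: SIP/2.0/UDP 62.210.187.134:5070;branch=z9hG4bK-69ca466cab181a1529d61d41f5ac747f;rport
Call-ID: 69ca466cab181a1529d61d41f5ac747f
CSeq: 1 INVITE
Contact: <sip:10001@62.210.187.134:5070>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 284

v=0
o=sipcli-Session 1617787993 291094220 IN IP4 62.210.187.134
"""

# Constructed: roughly what a call relayed by the provider gateway looks like.
GATEWAY_INVITE = """INVITE sip:6491234567@58.28.152.22 SIP/2.0
To: <sip:6491234567@58.28.152.22>
From: "Caller" <sip:6421000000@sip.example.net>;tag=abc123
Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKexample
Call-ID: example-call-id
CSeq: 1 INVITE
Contact: <sip:6421000000@203.0.113.10:5060>
User-Agent: Example-Gateway/1.0
Content-Length: 0
"""

if __name__ == "__main__":
    sample = [("62.210.187.134", SCANNER_INVITE), ("203.0.113.10", GATEWAY_INVITE)]
    for src, reasons in report(sample).items():
        print(src)
        for r in reasons:
            print("  -", r)
```

Feeding it real traffic means splitting a tcpdump text capture (or, more robustly, a pcap read with a library) into one message per packet and pairing each with its source address; the classification itself stays the same.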

gchiu
#1079241 3-Jul-2014 11:01

Ok, so I need to prevent this traffic at the ADSL modem/router level so it doesn't reach the Asterisk box.

Blocking the address at iptables for whatever reason is not working.


gchiu
#1079261 3-Jul-2014 11:26

Do NZ ISPs block traffic from malicious addresses as they used to do in the past?

http://www.blocklist.de/en/view.html?ip=62.210.187.134

grudge
#1079304 3-Jul-2014 12:29

I don't think that's going to solve the issue; you'll have the same problem next time with another IP address.
Have a look at the webinar posted in this thread as it may give you some extra ideas :)

http://www.geekzone.co.nz/forums.asp?forumid=65&topicid=65912


Also, according to this page fail2ban isn't that reliable for Asterisk

http://forums.asterisk.org/viewtopic.php?p=159984

gchiu
#1079325 3-Jul-2014 13:20

I found this in my iptables

28 ACCEPT udp -- anywhere anywhere udp dpts:commplex-main:qcp

which I thought I removed last night, but it's back again. So, I've removed it again and saved iptables.
I've added explicit ACCEPTs for my VOIP providers, lan and vpn addresses.
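The rule that kept reappearing is a broad UDP ACCEPT, and earlier in the thread the per-address block "for whatever reason is not working". One common reason for that combination is rule order: netfilter takes the first matching terminating rule, so an ACCEPT whose port range covers 5060 placed ahead of the DROP wins and the DROP is never consulted. The model below, added here as an example and not code from the thread, walks an INPUT chain the same way and contrasts the leaky ordering with the explicit-allowlist shape described in the post above. The rule ordering, the numeric port range standing in for commplex-main:qcp, the LAN/VPN ranges and the gateway address 203.0.113.10 are all constructed assumptions; the thread does not say where the DROP actually sat.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    """One iptables rule, reduced to the fields that matter for this walk."""
    target: str                               # "ACCEPT" or "DROP"
    proto: str = "any"                        # "udp", "tcp" or "any"
    src: str = "0.0.0.0/0"                    # source network
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range

    def matches(self, pkt) -> bool:
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dports is not None and not (self.dports[0] <= pkt["dport"] <= self.dports[1]):
            return False
        return True


def verdict(chain, pkt, policy="DROP"):
    """Walk the chain as netfilter does: the first matching rule with a
    terminating target decides, otherwise the chain policy applies.
    Returns (1-based rule number or None, target)."""
    for number, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return number, rule.target
    return None, policy


# The scanner's INVITE from the thread, and a constructed call from the
# provider gateway (203.0.113.10 is a placeholder, not WXC's address).
SCANNER_PKT = {"src": "62.210.187.134", "proto": "udp", "dport": 5060}
GATEWAY_PKT = {"src": "203.0.113.10", "proto": "udp", "dport": 5060}

# Assumed ordering: a broad UDP port-range ACCEPT (like rule 28 in the thread;
# the numeric range is constructed so that it covers 5060) ahead of the
# per-address DROP. The DROP never fires because the ACCEPT matches first.
LEAKY_CHAIN = [
    Rule("ACCEPT", proto="udp", dports=(5000, 5062)),
    Rule("DROP", src="62.210.187.134/32"),
]

# The shape of the fix described in the thread: explicit ACCEPTs for LAN, VPN
# and the provider gateway, then everything else aimed at SIP is dropped
# (an INPUT policy of DROP would do the same job as the last rule).
TIGHT_CHAIN = [
    Rule("ACCEPT", src="192.168.1.0/24"),                                   # LAN (constructed)
    Rule("ACCEPT", src="10.8.0.0/24"),                                      # VPN (constructed)
    Rule("ACCEPT", proto="udp", src="203.0.113.10/32", dports=(5060, 5060)),  # gateway (placeholder)
    Rule("DROP", proto="udp", dports=(5060, 5061)),
]

if __name__ == "__main__":
    for name, chain in (("leaky", LEAKY_CHAIN), ("tight", TIGHT_CHAIN)):
        for label, pkt in (("scanner", SCANNER_PKT), ("gateway", GATEWAY_PKT)):
            print(f"{name:5s} chain, {label:7s} packet -> rule {verdict(chain, pkt)}")
```

On the real box, `iptables -L INPUT -n -v --line-numbers` shows the rules with numeric ports and their positions (so commplex-main:qcp appears as numbers), and `iptables -I INPUT 1 ...` inserts a rule at the top of the chain rather than appending it after an existing ACCEPT.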




