Geekzone: technology news, blogs, forums
  Reply # 1079113 3-Jul-2014 09:01

Can you install iftop on the box? It may help you see what is generating the traffic.


http://www.ex-parrot.com/pdw/iftop/



  Reply # 1079123 3-Jul-2014 09:07

I can try.

I had 17Mb of traffic on my Fusion account overnight even though I have disabled the TrueNet probe (no checking), so I have no idea what is consuming traffic.

But it has changed. Before it was upload = 1/2 the downloads, and today, upload = 10x downloads.




  Reply # 1079129 3-Jul-2014 09:13

What other ports are open? 10x sounds like a DNS or NTP amplification attack.





  Reply # 1079199 3-Jul-2014 10:20



I ran iftop and got the above ... that 62.210.187.134 is in my iptables as being blocked, so I'm not sure why it is still showing traffic.

I don't recall having opened any other ports apart from 5060, but I could try an external port probe to see what's open.



  Reply # 1079201 3-Jul-2014 10:25

Now try a tcpdump for that host only and see if you can decipher what the traffic is:

tcpdump -i eth0 -nnnvvvSs 0 host 62.210.187.134



  Reply # 1079208 3-Jul-2014 10:34

Will try that now.

It has been suggested to me that part of my outgoing traffic use is repeated playing of the 'ss-noservice.gsm' message to anonymous SIP calls.

  Reply # 1079214 3-Jul-2014 10:42

Does that mean that you are playing an IVR? That would actually explain the upload data only.

EDIT: Yeah, I found that file online and listened to it. It's an IVR saying "the number you had dialed is not in service, please check the number and try again".
If possible, I'd rather change that behavior to sending your SIP gateway a SIP message like "404 Not Found" instead and let them play the IVR to the far end.



  Reply # 1079231 3-Jul-2014 10:48

10:34:54.808523 IP (tos 0x60, ttl 64, id 20697, offset 0, flags [none], proto UDP (17), length 849)
192.168.1.180.5060 > 62.210.187.134.5080: [bad udp cksum 353!] SIP, length: 821
SIP/2.0 200 OK
Via: SIP/2.0/UDP 62.210.187.134:5080;branch=z9hG4bK-f5aed191fbc505051c48
f6f184923a21;received=62.210.187.134;rport=5080
From: 10001<sip:10001@58.28.152.22>;tag=25a31a60
To: 9060972595561294<sip:9060972595561294@58.28.152.22>;tag=as1a8156c8
Call-ID: f5aed191fbc505051c48f6f184923a21
CSeq: 1 INVITE
Server: FPBX-2.9.0(1.8.8.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Contact: <sip:9060972595561294@58.28.152.22:5060>
Content-Type: application/sdp
Content-Length: 258

v=0
o=root 214277164 214277164 IN IP4 58.28.152.22
s=Asterisk PBX 1.8.8.0
c=IN IP4 58.28.152.22
t=0 0
m=audio 11404 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv

That's a sample of what I get from tcpdump.



  Reply # 1079235 3-Jul-2014 10:52

From: 10001<sip:10001@58.28.152.22>;tag=25a31a60
To: 9060972595561294<sip:9060972595561294@58.28.152.22>;tag=as1a8156c8

So, I don't understand why I see a WXC IP in this anonymous SIP call from France or wherever?
Or am I reading this all wrong?



  Reply # 1079237 3-Jul-2014 10:56

That is your external IP. These calls are not being handled by the WXC SIP gateway (pan.wxnz.net) and are being placed directly to your Asterisk box, which is playing back the .gsm audio file.

So I would go back to step 1: try to block access to your PBX from all IP addresses other than the SIP gateway, so that they cannot place these calls directly to your PBX.
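Added example (not code from any poster in this thread): a small Python triage script that reads the tcpdump record quoted above, pulls out the source address, top Via, User-Agent and the From/Request-URI domains, and flags the INVITE as a direct call when the source is not one of the trusted gateway addresses. The gateway IP 203.0.113.10 is a placeholder (the thread names pan.wxnz.net but not its address). The second function estimates the outbound RTP cost of answering such a call with G.711 audio at the 20 ms ptime shown in both SDPs, which is why the box sends far more than it receives: the scanner sends almost nothing, but every answered INVITE streams the announcement back.

```python
import re

# Constructed sample: the tcpdump flow line followed by the SIP INVITE headers
# quoted earlier in the thread. Only the headers are needed for triage, so the
# SDP body is left out.
SAMPLE_CAPTURE = """\
62.210.187.134.5070 > 192.168.1.180.5060: [udp sum ok] SIP, length: 767
INVITE sip:90060972595561294@58.28.152.22 SIP/2.0
To: 90060972595561294<sip:90060972595561294@58.28.152.22>
From: 10001<sip:10001@58.28.152.22>;tag=57da019d
Via: SIP/2.0/UDP 62.210.187.134:5070;branch=z9hG4bK-69ca466cab181a1529d61d41f5ac747f;rport
Call-ID: 69ca466cab181a1529d61d41f5ac747f
CSeq: 1 INVITE
Contact: <sip:10001@62.210.187.134:5070>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 284
"""

# Placeholder for the SIP gateway's address: the thread names pan.wxnz.net
# but not its IP, so this value is made up for the example.
TRUSTED_GATEWAYS = {"203.0.113.10"}

FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
URI_HOST_RE = re.compile(r"sip:[^@>\s]*@([^>;\s:]+)")


def parse_capture(text):
    """Split one tcpdump record (flow line + SIP message) into addresses, request line and headers."""
    lines = text.splitlines()
    flow = FLOW_RE.search(lines[0])
    if not flow:
        raise ValueError("first line is not a tcpdump UDP flow line")
    headers = {}
    for line in lines[2:]:
        if not line.strip():
            break  # a blank line ends the SIP header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "src_ip": flow.group(1), "src_port": int(flow.group(2)),
        "dst_ip": flow.group(3), "dst_port": int(flow.group(4)),
        "request_line": lines[1], "headers": headers,
    }


def triage_invite(text, trusted_gateways):
    """Decide whether an INVITE arrived via a trusted gateway; list the reasons if not."""
    pkt = parse_capture(text)
    h = pkt["headers"]
    reasons = []
    if not pkt["request_line"].startswith("INVITE "):
        return {**pkt, "is_invite": False, "direct_call": False, "reasons": reasons}
    if pkt["src_ip"] not in trusted_gateways:
        reasons.append(f"source {pkt['src_ip']} is not a trusted gateway")
    via_parts = h.get("via", "").split()
    # Via: SIP/2.0/UDP host:port;branch=...  ->  host
    via_host = via_parts[1].split(";")[0].rsplit(":", 1)[0] if len(via_parts) > 1 else ""
    if via_host and via_host not in trusted_gateways:
        reasons.append(f"top Via {via_host} is not a trusted gateway")
    req_host = URI_HOST_RE.search(pkt["request_line"])
    from_host = URI_HOST_RE.search(h.get("from", ""))
    if req_host and from_host and req_host.group(1) == from_host.group(1):
        # The caller claims an identity at the called domain, i.e. our own address.
        reasons.append(f"From claims an identity at our own domain {from_host.group(1)}")
    return {
        **pkt, "is_invite": True,
        "user_agent": h.get("user-agent", ""),
        "direct_call": pkt["src_ip"] not in trusted_gateways,
        "reasons": reasons,
    }


def rtp_egress_bytes(seconds, ptime_ms=20, sample_rate=8000, bytes_per_sample=1):
    """Bytes put on the wire (IPv4 + UDP + RTP headers plus payload, no link layer)
    to play `seconds` of G.711 audio at the given packetisation time."""
    packets = seconds * 1000 / ptime_ms
    payload = sample_rate * ptime_ms / 1000 * bytes_per_sample
    return int(packets * (payload + 20 + 8 + 12))


if __name__ == "__main__":
    verdict = triage_invite(SAMPLE_CAPTURE, TRUSTED_GATEWAYS)
    print("direct call:", verdict["direct_call"], "user-agent:", verdict["user_agent"])
    for reason in verdict["reasons"]:
        print(" -", reason)
    # Assumed 10 s announcement: cost per answered anonymous INVITE
    print("egress per 10 s playback:", rtp_egress_bytes(10), "bytes")
```

Every unwanted call that is answered with the announcement costs about 100 kB of upload for ten seconds of audio, so a few hundred such INVITEs overnight is enough to explain the numbers in this thread; the check above is what you would run on new captures to confirm the traffic is still bypassing the gateway after the firewall is fixed.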



  Reply # 1079238 3-Jul-2014 10:57

Here's the first message from tcpdump:

10:38:59.926315 IP (tos 0x0, ttl 111, id 29952, offset 0, flags [none], proto UDP (17), length 795)
62.210.187.134.5070 > 192.168.1.180.5060: [udp sum ok] SIP, length: 767
INVITE sip:90060972595561294@58.28.152.22 SIP/2.0
To: 90060972595561294<sip:90060972595561294@58.28.152.22>
From: 10001<sip:10001@58.28.152.22>;tag=57da019d
Via: SIP/2.0/UDP 62.210.187.134:5070;branch=z9hG4bK-69ca466cab181a1529d61d41f5ac747f;rport
Call-ID: 69ca466cab181a1529d61d41f5ac747f
CSeq: 1 INVITE
Contact: <sip:10001@62.210.187.134:5070>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 284

v=0
o=sipcli-Session 1617787993 291094220 IN IP4 62.210.187.134
s=sipcli
c=IN IP4 62.210.187.134
t=0 0
m=audio 5072 RTP/AVP 18 0 8 101
a=fmtp:101 0-15
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv



  Reply # 1079241 3-Jul-2014 11:01

Ok, so I need to prevent this traffic at the ADSL modem/router level so it doesn't reach the Asterisk box.

Blocking the address at iptables for whatever reason is not working.




  Reply # 1079261 3-Jul-2014 11:26

Do NZ ISPs block traffic from malicious addresses as they used to do in the past?

http://www.blocklist.de/en/view.html?ip=62.210.187.134

  Reply # 1079304 3-Jul-2014 12:29

I don't think that's going to solve the issue; you'll have the same problem next time with another IP address.
Have a look at the webinar posted in this thread, as it may give you some extra ideas :)

http://www.geekzone.co.nz/forums.asp?forumid=65&topicid=65912


Also, according to this page, fail2ban isn't that reliable for Asterisk:

http://forums.asterisk.org/viewtopic.php?p=159984



  Reply # 1079325 3-Jul-2014 13:20

I found this in my iptables:

28 ACCEPT udp -- anywhere anywhere udp dpts:commplex-main:qcp

which I thought I removed last night, but it's back again. So, I've removed it again and saved iptables.
I've added explicit ACCEPTs for my VoIP providers, LAN and VPN addresses.
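Added example (not code from anyone in the thread): a Python check over the output of `iptables -L INPUT -n --line-numbers` that finds host-specific DROP rules which can never match because an earlier, broader ACCEPT on the same port already lets the packet through. iptables stops at the first matching rule, so a DROP appended with `-A` below a wide ACCEPT like rule 28 above does nothing; that is one plausible reason an address block "is not working". The listing is constructed (the gateway address 203.0.113.10 is a placeholder), and the checker only models the common match types: protocol, exact source or 0.0.0.0/0, dpt/dpts, and conntrack state.

```python
import re

# Constructed sample of `iptables -L INPUT -n --line-numbers` output (not the
# poster's real ruleset). Rule 2 is a wide UDP range that includes 5060, and
# the DROP for the scanning host was appended after it as rule 5.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:5000:5100
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    ACCEPT     udp  --  203.0.113.10         0.0.0.0/0            udp dpt:5060
5    DROP       all  --  62.210.187.134       0.0.0.0/0
"""

RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
PORT_RE = re.compile(r"dpts?:(\d+)(?::(\d+))?")


def parse_listing(text):
    """Turn the numbered rule lines into dicts; the Chain/num header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            num, target, prot, _opt, src, dst, extra = m.groups()
            rules.append({"num": int(num), "target": target, "prot": prot,
                          "src": src, "dst": dst, "extra": extra.strip()})
    return rules


def port_in_rule(extra, port):
    """True if the match text covers `port` (dpt:N or dpts:N:M); no port spec means every port."""
    m = PORT_RE.search(extra)
    if not m:
        return True
    lo = int(m.group(1))
    hi = int(m.group(2) or lo)
    return lo <= port <= hi


def rule_matches(rule, src_ip, proto, port):
    """Would this rule match a NEW packet from src_ip to proto/port?
    Only exact sources and 0.0.0.0/0 are modelled (no CIDR arithmetic)."""
    if rule["prot"] not in ("all", proto):
        return False
    if rule["src"] not in ("0.0.0.0/0", src_ip):
        return False
    # state/ctstate rules without NEW cannot match the first packet of a call
    if "state" in rule["extra"] and "NEW" not in rule["extra"]:
        return False
    return port_in_rule(rule["extra"], port)


def first_match(rules, src_ip, proto, port):
    """iptables semantics: the first matching rule decides; None means the chain policy applies."""
    for rule in rules:
        if rule_matches(rule, src_ip, proto, port):
            return rule
    return None


def shadowed_drops(rules, proto, port):
    """(drop_rule_num, accept_rule_num) pairs where an earlier ACCEPT swallows
    the traffic a host-specific DROP or REJECT was meant to stop."""
    found = []
    for i, rule in enumerate(rules):
        if rule["target"] not in ("DROP", "REJECT") or rule["src"] == "0.0.0.0/0":
            continue
        earlier = first_match(rules[:i], rule["src"], proto, port)
        if earlier is not None and earlier["target"] == "ACCEPT":
            found.append((rule["num"], earlier["num"]))
    return found


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    for drop_num, accept_num in shadowed_drops(rules, "udp", 5060):
        print(f"rule {drop_num} (DROP) is shadowed by rule {accept_num} (ACCEPT) for udp/5060")
```

Feed the real listing into parse_listing; if it reports a shadowed pair, either delete the broad ACCEPT or put the DROP above it with `iptables -I INPUT 1 ...` rather than `-A`. The more durable fix, as suggested upthread, is to ACCEPT udp/5060 only from the gateway, LAN and VPN addresses and DROP it from everyone else, which removes the dependency on blocking each scanner's address one at a time.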




