Link to home
Create AccountLog in
Avatar of Silas2

asked on

SIP Phone strange incoming call problem

Can anyone explain this most strange phenomena:
I have a laptop behind a router which has no firewall enabled and a fixed IP address.  On the laptop I have a sip phone which is registered with a sip provider.
I suddenly got a load of incoming calls which seem to be coming straight through the fixed IP address and not from my sip provider.  They seem to be automated and to be some sort of attack.
I have two questions.  Firstly, when a sip phone is registered with a sip provider can it still be contacted directly through the network?
Second, if this was indeed some sort of attempt at an exploit, what could they possibly gain from it?
Avatar of ReneGe
Flag of Canada image

Hi there.

Q: Firstly, when a sip phone is registered with a sip provider can it still be contacted directly through the network?
A: Well if you have opened a port on your router so you SIP provider can reach you phone? Yes anyone can reach you phone.  You will need to setup a firewall rule.

Q: Second, if this was indeed some sort of attempt at an exploit, what could they possibly gain from it?
A: People have a lot of reasons to hack into others lives.  In this case, I ofen seen people trying to access SIP servers to get free calls.

Hoping that helps.

Avatar of José Méndez
José Méndez

ry digging through the SIP Phones log files. If it has, most likely you will see the source IP address of the calls to have a better idea what is happening. You will see something like

INVITE sip:bob@ SIP/2.0
To: Bob <>
From: Alice <>;tag=1928301774
Avatar of Silas2


I don't think there are any log files extant. I'll know for next time to get Wireshark on it, unless you can think sip logging happened somewhere???
Regards what they can get out of it, I'm just trying to devine what security breach would lure professional exploiters to bother. if its just kids playing it doesn't matter.
This is a bit of a DMZ so no-firewall is deliberate, and there's nothing on the network that matters, I'm just puzzling over why??? Are they lining up for a denial of service attack maybe?
Avatar of José Méndez
José Méndez

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
You could also change your SIP port (If you can).
What SIP phone are you using?
Avatar of Silas2


To be honest, I'm not particularly worried unless i knew there was a serious benefit a sip exploit (to the exploiter) might have.
To complicate things, I'm installing sip phones on remote clients, so its not this one instance.

Even if I changed the sip port, a port sniffer would find the new one pretty quick wouldn't it?
Yes to your last question.

If I were getting random incoming calls I would be worried. Period. I would want to know whats going on that network. However, this is my network admin way of thinking. If you are a user of that network curious about it and don't mind whats happening too much, then, you may want to drop it. Again, I would collect more info.
Avatar of Silas2


I know I keep going on about it, but if I knew what possible gain there could be it would give me some idea of what protective measures to take.
Avatar of Silas2


I was sitting next to my Asterisk box one time watching the CLI when a stream of SIP login attempts came in from the Philpines, my only guess was that they were trying to access a sip provider thru asterisk and make premium rate calls- which is more understandable. Unless by poking into a registered SIP UA they can somehow get to the sip provider but I can't see how?? Can you?
they try exploiting weakly configured pbxs. Its like a brute force routing attack. they try random call flows that people use to configure, for example they try registering as peer 1000 or 100 which is pretty common

From there, they try calls to patterns commonly used for outside LD, local, or International numbers.
Avatar of Silas2


Yes, quite, a PBX, i would have some understanding, but why a SIP UA, how could that be vunerable as well?
calls to your extension may be forwarded outside, gaining access to an outside call
Avatar of Silas2


I'm just trying to think how a call from the network into a SIP UA could find their way back to the SIP provider...