I seem to be getting a lot of random SIP calls from asterisk@(different IP addresses)
I can't call them back. They stay connected until I notice and hang up. It is annoying when they call during a session.
The SIP spam call is a known issue that happens to all brands of video conference endpoints. It is caused by bots (http://en.wikipedia.org/wiki/Internet_bot) that keep calling devices on the public internet using the SIP protocol. Please refer to http://www.lifesize.com/en/support/software-download
Mitigating H.323/SIP Attacks (November 2014)
There are reports of automated bots making H.323/SIP attacks on video systems, from all manufacturers, across the Internet. The observed behavior is a rapid succession of calls received to the video system. To protect your video systems from these attacks we recommend that they be deployed on a private IP and registered to either Lifesize Cloud or Lifesize UVC ClearSea. Video systems that are deployed in this fashion have not been affected by these attacks.
At this point, none of the vendors has a complete fix for this. Blocking the list of IP addresses that send the spam calls is limited, as the spam can come from so many sources out there on the internet. The best solution is to deploy the endpoints in the private LAN and hide your endpoints behind a ClearSea server. When done this way, there is no spam call attack seen.
But if you must have a public IP, then the minimum is:
- change all passwords (admin, support, ssh...)
- disable SSH
- disable SIP if you can, more difficult for H323 (but does happen as with recent "cisco" h.323 spam call)
- disable auto-answer
- if your endpoint is configured to place audio calls (via PSTN, ISDN or IPBX), then make sure the prefix used to place such calls is not obvious (ex. 00 or 9..). The attacking robots try many common prefixes to see if they can place a phone call to a premium rate number abroad.
- turn on Do-Not-Disturb if the end-point is not in use.
If it's just a few IP addresses (or within a range) that it's coming from, you could always block those IPs from accessing your codec's IP through your firewall. If they're addresses that you don't call or get calls from legitimately, that shouldn't have any impact on your system's connectivity and would stop the calls, obviously.
I too have been spammed in the past, and like Jon it seemed to last a day or two and then stopped.
I have made a protecting device that stops the spam.
As those scanners have a "fingerprint", you can stop the call setup on ports 1720 and 5060.
What I did is make a bridged firewall device that has some rules that successfully stop those scanners.
Because it's a bridge, no configuration is needed. Only put the box in front of your device and apply power.
I have tested the boxes for some months now and already some customers are equipped with the devices,
some even in front of their MCU.
Find info here: XperTeam B.V. - Jan 2015 - Bridged Scanner Filter
Would you care to share detailed information about how you built the fingerprint?
H323 scanners use a tool called ooH323, and it is precompiled. In the call setup there is a field in the protocol called Vendor:
their tool uses "ooH323", see below.
If you look in the packets
So during call setup on TCP port 1720 from any address, scan the payload for "ooh323" and/or even their Manufacturer id: 0xb8000027
If you have a match, drop the packet or reset the connection.
Let me know if you can do it.
Sorry, this is H323 info.
But it is almost the same for the SIP stuff.
There they use SIPCLI tools,
and during call setup scan the packet for "sipcli/v"
0000 55 73 65 72 2d 41 67 65 6e 74 3a 20 73 69 70 63 User-Agent: sipc
0010 6c 69 2f 76 32 2e 35 0d 0a li/v2.5..
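The matching described in the posts above, written out as a payload classifier. This is an added example, not code from the thread or from the XperTeam device; the function names and sample messages are constructed, and it assumes the manufacturer id appears on the wire as the four bytes b8 00 00 27 and checks the SIP User-Agent header rather than the whole packet.

```python
import re

# Fingerprints quoted in the thread above.
H323_PRODUCT = b"ooh323"                       # matched case-insensitively
H323_MANUFACTURER = bytes.fromhex("b8000027")  # assumption: id appears as these 4 bytes, in this order
SIP_AGENT = re.compile(rb"sipcli/v", re.IGNORECASE)

def sip_user_agent(payload):
    """Return the User-Agent value of a SIP message, or None if absent."""
    head = payload.split(b"\r\n\r\n", 1)[0]      # header section only, not the body
    head = re.sub(rb"\r\n[ \t]+", b" ", head)    # unfold continuation lines
    for line in head.split(b"\r\n")[1:]:         # skip the request/status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip()
    return None

def classify(dst_port, payload):
    """Return 'drop' for a call setup matching the thread's fingerprints, else 'pass'."""
    if dst_port == 1720:                         # H.323 call signalling
        if H323_PRODUCT in payload.lower() or H323_MANUFACTURER in payload:
            return "drop"
    elif dst_port == 5060:                       # SIP
        agent = sip_user_agent(payload)
        if agent is not None and SIP_AGENT.match(agent):
            return "drop"
    return "pass"

# Constructed samples (not captures). 192.0.2.10 is a documentation address.
SIP_SCAN = (b"INVITE sip:100@192.0.2.10 SIP/2.0\r\n"
            b"User-Agent: sipcli/v2.5\r\n\r\n")
SIP_OK = (b"INVITE sip:100@192.0.2.10 SIP/2.0\r\n"
          b"Subject: blocked sipcli/v2.5 yesterday\r\n"
          b"User-Agent: ExampleRoom/1.0\r\n\r\n")
# Filler bytes around the vendor string; this is not a decoded H.225 PDU.
H323_SCAN = b"\x03\x00\x00\x14" + b"\x00" * 4 + b"ooH323" + b"\x00" * 6

if __name__ == "__main__":
    for port, data in [(5060, SIP_SCAN), (5060, SIP_OK), (1720, H323_SCAN)]:
        print(port, classify(port, data))
```

The check works on one payload at a time, so a string split across two TCP segments is not matched, and a scanner that changes its User-Agent or vendor string passes.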