Author Topic: Phantom calls  (Read 406 times)

mbrenneman

  • Full Member
  • ***
  • Posts: 152
    • View Profile
    • Email
Phantom calls
« on: May 19, 2017, 10:01:59 AM »
Good afternoon, all.

New one, for me anyway.

This system has been installed for about 5 months.  Two locations, UCM is at primary location, four phones at secondary location connect by regular internet (not VPN.)  Last night one of the phones at the remote location began ringing randomly, caller ID says "Test" or "Trunk."  It's happening every couple of minutes. 

Here's what I did so far:

Rebooted the phone.
Rebooted the UCM
Turned "allow IP calls" off on the Yealink T26 phone

I'm working on a PCAP on the phone right now, will post when available.

Thanks in advance.

Mike

mbrenneman

  • Full Member
  • ***
  • Posts: 152
    • View Profile
    • Email
Re: Phantom calls
« Reply #1 on: May 19, 2017, 10:07:33 AM »
Here's the PCAP from the phone.

mbrenneman

  • Full Member
  • ***
  • Posts: 152
    • View Profile
    • Email
Re: Phantom calls
« Reply #2 on: May 19, 2017, 11:07:27 AM »
I found it.

Since I'm registering the remote phones via IP, the remote router is port forwarding 5061, 5062, etc. to unique phones.

Some bot found a response on port 5061 at the remote location's IP address.  The requests were rejected, but the bot kept sending requests, triggering the phone to ring.  So I blocked the offending IP address, but that's probably a short-term fix.

After hours I'm going to have to come up with a more comprehensive solution.

Mike

lpneblett

  • Beta Club Members
  • Hero Member
  • *
  • Posts: 1385
    • View Profile
    • N2 Tech
    • Email
Re: Phantom calls
« Reply #3 on: May 19, 2017, 11:58:19 AM »
Look in the phone interface, Most will have some type of setting by  which you can set the phone to reject INVITES unless from a known source. In the case of GS phones, it is usually labeled as "Only Accept SIP Requests from Known Servers :".

mbrenneman

  • Full Member
  • ***
  • Posts: 152
    • View Profile
    • Email
Re: Phantom calls
« Reply #4 on: May 19, 2017, 12:32:04 PM »
Thanks.  There is an "accept invites from trusted server only" setting, but it's unclear how to establish a list of trusted servers on the Yealink T26.

Further, the primary site where the UCM lives does not have a static IP. 

I think my best bet is going to be to write a series of rules allowing SIP traffic only from a range of known Comcast IP addresses here locally.

ayaggie

  • Full Member
  • ***
  • Posts: 114
    • View Profile
    • Email
Re: Phantom calls
« Reply #5 on: May 19, 2017, 08:49:22 PM »
Have you considered setting up a VPN tunnel?  You can pick up something as inexpensive as a Ubiquiti Edgerouter X for about 50$ each and create a VPN tunnel using IPSEC very easily.  The router's support FQDN as well, so there should be no problems not having a static IP.

I was working at setting up a remote phone from our offices in my home and was thinking of setting up how you describe and decided it just wasn't worth the risk given the ease and security of a VPN.

Good luck.

mbrenneman

  • Full Member
  • ***
  • Posts: 152
    • View Profile
    • Email
Re: Phantom calls
« Reply #6 on: May 20, 2017, 02:18:51 AM »
Great suggestion.  You are of course correct, that is "the right way" to do it.  It's a little outside of my experience, but I'm sure I could figure it out.  The fire is out for now, but when I get a little time to breathe I'm going to look into setting that up.

Mike

lpneblett

  • Beta Club Members
  • Hero Member
  • *
  • Posts: 1385
    • View Profile
    • N2 Tech
    • Email
Re: Phantom calls
« Reply #7 on: May 20, 2017, 04:55:24 AM »
The trusted source(s) are the SIP servers set up in the accounts. Sounds like Yealink. It works as well.


mbrenneman

  • Full Member
  • ***
  • Posts: 152
    • View Profile
    • Email
Re: Phantom calls
« Reply #8 on: May 20, 2017, 05:11:03 AM »
Right!  Makes total sense.

I'll try that.  Thank you so much!

Mike