[Freeswitch-users] SIP invalid call attempts from unknown dialer

D M debianmailz at gmail.com
Mon Nov 21 14:00:30 MSK 2011 

Hello,
I have noticed quite a few different attempts on accessing my freeswitch 
machine via SIP that does not come from the company. I have attached 
part of a log with such an attempt.

My main concern is ensuring that similar attempts will not be able to 
make external calls. I realize that any number made available externally 
will also be accessable via this method so my secondary concern is 
throttling or preventing these type of attempts to avoid autodialer spam.

This log repeats with around 12 call attempts per second for almost a 
minute times with different attempts on seemingly random numbers. There 
has been multiple different attempts to spam random numbers via SIP but 
so far none has been successful. This log is the most relevant since it 
made a single login attempt on an nonexistent user after which it has 
either successfully spoofed the ip of the freeswitch machine or used an 
vulnerability in either my config or freeswitch.

My config is the default freeswitch+fusionpbx installation on Ubuntu 
10.04.3 LTS with instructions from here 
(http://wiki.fusionpbx.com/index.php?title=Easy_Ubuntu_10.04&oldid=1574).
With a few minor configuration changes:
* Registering is done via external domain pointing to the freeswitch 
machine, NOT using the default port 5060
* Port 5060 is generally used for traffic with SIP provider that 
connects us to phone network but the port not firewalled/restricted in 
any other way

This is an example log of a single login attempt and single call 
attempt, the following modifications have been made:
* Freeswitch public ip has been changed to xx.xx.xx.xx
* 2 regexps have been changed from public telephone number to 
/^publicnumber$/ and /^publicnumber2$/
* A large list of regexps have been replaced with <!-- Cut out 
additional regex checks-->

Please let me know if you need any more details or longer logs

Thanks,
Daniel

##### LOG BEGIN #####

2011-11-18 15:27:33.293146 [WARNING] sofia_reg.c:2283 Can't find user 
[1010 at xx.xx.xx.xx]
You must define a domain called 'xx.xx.xx.xx' in your directory and add 
a user with the id="1010" attribute
and you must configure your device to use the proper domain in it's 
authentication credentials.
2011-11-18 15:27:36.633145 [NOTICE] switch_channel.c:897 New Channel 
sofia/external/1010 at xx.xx.xx.xx:5060 [75cf1808-11f1-11e1-9c95-494fea388543]
2011-11-18 15:27:36.633145 [DEBUG] sofia.c:5084 Channel 
sofia/external/1010 at xx.xx.xx.xx:5060 entering state [received][100]
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325 
(sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_NEW
2011-11-18 15:27:36.633145 [DEBUG] sofia.c:5095 Remote SDP:
v=0^M
o=1010 13216264671138 13216264671138 IN IP4 192.168.1.3^M
s=VaxSoft^M
c=IN IP4 192.168.1.3^M
t=0 0^M
m=audio 7000 RTP/AVP 0 8 3 98 101^M
a=rtpmap:0 PCMU/8000^M
a=rtpmap:8 PCMA/8000^M
a=rtpmap:3 GSM/8000^M
a=rtpmap:98 iLBC/8000^M
a=rtpmap:101 telephone-event/8000^M
a=fmtp:101 0-16^M

2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:343 
(sofia/external/1010 at xx.xx.xx.xx:5060) State NEW
2011-11-18 15:27:36.633145 [DEBUG] sofia_glue.c:4711 Audio Codec Compare 
[PCMU:0:8000:20:64000]/[PCMA:8:8000:20:64000]
2011-11-18 15:27:36.633145 [DEBUG] sofia_glue.c:4711 Audio Codec Compare 
[PCMA:8:8000:20:64000]/[PCMA:8:8000:20:64000]
2011-11-18 15:27:36.633145 [DEBUG] sofia_glue.c:2819 Set Codec 
sofia/external/1010 at xx.xx.xx.xx:5060 PCMA/8000 20 ms 160 samples 64000 bits
2011-11-18 15:27:36.633145 [DEBUG] sofia_glue.c:4825 Set 2833 dtmf 
send/recv payload to 101
2011-11-18 15:27:36.633145 [DEBUG] sofia.c:5284 
(sofia/external/1010 at xx.xx.xx.xx:5060) State Change CS_NEW -> CS_INIT
2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send 
signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325 
(sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_INIT
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:364 
(sofia/external/1010 at xx.xx.xx.xx:5060) State INIT
2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:85 
sofia/external/1010 at xx.xx.xx.xx:5060 SOFIA INIT
2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:125 
(sofia/external/1010 at xx.xx.xx.xx:5060) State Change CS_INIT -> CS_ROUTING
2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send 
signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:364 
(sofia/external/1010 at xx.xx.xx.xx:5060) State INIT going to sleep
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325 
(sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_ROUTING
2011-11-18 15:27:36.633145 [DEBUG] switch_channel.c:1821 
(sofia/external/1010 at xx.xx.xx.xx:5060) Callstate Change DOWN -> RINGING
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:373 
(sofia/external/1010 at xx.xx.xx.xx:5060) State ROUTING
2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:148 
sofia/external/1010 at xx.xx.xx.xx:5060 SOFIA ROUTING
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:77 
sofia/external/1010 at xx.xx.xx.xx:5060 Standard ROUTING
2011-11-18 15:27:36.633145 [INFO] mod_dialplan_xml.c:336 Processing 
MyName <1010>->972592182076 in context public
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing [public->unloop] 
continue=false
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (PASS) [unloop] 
${unroll_loops}(true) =~ /^true$/ break=on-false
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL) [unloop] 
${sip_looped_call}() =~ /^true$/ break=on-false
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing 
[public->outside_call] continue=true
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Absolute Condition 
[outside_call]
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Action set(outside_call=true)
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Action 
set(RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)})
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing 
[public->call_debug] continue=true
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL) [call_debug] 
${call_debug}(false) =~ /^true$/ break=never
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing 
[public->public_extensions] continue=false
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL) 
[public_extensions] destination_number(972592182076) =~ 
/^(10[01][0-9])$/ break=on-false
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing [public->TEMP] 
continue=false
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (PASS) [TEMP] 
context(public) =~ /public/ break=on-false
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL) [TEMP] 
destination_number(972592182076) =~ /^publicnumber$/ break=on-false
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing 
[public->Misc_Number] continue=false
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (PASS) 
[Misc_Number] context(public) =~ /public/ break=on-false
Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL) 
[Misc_Number] destination_number(972592182076) =~ /^publicnumber2$/ 
break=on-false
<!-- Cut out additional regex checks-->
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:119 
(sofia/external/1010 at xx.xx.xx.xx:5060) State Change CS_ROUTING -> CS_EXECUTE
2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send 
signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:373 
(sofia/external/1010 at xx.xx.xx.xx:5060) State ROUTING going to sleep
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325 
(sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_EXECUTE
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:380 
(sofia/external/1010 at xx.xx.xx.xx:5060) State EXECUTE
2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:241 
sofia/external/1010 at xx.xx.xx.xx:5060 SOFIA EXECUTE
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:157 
sofia/external/1010 at xx.xx.xx.xx:5060 Standard EXECUTE
EXECUTE sofia/external/1010 at xx.xx.xx.xx:5060 set(outside_call=true)
2011-11-18 15:27:36.633145 [DEBUG] mod_dptools.c:1063 
sofia/external/1010 at xx.xx.xx.xx:5060 SET [outside_call]=[true]
EXECUTE sofia/external/1010 at xx.xx.xx.xx:5060 set(RFC2822_DATE=Fri, 18 
Nov 2011 15:27:36 +0100)
2011-11-18 15:27:36.633145 [DEBUG] mod_dptools.c:1063 
sofia/external/1010 at xx.xx.xx.xx:5060 SET [RFC2822_DATE]=[Fri, 18 Nov 
2011 15:27:36 +0100]
2011-11-18 15:27:36.633145 [NOTICE] switch_core_state_machine.c:189 
sofia/external/1010 at xx.xx.xx.xx:5060 has executed the last dialplan 
instruction, hanging up.
2011-11-18 15:27:36.633145 [DEBUG] switch_channel.c:2739 
(sofia/external/1010 at xx.xx.xx.xx:5060) Callstate Change RINGING -> HANGUP
2011-11-18 15:27:36.633145 [NOTICE] switch_core_state_machine.c:191 
Hangup sofia/external/1010 at xx.xx.xx.xx:5060 [CS_EXECUTE] [NORMAL_CLEARING]
2011-11-18 15:27:36.633145 [DEBUG] switch_channel.c:2755 Send signal 
sofia/external/1010 at xx.xx.xx.xx:5060 [KILL]
2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send 
signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:380 
(sofia/external/1010 at xx.xx.xx.xx:5060) State EXECUTE going to sleep
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325 
(sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_HANGUP
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:575 
(sofia/external/1010 at xx.xx.xx.xx:5060) State HANGUP
2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:458 Channel 
sofia/external/1010 at xx.xx.xx.xx:5060 hanging up, cause: NORMAL_CLEARING
2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:522 Responding to INVITE 
with: 480
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:46 
sofia/external/1010 at xx.xx.xx.xx:5060 Standard HANGUP, cause: NORMAL_CLEARING
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:575 
(sofia/external/1010 at xx.xx.xx.xx:5060) State HANGUP going to sleep
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:356 
(sofia/external/1010 at xx.xx.xx.xx:5060) State Change CS_HANGUP -> 
CS_REPORTING
2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send 
signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325 
(sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_REPORTING
2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:635 
(sofia/external/1010 at xx.xx.xx.xx:5060) State REPORTING

Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users mailing list