Problem

We have an Asterisk server hosted externally. On four locations we've gotten ghost calls. These are calls with different numbers like 1000, 9999 or 6060. We don't use these numbers, not even that range.

NB: I've asked a question about this before, but that didn't result in a solution.

A while ago one phone (123) had this problem. This phone was used at home by an employer. I ordered it back, and gave the employer a new phone with a new number (124). I connected the 123-phone in my office, and never had a problem. The 124-phone started to have problems after several weeks, so not right away.

To me this seems like a problem that originates in the home network of the employee.

  • We've had this problem in three different homes.
  • All these users have routers at home, so the phones are not connected to the internet directly.
  • We don't get this problem at the office, I suppose we have better protection there.
  • The problems don't stay forever. They come and go, then come back.

I've looked in the Asterisk logs several times, but couldn't find anything related.

Questions

I would like to know how this works.

  • Do these calls originate from the home LAN of these employers?
  • Does the Asterisk server play a role here?
  • What can cause this? Is this malware on a laptop?
  • Is it some harmless process that connects to this phone and causes the phone to think a call is made?

And of course:

  • How can we get rid of these calls?
SPRBRN

6 Answers

5

It's brute force; Asterisk servers always get that kind of thing if connected to a public IP.

My solutions are:

  • Install fail2ban; fail2ban will set the iptables rules and reject IPs with continuous failed attempts against Asterisk
  • Disable guest SIP login: put allowguest=no in sip.conf
  • If you're using a VPN, set the "from" SIP external address in your PBX
  • Set the [default] context to empty.
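As an added example (not from this answer and not fail2ban's own code), here is the maxretry/findtime logic fail2ban applies to chan_sip's failed-registration log lines, written in Python and run over constructed sample lines; the log format is assumed to match what chan_sip writes with alwaysauthreject=yes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in chan_sip's "Registration from ... failed for ..." format.
# Addresses are documentation ranges, not real scanners.
SAMPLE_LOG = """\
[2016-12-08 12:24:01] NOTICE[1234] chan_sip.c: Registration from '"1000" <sip:1000@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2016-12-08 12:24:02] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2016-12-08 12:24:03] NOTICE[1234] chan_sip.c: Registration from '"1002" <sip:1002@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2016-12-08 12:24:04] NOTICE[1234] chan_sip.c: Registration from '"9999" <sip:9999@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found
[2016-12-08 12:30:00] NOTICE[1234] chan_sip.c: Registration from '"123" <sip:123@203.0.113.5>' failed for '192.0.2.77:5060' - Wrong password
[2016-12-08 12:31:10] NOTICE[1234] chan_sip.c: Registration from '"123" <sip:123@203.0.113.5>' failed for '192.0.2.77:5060' - Wrong password
[2016-12-08 13:45:00] NOTICE[1234] chan_sip.c: Registration from '"6060" <sip:6060@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2016-12-08 14:02:00] NOTICE[1234] chan_sip.c: Registration from '"123" <sip:123@203.0.113.5>' failed for '192.0.2.77:5060' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)

def parse_failures(log_text):
    """Yield (timestamp, source_ip, reason) for every failed-registration line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("ip"), m.group("reason")

def find_offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: total_failures} for every IP that produced at least maxretry
    failures inside some sliding window of length findtime (fail2ban semantics).
    An IP whose failures are spread thinly over hours is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, _reason in parse_failures(log_text):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > findtime:   # slide window forward
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(times)
                break
    return offenders
```

In the sample, 198.51.100.23 fires four attempts in as many seconds and would be banned, while 192.0.2.77 (three failures spread over 90 minutes, e.g. a user mistyping a password) is left alone until the threshold is lowered.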
3

This happens due to automated scanners, which are probably trying to brute-force your passwords.

To get rid of such calls, you should disable anonymous users by placing the following options into the [general] section of your sip.conf:

[general]
context=bogus          ; unauthenticated callers land in a context that can dial nothing
allowguest=no          ; refuse SIP requests from unauthenticated (guest) sources
alwaysauthreject=yes   ; answer the same way whether or not the peer exists, so extensions can't be enumerated
Anubioz
  • OK I'll try that. I still don't understand though. Is the server scanned, or the phone? – SPRBRN Dec 08 '16 at 12:24
  • Does the context name matter? – SPRBRN Dec 08 '16 at 12:43
  • It could be either, but if the call is from a nonexistent extension then it's probably the server. The context name should be nonexistent, so the unauthorized scanner won't be able to get into your internal dialplan... – Anubioz Dec 08 '16 at 13:59
  • Whatever context you use should have an entry in `extensions.conf`, even if blank. The sample file has a demo played for the `default` and `public` entries. – ShortFuse Mar 31 '20 at 19:53
2

As you stated, this is an issue with home/remote users primarily, so most likely you would see two things. 1- The SIP INVITE they receive has nothing to do with your Asterisk server. I've seen the source IP be an unknown server, as well as the user's own home public IP. 2- If the user picks up, they will report hearing dead air.

I've seen this mostly with users using SIP softphone clients, making it easier to collect SIP messages, and with some low-end IP phones. Some IP phones include a check on the incoming SIP INVITE to confirm the request is from the same IP as the SIP registration. If the INVITE fails this check, the device does not respond to the invalid INVITE.

I failed to bookmark a blog post I found where they posted several IPs of SIP scanners they found. However, most home users do not have a network capable of blacklisting the IPs from a list. If you do not have some fail2ban system on your Asterisk server, you should add that. You should also make sure your SIP credentials do not include the ISDN number of the user.

YOUR QUESTIONS:

  1. Do these calls originate from the home LAN of these employers? Most likely they do not, although the SIP message may indicate this. I guess there is a small chance that infected hardware on their network could be trying to generate this, but more likely it's just a bot scanning all public IPs.

  2. Does the Asterisk server play a role here? Your Asterisk server is most likely not generating these phantom calls. You should be able to look through your logs and confirm it is not.

  3. What can cause this? Is this malware on a laptop? Most likely a bot trying public IPs. It's unlikely malware is the issue, but through experience, softphones are more likely to handle phantom SIP INVITEs differently than IP phones.

  4. Is it some harmless process that connects to this phone and causes the phone to think a call is made? Usually this is more annoying than harmful. If you find the same thing happening on your Asterisk server, you need to harden your server. With an INVITE to an end-user device it would be harder to find a way to bill the user for service, although there has to be some reason why someone is scanning for these services to begin with.

RunThor
1

Answers to your 5 specific questions:

  1. Q: Do these calls originate from the home LAN of these employers? A: No - they originate from scanners worldwide. Africa, Palestine, and Russia are some of the most common sources. (So a SIP security device which blocks based on Geofencing would help).
  2. Q: Does the Asterisk server play a role here? A: Yes - the scanners are targeting the SIP port of your Asterisk server. (So a SIP security device which detects bad packet structure, attempts to register with invalid credentials, attempts to dial with suspicious frequency, etc. would help).
  3. Q: What can cause this? Is this malware on a laptop? A: No - this is SIP scanners and hacking tools run remotely with the intention of finding weaknesses in your SIP stack, web GUI of the phone, weak passwords, etc. (So a SIP security system which recognizes the patterns of these hacking tools would help).
  4. Q: Is it some harmless process that connects to this phone and causes the phone to think a call is made? A: No - but be aware that hackers ARE trying to extract valid credentials from phones and then use these to commit toll fraud. (So a SIP security system which detects stolen credentials would help).
  5. Q: How can we get rid of these calls? A: A good SIP security system. Simple tools like fail2ban miss most of the attacks mentioned above (and that's why Digium recommends NOT using fail2ban as a security system).

Note as well that Digium warns users not to use it as such (see this wiki page).

Have a read of this wiki page which introduces how to secure your Asterisk installation. A real SIP security system is different from a firewall, and different from fail2ban. Furthermore, a SIP security system should be used in addition to basic security measures of your PBX.

TSG
0

If this issue is only at the home locations, I would look at what the difference is between your office location and the home locations. If there were something wrong with the Asterisk server or its internet connection, I think you would get ghost calls at the office location and the home locations alike.

I think there might be a combination of the phone and the home location. I don't know what kind of phone you are using, but you should in some way make sure you disable anonymous inbound calls on the phones. If this is the issue, then you should also check whether the phones are connected with a public IP or the router is set up to forward port 5060 to the SIP phone (this is often done to "solve" audio issues).

If you have a SIP client/server connected with a public IP on port 5060, you will get a lot of connection attempts/ghost calls from people trying to use your credit to route their SIP calls (we had a customer experience this: his Asterisk got used by a phone company and they routed phone calls to Cuba for some hours during a weekend, and that customer kept losing money until his account was shut down. He lost around $50k).

If you can avoid using port 5060, you should consider changing your sip port.

Mr Zach
0

Most likely the IP phone doesn't check the source of the incoming INVITEs. This can be enabled on most IP phones, and I suggest using call-by-call authentication along with registration.

viktike