[clug] Question about SIP messages

Adam Baxter voltagex at voltagex.org
Mon Aug 8 06:55:13 UTC 2016


On 20 May 2016 11:46 PM, "Eyal Lebedinsky" <eyal at eyal.emu.id.au> wrote:
>
> I have an ADSL modem/router that also provides VOIP. Call it 5.
> Due to some ADSL sync problems I changed the setup to include a separate ADSL modem.
> This one is actually also an ADSL modem/router. Call it 55.
>
> Both are configured to remote log to my main server.
>
> I should say that I am not that familiar with SIP and the rest of the telephony protocols,
> but this just caught my eye.
>
> On checking the logs, looking for dropped ADSL line messages, I noticed that .55 now
> reports this:
>         syslog: proxy.c:211 INFO:Outgoing Call from: 026xxxxxxx at 192.168.2.5
> which I think coincides with me making calls (using VOIP on 5). It lists my VOIP number.
>
> Most of these messages are identical, but not all, I noticed a few unusual ones
>         syslog: proxy.c:211 INFO:Outgoing Call from: 8001 at 209.126.120.60
>         syslog: proxy.c:211 INFO:Outgoing Call from: 7001 at 185.40.4.70
>         syslog: proxy.c:211 INFO:Outgoing Call from: 8001 at 209.126.120.60
>
> I just made a call and got another
>         syslog: proxy.c:211 INFO:Outgoing Call from: 8001 at 209.126.120.60
> when the call was of course again from my own VOIP line.
>
> What do these messages mean? Some are not coincident with any of my actual calls.
> Maybe some in-band protocol messages? Maybe a proxy is confused on 55?
> Probably just me not understanding the protocol.

Hi Eyal,
Are you still getting these messages in the logs? Was your VoIP bill for
the last few months normal?

I think there are two separate things going on.

The outgoing call that you made for testing was probably rewritten by the
modem (look for a setting called SIP ALG). This is especially important for
SIP clients that don't support NAT properly - anything Android-based falls
into this category, at least when I was testing it they were all based on
the same PJSIP stack.

If you do the test again and the outgoing call shows *your external IP*
then it was rewritten on your behalf.

The other IPs? There are bots that scan the IPv4 net (I've heard that can
be done in 40 minutes these days) and try to call premium rate numbers to
make some cash.

--Adam
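
An added example, not part of the original messages: one way to sort the router's "Outgoing Call from" lines into calls from the LAN, calls showing your own external IP (the SIP ALG rewrite described in the reply) and calls from any other address. The /24 LAN range, the `wan_ip` parameter, the 203.0.113.10 address and the function name are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Log format as quoted in the thread. The list archive renders "user@host"
# as "user at host", so both separators are accepted (assumption).
LINE_RE = re.compile(
    r"proxy\.c:\d+ INFO:Outgoing Call from:\s*(?P<user>\S+?)\s*(?:@| at )\s*(?P<host>\S+)"
)

def classify_calls(lines, lan="192.168.2.0/24", wan_ip=None):
    """Bucket 'Outgoing Call from' entries by where the caller address sits.

    lan    -- local subnet (assumed /24 around the 192.168.2.5 seen in the log)
    wan_ip -- your external address, if known; a SIP ALG rewrite would show it
    """
    lan_net = ipaddress.ip_network(lan)
    wan = ipaddress.ip_address(wan_ip) if wan_ip else None
    buckets = {"local": Counter(), "alg_rewritten": Counter(), "foreign": Counter()}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        caller = (m["user"], m["host"])
        try:
            addr = ipaddress.ip_address(m["host"])
        except ValueError:
            buckets["foreign"][caller] += 1  # hostname, cannot be placed on the LAN
            continue
        if addr in lan_net:
            buckets["local"][caller] += 1
        elif wan is not None and addr == wan:
            buckets["alg_rewritten"][caller] += 1
        else:
            buckets["foreign"][caller] += 1
    return buckets

# Sample input: the lines quoted in the thread, plus two constructed lines
# (a documentation-range external IP, 203.0.113.10, and an unrelated message).
SAMPLE = """\
syslog: proxy.c:211 INFO:Outgoing Call from: 026xxxxxxx at 192.168.2.5
syslog: proxy.c:211 INFO:Outgoing Call from: 8001 at 209.126.120.60
syslog: proxy.c:211 INFO:Outgoing Call from: 7001 at 185.40.4.70
syslog: proxy.c:211 INFO:Outgoing Call from: 8001 at 209.126.120.60
syslog: proxy.c:211 INFO:Outgoing Call from: 026xxxxxxx@203.0.113.10
syslog: dsl: line sync lost
""".splitlines()

if __name__ == "__main__":
    for bucket, counts in classify_calls(SAMPLE, wan_ip="203.0.113.10").items():
        for (user, host), n in counts.items():
            print(f"{bucket:14} {user}@{host} x{n}")
```

Entries in the `foreign` bucket are the ones to compare against your call history and VoIP bill.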

