[clug] Question about SIP messages

Eyal Lebedinsky eyal at eyal.emu.id.au
Mon Aug 8 07:33:14 UTC 2016


Hi Adam,

On 08/08/16 16:55, Adam Baxter wrote:
> On 20 May 2016 11:46 PM, "Eyal Lebedinsky" <eyal at eyal.emu.id.au> wrote:
>>
>> I have an ADSL modem/router that also provides VOIP. Call it 5.
>> Due to some ADSL sync problems I changed the setup to include a separate ADSL modem.
>> This one is actually also an ADSL modem/router. Call it 55.
>>
>> Both are configured to remote log to my main server.
>>
>> I should say that I am not that familiar with SIP and the rest of the telephony protocols,
>> but this just caught my eye.
>>
>> On checking the logs, looking for dropped ADSL line messages, I noticed that .55 now
>> reports this:
>>         syslog: proxy.c:211 INFO:Outgoing Call from: 026xxxxxxx at 192.168.2.5
>> which I think coincides with me making calls (using VOIP on 5). It lists my VOIP number.
>>
>> Most of these messages are identical, but not all, I noticed a few unusual ones
>>         syslog: proxy.c:211 INFO:Outgoing Call from: 8001 at 209.126.120.60
>>         syslog: proxy.c:211 INFO:Outgoing Call from: 7001 at 185.40.4.70
>>         syslog: proxy.c:211 INFO:Outgoing Call from: 8001 at 209.126.120.60
>>
>> I just made a call and got another
>>         syslog: proxy.c:211 INFO:Outgoing Call from: 8001 at 209.126.120.60
>> when the call was of course again from my own VOIP line.
>>
>> What do these messages mean? Some are not coincident with any of my actual calls.
>> Maybe some in-band protocol messages? Maybe a proxy is confused on 55?
>> Probably just me not understanding the protocol.
>
> Hi Eyal,
> Are you still getting these messages in the logs?

I do not know. The reason I saw these is that I had two modems installed temporarily.
VOIP was handled by my modem (5) but ADSL was handled by a loaner (55). It is the loaner
that logged these messages. My modem does not show these.

> Was your VoIP bill for the last few months normal?

Nothing unusual in my bills so this is one worry less. It was my first suspicion so
I checked my call log (online on my ISP, iinet) and nothing showed up.

> I think there's two separate things going on.
>
> The outgoing call that you made for testing was probably rewritten by the
> modem (look for a setting called SIP ALG). This is especially important for
> SIP clients that don't support NAT properly - anything Android based falls
> into this category, at least when I was testing it they were all based on
> the same PJSIP stack.
>
> If you do the test again and the outgoing call shows *your external IP*
> then it was rewritten on your behalf.
>
> The other IPs? There are bots that scan the IPv4 net (I've heard that can
> be done in 40 minutes these days) and try to call premium rate numbers to
> make some cash.

I suspected that these are scans, and maybe they are looking for vulnerable modems
that will allow them to make calls. I know that this happened once to our office
phone service (many years ago).

> --Adam

cheers

-- 
Eyal Lebedinsky (eyal at eyal.emu.id.au)
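
The triage discussed in this thread, separating the router's own "Outgoing Call from" entries from those naming outside addresses, can be scripted. The following is an added example, not part of the original post: the LAN range 192.168.2.0/24 is an assumption inferred from the 192.168.2.5 address in the quoted log, the function names are hypothetical, and the sample lines are constructed from the ones quoted above.

```python
import ipaddress
import re
from collections import Counter

# Log format as quoted in the thread. The list archive rewrites "@" as
# " at ", so both separators are accepted.
CALL_RE = re.compile(
    r"Outgoing Call from:\s*(?P<user>[^\s@]+)(?:@|\s+at\s+)(?P<host>[0-9.]+)"
)

# Constructed sample input based on the lines quoted in the thread.
SAMPLE = [
    "syslog: proxy.c:211 INFO:Outgoing Call from: 026xxxxxxx at 192.168.2.5",
    "syslog: proxy.c:211 INFO:Outgoing Call from: 8001 at 209.126.120.60",
    "syslog: proxy.c:211 INFO:Outgoing Call from: 7001 at 185.40.4.70",
    "syslog: proxy.c:211 INFO:Outgoing Call from: 8001@209.126.120.60",
    "syslog: adsl: line sync lost",  # unrelated line, must be ignored
]


def classify(lines, lan="192.168.2.0/24"):
    """Split call entries into (expected, unexpected) lists of (user, ip).

    An entry is expected when its source address is inside the LAN range
    (assumed here to be 192.168.2.0/24); anything else is unexpected.
    """
    net = ipaddress.ip_network(lan)
    expected, unexpected = [], []
    for line in lines:
        m = CALL_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["host"])
        except ValueError:
            continue  # not a valid IPv4 address, skip the line
        entry = (m["user"], str(ip))
        (expected if ip in net else unexpected).append(entry)
    return expected, unexpected


def summarize(unexpected):
    """Count unexpected entries per source address, most frequent first."""
    return Counter(ip for _, ip in unexpected).most_common()


if __name__ == "__main__":
    ok, odd = classify(SAMPLE)
    print("expected:", ok)
    for ip, count in summarize(odd):
        print(f"unexpected source {ip}: {count} entries")
```
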


