[clug] Question about SIP messages

Eyal Lebedinsky eyal at eyal.emu.id.au
Mon Aug 8 07:33:14 UTC 2016

Hi Adam,

On 08/08/16 16:55, Adam Baxter wrote:
> On 20 May 2016 11:46 PM, "Eyal Lebedinsky" <eyal at eyal.emu.id.au> wrote:
>> I have an ADSL modem/router that also provides VOIP. Call it 5.
>> Due to some ADSL sync problems I changed the setup to include a separate
> ADSL modem.
>> This one is actually also an ADSL modem/router. call it 55.
>> Both are configured to remote log to my main server.
>> I should say that I am not that familiar with SIP and the rest of the
> telephony protocols,
>> but this just caught my eye.
>> On checking the logs, looking for dropped ADSL line messages, I noticed
> that .55 now
>> reports this:
>>         syslog: proxy.c:211 INFO:Outgoing Call from:
> 026xxxxxxx at
>> which I think coincides with me making calls (using VOIP on 5). It lists
> my VOIP number.
>> Most of these messages are identical, but not all, I noticed a few
> unusual ones
>>         syslog: proxy.c:211 INFO:Outgoing Call from: 8001 at
>>         syslog: proxy.c:211 INFO:Outgoing Call from: 7001 at
>>         syslog: proxy.c:211 INFO:Outgoing Call from: 8001 at
>> I just made a call and got another
>>         syslog: proxy.c:211 INFO:Outgoing Call from: 8001 at
>> when the call was of course again from my own VOIP line.
>> What do these messages mean? Some are not coincident with any of my
> actual calls.
>> Maybe some in-band protocol messages? Maybe a proxy is confused on 55?
>> Probably just me not understanding the protocol.
> Hi Eyal,
> Are you still getting these messages in the logs?

I do not know.  The reason  I saw these is that I had two modems installed temporarily.
VOIP was handled by my modem (5) but ADSL was handled by a loaner (55). It is the loaner
that logged these messages. My modem does not show these.

 > Was your VoIP bill for the last few months normal?

Nothing unusual in my bills so this is one worry less. It was my first suspicion so
I checked my call log (online on my ISP, iinet) and nothing showed up.

> I think there's two separate things going on.
> The outgoing call that you made for testing was probably rewritten by the
> modem (look for a setting called SIP ALG). This is especially important for
> SIP clients that don't support NAT properly - anything Android based falls
> into this category, at least when I was testing it they were all based on
> the same PJSIP stack.
> If you do the test again and the outgoing call shows *your external IP*
> then it was rewritten on your behalf.
> The other IPs? There are bots that scan the IPv4 net (I've heard that can
> be done in 40 minutes these days) and try to call premium rate numbers to
> make some cash.

I suspected that these are scans, and maybe they are looking for vulnerable modems
that will allow them to make calls. I know that this happened once to our office
phone service (many years ago).

> --Adam


Eyal Lebedinsky (eyal at eyal.emu.id.au)

More information about the linux mailing list