OBiTALK Community

General Support => Day-to-Day Use => Topic started by: lacibaci on September 18, 2012, 05:14:45 PM

Title: SIP scammer caught and rejected
Post by: lacibaci on September 18, 2012, 05:14:45 PM
It's a beautiful thing to see 22 rejected calls, all between 5 - 6 am :)
BTW, the log is from my firewall/router packet capture.

(https://lh6.googleusercontent.com/-EN16j3H8l6Q/UFkOLlkyz3I/AAAAAAAABLA/7KaSe8_Se6o/s800/Screenshot%2520from%25202012-09-18%252020%253A03%253A25.png)

Title: Re: SIP scammer caught and rejected
Post by: jjtricket on September 18, 2012, 08:13:59 PM
Nice!
Title: Re: SIP scammer caught and rejected
Post by: JoeSchmoe007 on September 19, 2012, 10:46:52 AM
Can you elaborate on what I am seeing here? Someone tried to hack into your OBi?
Title: Re: SIP scammer caught and rejected
Post by: lacibaci on September 19, 2012, 11:07:55 AM
The "From" column contains the caller (from GEO data, it looks like someone from Spain?) and the "To" column contains the number they're trying to call. Notice that all numbers are international.
Title: Re: SIP scammer caught and rejected
Post by: JoeSchmoe007 on September 19, 2012, 11:21:53 AM
What kind of firewall do you use?

How was this blocked?

Why/how was your OBi targeted to begin with? Does it have external IP?
Title: Re: SIP scammer caught and rejected
Post by: lacibaci on September 19, 2012, 11:30:22 AM
My firewall/router is a ZyXEL USG50. There is nothing special about my setup - OBi unfortunately accepts invites for all numbers, not just your own.
Ideally, OBi would accept calls for my own number only or (through config) from the registered server.
Title: Re: SIP scammer caught and rejected
Post by: JoeSchmoe007 on September 19, 2012, 11:33:56 AM
Does your OBi have external IP address? I just wonder how you were singled out for this attack.

What kind of rule do you have in your router to reject these and allow valid calls?
Title: Re: SIP scammer caught and rejected
Post by: lacibaci on September 19, 2012, 11:45:05 AM
No, no external address for OBi. It is behind NAT. I don't think I was singled out - most likely your ATA is probed as well... I have my firewall packet capture on (temporarily) and OBi is configured to reject all callers I don't like (inbound route rule).
Title: Re: SIP scammer caught and rejected
Post by: JoeSchmoe007 on September 19, 2012, 11:50:07 AM
I am new to this. Are you saying that if you didn't reject these attempts in the firewall, the scammer would be able to complete these calls and you would be charged?
Title: Re: SIP scammer caught and rejected
Post by: lacibaci on September 19, 2012, 11:58:10 AM
I suppose it is possible, although in my case they were not successful. The worst thing was that my phone rang in the middle of the night. See my other thread:
http://www.obitalk.com/forum/index.php?topic=4142.0
Title: Re: SIP scammer caught and rejected
Post by: JoeSchmoe007 on September 19, 2012, 12:08:29 PM
I read the thread you linked to.

So if Callcentric uses 500 IPs - what kind of rule do you have in your router to filter this out?
Title: Re: SIP scammer caught and rejected
Post by: lacibaci on September 19, 2012, 03:06:59 PM
I could not use an access list, so I used an inbound call route instead.
Title: Re: SIP scammer caught and rejected
Post by: JoeSchmoe007 on September 19, 2012, 04:39:46 PM
What do you have specified in the inbound call route?
Title: Re: SIP scammer caught and rejected
Post by: QBZappy on September 19, 2012, 04:54:51 PM
lacibaci

OBi inbound call route shows rejected in the ZyXEL router log?
Title: Re: SIP scammer caught and rejected
Post by: JoeSchmoe007 on September 19, 2012, 04:57:43 PM
Quote from: QBZappy on September 19, 2012, 04:54:51 PM
lacibaci

OBi inbound call route shows rejected in the ZyXEL router log?

I guess lacibaci specified something in the OBi inbound call route that causes the call to drop, and the network connection gets rejected in the router.
Title: Re: SIP scammer caught and rejected
Post by: ianobi on September 19, 2012, 11:47:17 PM
He does indeed! See:

http://www.obitalk.com/forum/index.php?topic=4067.msg27103#msg27103

Title: Re: SIP scammer caught and rejected
Post by: lacibaci on September 22, 2012, 09:01:39 PM
Quote from: QBZappy on September 19, 2012, 04:54:51 PM
lacibaci

OBi inbound call route shows rejected in the ZyXEL router log?

Sorry, I missed your message. Yes, if OBi rejects the call (using black hole {xxx,}), you can see it in the firewall's packet capture. It just happens that my firewall (ZyWALL USG) logs packets in a format that can be read with Wireshark, which has a very nice tool to look at SIP and VoIP.
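
Added example, not part of the thread and not Obihai's code: the policy lacibaci describes wanting (accept an INVITE only for your own number, and only from the registered server) applied offline to SIP requests exported from a packet capture. `OWN_NUMBER`, `PROVIDER_NETS` and the sample messages are constructed assumptions using documentation address ranges, and it assumes the provider puts your number in the Request-URI.

```python
import ipaddress
import re

# Assumptions for illustration: your own number and your provider's signalling range.
# Legitimate calls are assumed to carry OWN_NUMBER in the Request-URI.
OWN_NUMBER = "15551230000"
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

REQUEST_LINE = re.compile(r"^INVITE\s+sips?:(?:([^@\s;]+)@)?\S+\s+SIP/2\.0$", re.I)
HEADER_USER = re.compile(r"<?sips?:([^@>;\s]+)@", re.I)

def parse_invite(raw):
    """Return {'target','from_user','to_user'} for an INVITE, or None otherwise."""
    lines = raw.strip().splitlines()
    m = REQUEST_LINE.match(lines[0].strip()) if lines else None
    if not m:
        return None
    info = {"target": m.group(1), "from_user": None, "to_user": None}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; do not parse an SDP body
        name, _, value = line.partition(":")
        key = {"from": "from_user", "f": "from_user", "to": "to_user", "t": "to_user"}.get(name.strip().lower())
        if key:
            u = HEADER_USER.search(value)
            info[key] = u.group(1) if u else None
    return info

def classify(src_ip, raw):
    """'not-invite', 'accept', or 'reject:<reason>' for one captured request."""
    inv = parse_invite(raw)
    if inv is None:
        return "not-invite"
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in PROVIDER_NETS):
        return "reject:source-not-provider"
    if (inv["target"] or "").lstrip("+") != OWN_NUMBER:
        return "reject:target-not-own-number"
    return "accept"

# Constructed capture: (source IP, SIP request text); numbers and addresses are made up.
SAMPLES = [
    ("203.0.113.77", "INVITE sip:0034000000000@192.0.2.10 SIP/2.0\r\nFrom: <sip:100@203.0.113.77>;tag=a1\r\nTo: <sip:0034000000000@192.0.2.10>\r\n\r\n"),
    ("198.51.100.20", "INVITE sip:15551230000@192.0.2.10:5060 SIP/2.0\r\nFrom: \"Alice\" <sip:15557654321@sip.example.net>;tag=b2\r\nTo: <sip:15551230000@sip.example.net>\r\n\r\n"),
    ("198.51.100.20", "OPTIONS sip:15551230000@192.0.2.10 SIP/2.0\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, raw in SAMPLES:
        print(ip, classify(ip, raw))
```

The source-address check is evaluated first, so a probe from an unknown host is rejected regardless of the number it asks for.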