SIP scammer caught and rejected

lacibaci · September 18, 2012, 05:14:45 PM

It's a beautiful thing to see 22 rejected calls, all between 5 - 6 am

BTW, the log is from my firewall/router packet capture.

jjtricket · September 18, 2012, 08:13:59 PM

Nice!

JoeSchmoe007 · September 19, 2012, 10:46:52 AM

Can you elaborate on what I am seeing here? Someone tried to hack into your OBi?

lacibaci · September 19, 2012, 11:07:55 AM

The "From" column contains the caller (from GEO data looks like someone from Spain?) and "To" column contains the number they're trying to call. Notice that all numbers are international.

JoeSchmoe007 · September 19, 2012, 11:21:53 AM

What kind of firewall do you use?

How was this blocked?

Why/how was your OBi targeted to begin with? Does it have external IP?

lacibaci · September 19, 2012, 11:30:22 AM

My firewall/router is ZyXEL USG50. There is nothing special about my setup - OBi unfortunately accepts invites for all numbers not just your own.
Ideally, OBi would accept calls for my own number only or (through config) from registered server.

JoeSchmoe007 · September 19, 2012, 11:33:56 AM

Does your OBi have external IP address? I just wonder how you were singled out for this attack.

What kind of rule you have in your router to reject these and allow valid calls?

lacibaci · September 19, 2012, 11:45:05 AM

No, no external address for OBi. It is behind NAT. I don't think I was singled out - most likely your ATA is probed as well... I have my firewall packet capture on (temporarily) and OBi is configured to reject all callers I don't like (inbound route rule)

JoeSchmoe007 · September 19, 2012, 11:50:07 AM

I am new to this. Are you saying that if you didn't reject these attempts in firewall scammer would be able to complete these calls and you would be charged?

lacibaci · September 19, 2012, 11:58:10 AM

I suppose it is possible, although in my case they were not successful. The worst thing was that my phone rang in the middle of night. See my other thread:
http://www.obitalk.com/forum/index.php?topic=4142.0

JoeSchmoe007 · September 19, 2012, 12:08:29 PM

I read the thread you linked to.

So if Callcentric uses 500 IP-s - what kind of rule do you have in your router to filter this out?

lacibaci · September 19, 2012, 03:06:59 PM

I could not use access list so I used inbound call route instead.

JoeSchmoe007 · September 19, 2012, 04:39:46 PM

What do you have specified in inbound call route?

QBZappy · September 19, 2012, 04:54:51 PM

lacibaci

OBi inboundcall call route shows rejected in the ZyXEL router log?

JoeSchmoe007 · September 19, 2012, 04:57:43 PM

Quote from: QBZappy on September 19, 2012, 04:54:51 PM
lacibaci

OBi inboundcall call route shows rejected in the ZyXEL router log?

I guess lacibaci specified something in OBi inbound call route that causes call to drop and network connection gets rejected in the router.

ianobi · September 19, 2012, 11:47:17 PM

He does indeed! See:

http://www.obitalk.com/forum/index.php?topic=4067.msg27103#msg27103

lacibaci · September 22, 2012, 09:01:39 PM

Quote from: QBZappy on September 19, 2012, 04:54:51 PM
lacibaci

OBi inboundcall call route shows rejected in the ZyXEL router log?

Sorry, I missed your message. Yes, if OBi rejects the call (using black hole {xxx,}), you can see it in firewall's packet capture. It just happens that my firewall (ZyWALL USG) logs packets in a format that can be read with Wireshark which has a very nice tool to look at SIP and VOIP.

News:

SIP scammer caught and rejected