Port Scanning?

[gls101]

We got two phone calls within 5 minutes of each other at 4AM this morning from a caller with a CID of "asterisk". When we answered, there was no one there in both cases. This has happened before, also in the middle of the night. (Obviously from someone with an asterisk pbx.)

The calls didn't appear in call history of the CP, so I couldn't find a way to block them for the future.

I opened a ticket, and the response was that the calls didn't come from Voipo's network - that someone is port scanning large blocks of IP addresses from my ISP, looking for open PBX's to place free phone calls through.

They said there was nothing they could do, and I should just ignore it until they stop the scanning.

I really need a better response than that, given that these calls come in the middle of the night when we're sleeping. It's hard to ignore a ringing phone at 4AM. And I can't just put it in DND overnight.

Is anyone else experiencing this?

We use a Grandstream HT502 ATA, and it's installed in front of the router. Because of it's placement in front of the router, I can't filter or monitor for tracing purposes, caller's IP addresses that go to the ATA.

Does the Grandstream support any kind of firewall that would restrict IP addresses that it would respond to? Or, lacking that, is there any setup parameter that would say "only link and respond to IP address w.x.y.z"? And does the Grandstream support syslog, so I could at least log the caller's IP address and make his/her life miserable in the middle of THEIR sleep?

I would just move the ATA behind the router and let the router handle the filtering, but the reason we have the Grandstream in the first place is we had major problems with the previous Linksys ATA behind the router (no audio, dropped calls, etc.) which have all been completely resolved by putting the ATA in front of the router.

Of course, then it's exposed for all the world to take a whack at it.

[lost_]

Have you tried putting the ATA behind the router fw and do port-forwarding for the port range for VOIPo's ip's? (TCP 5060-5080, UDP 5004-65000 - a bit excessive, but that's what Tim recommended).

Regarding retaliating, that would be pointless, really -- just block and move on.

[stevech]

My Grandstream is behind my router (on the LAN side) and no port forwarding of those ports to the ATA. No issues.

[VOIPoTim]

We got two phone calls within 5 minutes of each other at 4AM this morning from a caller with a CID of "asterisk". When we answered, there was no one there in both cases. This has happened before, also in the middle of the night. (Obviously from someone with an asterisk pbx.)

The calls didn't appear in call history of the CP, so I couldn't find a way to block them for the future.

I opened a ticket, and the response was that the calls didn't come from Voipo's network - that someone is port scanning large blocks of IP addresses from my ISP, looking for open PBX's to place free phone calls through.

They said there was nothing they could do, and I should just ignore it until they stop the scanning.

I really need a better response than that, given that these calls come in the middle of the night when we're sleeping. It's hard to ignore a ringing phone at 4AM. And I can't just put it in DND overnight.

Is anyone else experiencing this?

We use a Grandstream HT502 ATA, and it's installed in front of the router. Because of it's placement in front of the router, I can't filter or monitor for tracing purposes, caller's IP addresses that go to the ATA.

Does the Grandstream support any kind of firewall that would restrict IP addresses that it would respond to? Or, lacking that, is there any setup parameter that would say "only link and respond to IP address w.x.y.z"? And does the Grandstream support syslog, so I could at least log the caller's IP address and make his/her life miserable in the middle of THEIR sleep?

I would just move the ATA behind the router and let the router handle the filtering, but the reason we have the Grandstream in the first place is we had major problems with the previous Linksys ATA behind the router (no audio, dropped calls, etc.) which have all been completely resolved by putting the ATA in front of the router.

Of course, then it's exposed for all the world to take a whack at it.

There's an option in the Grandstream to only accept SIP calls from the server you're connected to.

I'm not 100% sure (I don't get into the tech side of things) but I don't see any reason this couldn't be enabled based on my knowledge.

Open a ticket and ask for Tier II and this can be enabled for you to see if it resolves your issue.

[voipinit]

^ disable direct IP call in advanced settings

[gls101]

There's an option in the Grandstream to only accept SIP calls from the server you're connected to.

I'm not 100% sure (I don't get into the tech side of things) but I don't see any reason this couldn't be enabled based on my knowledge.

Open a ticket and ask for Tier II and this can be enabled for you to see if it resolves your issue.

Ticket submitted.

Thanks for the suggestion. Hopefully this or something similar can resolve it.

I'll keep you all informed of how it goes.

Gary Sanders

[gls101]

Have you tried putting the ATA behind the router fw and do port-forwarding for the port range for VOIPo's ip's? (TCP 5060-5080, UDP 5004-65000 - a bit excessive, but that's what Tim recommended).

No I haven't. As I said in the original post, I had enormous problems with the Voipo Linksys ATA behind the router. I switched out three separate brands of routers, port forwarded 'till I was blue in the face, rebooted after every configuration change, verified that the changes stuck, etc. (Note that I have 2 other Linksys ATA's (one for NextAlarm, 1 for Gizmo5) behind the router that run 24/7 without a hiccup - and without needing any port forwarding.)

After switching to the Grandstream and putting it in front, EVERY problem has disappeared. The thing has turned from a monster into a pussycat. So, I don't want to tempt fate.

Hopefully the suggestions made by Tim and voipinit can resolve the problems.

Gary Sanders