On Fri, 2010-02-19 at 11:45 -0500, Jeff Gilmore wrote:
> I saw in my call detail records a block of about 50 call attempts made
> within 2 minutes of each other to international numbers, and
> using a variety of prefixes. All calls showed the status "failed", so
> I presume they did not connect. The from field was "sip". Here is an
> example:
>
> sip 9011441383417547 2/13/10 5:02 AM 0 seconds Failed
>
> My guess is that my server was being probed to see if it could be
> hijacked for free calls. Does that seem right?

Not unlikely.

> What exactly does it mean to have "sip" as the From?

Nothing - did you find the full messages in the logs, or are you just looking at what's displayed in the CDR view? The view is designed to show you phone numbers, and if the attacker didn't use something that looked like a phone number, then the display filter may have dropped some parts of the address.

> Is there a checklist for security measures to ensure that an
> installation is reasonably protected from such attempts?

Yes: http://wiki.sipfoundry.org/display/xecsuserV4r0/Securing+Calls+to+the+PSTN

From your description, it sounds as though everything worked exactly as it should have, and the attacker discovered quickly that there was no opportunity for making calls at your expense. Congratulations.

If you are going to take advantage of the good things that come with SIP, like easy support of mobile remote users, there's no way to prevent such call attempts from coming _into_ your system, but as long as you've taken the necessary precautions to keep them from going back out again, such attempts are essentially harmless.

Just in case anyone out there needs motivation to read and check that list against their own system - the weekend before I first wrote that list, Pingtel's own installation broke a couple of those rules (someone was doing testing and neglected to turn the security back on afterward) and we discovered that someone out on the net had set up a calling service to Cuba (calls to Cuba from the US are _very_ expensive). By great luck, it was discovered just a couple of hours after it started on a Friday evening, but even so the bill was a lot of money - had it gone on all weekend it could easily have been tens of thousands of dollars or maybe more (and we only had a few POTS lines for outbound calls).
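Added example (not part of the original message and not sipXecs code): a small detector for the pattern described in the thread, a burst of failed international call attempts within a couple of minutes. The column layout is assumed from the single CDR line quoted above; the international-prefix heuristic, the threshold, the "Completed" status and the names `parse_cdr` and `find_bursts` are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Layout assumed from the thread's CDR line: from dialed M/D/YY H:MM AM|PM N seconds Status
CDR_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dialed>\+?\d+)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{2})\s+(?P<time>\d{1,2}:\d{2}\s+[AP]M)\s+"
    r"(?P<secs>\d+)\s+seconds\s+(?P<status>\w+)$")
# Assumption: "+", or an optional one-digit outside-line code, then 011 or 00.
INTL_RE = re.compile(r"^(\+|\d?(011|00))\d{7,}$")

def parse_cdr(line):
    """Return (timestamp, dialed, status), or None if the line does not match."""
    m = CDR_RE.match(line.strip())
    if not m:
        return None
    stamp = f"{m['date']} {' '.join(m['time'].split())}"
    when = datetime.strptime(stamp, "%m/%d/%y %I:%M %p")
    return when, m["dialed"], m["status"].lower()

def find_bursts(lines, window=timedelta(minutes=2), threshold=5):
    """Return (first, last, count) per burst of failed international attempts."""
    rows = [r for r in map(parse_cdr, lines) if r]
    events = sorted(when for when, dialed, status in rows
                    if status == "failed" and INTL_RE.match(dialed))
    spans, lo = [], 0
    for i, ts in enumerate(events):
        while ts - events[lo] > window:   # slide the window start forward
            lo += 1
        if i - lo + 1 >= threshold:
            if spans and lo <= spans[-1][1]:
                spans[-1][1] = i          # extend the current burst
            else:
                spans.append([lo, i])     # start a new burst
    return [(events[a], events[b], b - a + 1) for a, b in spans]

# Constructed sample; only the first line is the one quoted in the thread.
SAMPLE = """\
sip 9011441383417547 2/13/10 5:02 AM 0 seconds Failed
sip 011441383417547 2/13/10 5:02 AM 0 seconds Failed
sip 00441383417547 2/13/10 5:02 AM 0 seconds Failed
sip 900441383417547 2/13/10 5:03 AM 0 seconds Failed
sip +441383417547 2/13/10 5:03 AM 0 seconds Failed
201 918005550100 2/13/10 4:40 AM 0 seconds Failed
202 9011442079460000 2/12/10 3:15 PM 95 seconds Completed
""".splitlines()

if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```

A burst reported here only shows that someone probed; whether any attempt could have reached the PSTN is decided by the dial-plan permissions covered in the checklist linked above.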
