08-29-2018 01:39 AM - edited 03-18-2019 12:30 PM
Hello,
If I run:
undebug all
debug ccsip messages
clear log
show log
I can see a lot of messages like this one:
Aug 29 10:21:03.132 CET: //39493/48D8C95F936B/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 488 Not Acceptable Media
Via: SIP/2.0/UDP 163.172.78.130:52426;branch=z9hG4bK1440257586
From: <sip:1001@W.X.Y.Z>;tag=1991581129
To: <sip:+55000.48656100974@W.X.Y.Z>;tag=38D6BEE-D11
Call-ID: 1340097834-1952427309-337034897
CSeq: 1 INVITE
Reason: Q.850;cause=65
Content-Length: 0
W.X.Y.Z being my public IP.
And, in the file attached, you can find some more messages.
Can you tell me what this is?
Thank you.
08-29-2018 01:55 AM
08-29-2018 03:15 AM
Hello and thank you for your answer.
The "g711ulaw" is not a codec that is supported by my SIP trunk provider.
My SIP trunk provider supports codecs "g722-64", "g711alaw" and "g729r8".
For now, my telephony system is in a "lab" state.
What I mean is that I am not expecting phone calls from the outside.
The only "valid" phone calls that can come from the outside are the ones I make myself for my tests.
> I'm seeing that the INVITE that comes with "m=audio 25282 RTP/AVP 0 101", the router responds with 488.
So, is it some kind of bot trying to do something and what?
> There is another INVITE that arrives with "m=audio 5075 RTP/AVP 18 0 8 101" and this one is accepted by the router.
Is this INVITE message the one at line 251?
Is the message "SIP/2.0 403 Forbidden" at line 277 related to that INVITE?
Thank you.
08-29-2018 07:41 AM
08-30-2018 01:29 AM
Hello and thank you for your answers.
> When a call comes in with g711ulaw codec, the 488 is expected behavior from the router.
Ok. Thank you.
> Yes, this looks like a bot somewhere in your network.
How can there be such a bot in my network?
> The INVITE at line 25 is coming from User-Agent: Linksys-SPA942. Please check that device.
I have no such device on my network.
> The 403 forbidden is again expected from the router as the source IP for that INVITE message is not trusted.
Ok. Thank you.
Can you explain to me what these bots are trying to do?
Are they trying to place phone calls on behalf of my system and phone subscription?
(Sorry if it looks paranoid.)
Is this normal for my system to receive all these attempts?
You nicely explained above it is normal behavior, but ecologically speaking, isn't it a huge loss of energy?
Is there something I can do to prevent these attempts better?
Or do I have to let them be?
Thank you.
08-30-2018 08:57 AM
09-03-2018 06:40 AM
Hello,
Sorry for my late answer.
I have set up a zone-based firewall on an ISR4331.
I think that this firewall only allows SIP traffic from inside my system to my SIP trunk provider with an inspect rule.
And because its default policy is to drop packets, I think I am not accepting any connection from the outside...
Yet, I still have these attempts which end up with "SIP/2.0 488 Not Acceptable Media" or "SIP/2.0 403 Forbidden" messages.
So I don't know if that firewall is correctly set up or not.
Note that no abusive call was placed on behalf of my system.
If I observe these log messages does it mean that some undesired traffic passed through the firewall?
Or are these just attempts that were recorded in the logs and were successfully blocked by the firewall?
(Just as a reminder, I ran "debug ccsip messages").
Best regards.
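The 488 and 403 responses discussed in this thread can be tallied per claimed source from saved `debug ccsip messages` output, which shows how many unsolicited INVITEs each sender produced and how the router answered them. This is an added example, not part of the original posts: the sample log and its addresses are constructed, and `rejected_invites` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in the layout printed by "debug ccsip messages".
# Addresses are documentation ranges, not values taken from the thread.
SAMPLE_LOG = """\
Aug 29 10:21:02.900 CET: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:+55000.48656100974@192.0.2.1 SIP/2.0
Via: SIP/2.0/UDP 198.51.100.7:52426;branch=z9hG4bK1440257586
CSeq: 1 INVITE
Aug 29 10:21:03.132 CET: //39493/48D8C95F936B/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 488 Not Acceptable Media
Via: SIP/2.0/UDP 198.51.100.7:52426;branch=z9hG4bK1440257586
CSeq: 1 INVITE
Aug 29 10:21:09.540 CET: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 203.0.113.44:5071;branch=z9hG4bK77
CSeq: 1 INVITE
Aug 29 10:22:40.001 CET: //39494/48D8C95F936C/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 488 Not Acceptable Media
Via: SIP/2.0/UDP 198.51.100.7:52431;branch=z9hG4bK99
CSeq: 1 INVITE
"""

MSG_START = re.compile(r"^\S.*?/SIP/Msg/ccsipDisplayMsg:", re.M)
STATUS = re.compile(r"Sent:\s*SIP/2\.0 (\d{3})")   # responses the router sent
VIA = re.compile(r"Via: SIP/2\.0/\w+ ([^\s:;]+)")  # topmost Via host
CSEQ = re.compile(r"CSeq: \d+ (\w+)")

def rejected_invites(log_text):
    """Count (Via host, status) for 4xx-6xx responses sent to INVITEs.

    The Via host is supplied by the sender, so treat it as a claim and
    confirm the real packet source with firewall or NetFlow records.
    """
    counts = Counter()
    starts = [m.start() for m in MSG_START.finditer(log_text)]
    for begin, end in zip(starts, starts[1:] + [len(log_text)]):
        block = log_text[begin:end]
        status, via, cseq = (p.search(block) for p in (STATUS, VIA, CSEQ))
        if not (status and via and cseq) or cseq.group(1) != "INVITE":
            continue  # received requests and non-INVITE transactions
        if status.group(1)[0] in "456":
            counts[(via.group(1), status.group(1))] += 1
    return counts

if __name__ == "__main__":
    for (host, code), n in rejected_invites(SAMPLE_LOG).most_common():
        print(f"{host}\t{code}\t{n}")
```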
09-04-2018 09:34 PM
09-05-2018 12:58 AM
Thanks a lot for this helpful clarification.
Please note that I started another thread in "Cisco Community -> Technology and Support -> Security -> Firewalls" which is https://community.cisco.com/t5/firewalls/zone-based-firewall-isr4331-sip-traffic/m-p/3699863#M172467
If you feel like going on helping me...
Best regards.