
Logs lots of ccsip messages SIP/2.0 488 Not Acceptable Media

leam2
Level 1

Hello,
If I run:

undebug all
debug ccsip messages
clear log
show log

I can see a lot of messages like this one:

Aug 29 10:21:03.132 CET: //39493/48D8C95F936B/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 488 Not Acceptable Media
Via: SIP/2.0/UDP 163.172.78.130:52426;branch=z9hG4bK1440257586
From: <sip:1001@W.X.Y.Z>;tag=1991581129
To: <sip:+55000.48656100974@W.X.Y.Z>;tag=38D6BEE-D11
Call-ID: 1340097834-1952427309-337034897
CSeq: 1 INVITE
Reason: Q.850;cause=65
Content-Length: 0

W.X.Y.Z being my public IP.
And, in the file attached, you can find some more messages.

Can you tell me what this is?
Thank you.


Sreekanth Narayanan
Cisco Employee
The 488 Not Acceptable is sent when the media advertised in the INVITE isn't something that the router expects.
I'm seeing that the INVITE that comes with "m=audio 25282 RTP/AVP 0 101", the router responds with 488.
There is another INVITE that arrives with "m=audio 5075 RTP/AVP 18 0 8 101" and this one is accepted by the router.
Please check your config to see if you have enabled g711ulaw under the dial-peer that you want to match for the incoming call.

Hello and thank you for your answer.

The "g711ulaw" is not a codec that is supported by my SIP trunk provider.
My SIP trunk provider supports codecs "g722-64", "g711alaw" and "g729r8".

For now, my telephony system is in a "lab" state.
What I mean is that I am not expecting phone calls from the outside.
The only "valid" phone calls that can come from the outside are the ones I make myself for my tests.

> I'm seeing that the INVITE that comes with "m=audio 25282 RTP/AVP 0 101", the router responds with 488.
So, is it some kind of bot trying to do something and what?

 

> There is another INVITE that arrives with "m=audio 5075 RTP/AVP 18 0 8 101" and this one is accepted by the router.
Is this INVITE message the one at line 251?
Is the message "SIP/2.0 403 Forbidden" at line 277 related to that INVITE?

Thank you.

> The "g711ulaw" is not a codec that is supported by my SIP trunk provider.
> My SIP trunk provider supports codecs "g722-64", "g711alaw" and "g729r8".
>> I would suggest using a voice class codec that only includes the above codecs and apply that to the dial-peer then. When a call comes in with g711ulaw codec, the 488 is expected behavior from the router.

> For now, my telephony system is in a "lab" state.
> What I mean is that I am not expecting phone calls from the outside.
> The only "valid" phone calls that can come from the outside are the ones I make myself for my tests.

> I'm seeing that the INVITE that comes with "m=audio 25282 RTP/AVP 0 101", the router responds with 488.
> So, is it some kind of bot trying to do something and what?
>> Yes, this looks like a bot somewhere in your network. The INVITE at line 25 is coming from User-Agent: Linksys-SPA942. Please check that device.

> There is another INVITE that arrives with "m=audio 5075 RTP/AVP 18 0 8 101" and this one is accepted by the router.
> Is this INVITE message the one at line 251?
> Is the message "SIP/2.0 403 Forbidden" at line 277 related to that INVITE?
>> Yes this is that INVITE. That's coming from a software called sipcli. User-Agent: sipcli/v1.8. This also looks like a bot. The 403 forbidden is again expected from the router as the source IP for that INVITE message is not trusted.

Hello and thank you for your answers.

> When a call comes in with g711ulaw codec, the 488 is expected behavior from the router.
Ok. Thank you.

> Yes, this looks like a bot somewhere in your network.
How can there be such a bot in my network?

> The INVITE at line 25 is coming from User-Agent: Linksys-SPA942. Please check that device.
I have no such device on my network.

> The 403 forbidden is again expected from the router as the source IP for that INVITE message is not trusted.
Ok. Thank you.

Can you explain to me what these bots are trying to do?
Are they trying to place phone calls on behalf of my system and phone subscription?
(Sorry if it looks paranoid).

Is it normal for my system to receive all these attempts?
You nicely explained above that it is normal behavior, but ecologically speaking, isn't it a huge loss of energy?

Is there something I can do to prevent these attempts better?
Or do I have to let them be?

Thank you.

Yes, these bots are trying to use your system to make calls out and probably cause you to get heavily billed by your ITSP.
No, it is not normal for your router to receive these call attempts. They are coming from malicious systems. If you have a firewall I would suggest using it to block requests from unknown IPs.
The alternative is to put in ACLs on your router that only permit SIP packets from the subnets that you trust and not unknown IPs. This way they will drop these packets and your router doesn't have to process them.

Hello,

Sorry for my late answer.

I have set up a zone-based firewall on an ISR4331.

I think that this firewall only allows SIP traffic from inside my system to my SIP trunk provider with an inspect rule.

And because its default policy is to drop packets, I think I am not accepting any connection from the outside...

Yet, I still have these attempts which end up with "SIP/2.0 488 Not Acceptable Media" or "SIP/2.0 403 Forbidden" messages.

So I don't know if that firewall is correctly set up or not.

Note that no abusive call was placed on behalf of my system.

If I observe these log messages does it mean that some undesired traffic passed through the firewall?

Or are these just attempts that were recorded in the logs and were successfully blocked by the firewall?

(Just as a reminder, I ran "debug ccsip messages").

Best regards.

The firewall is not blocking those packets because we are seeing them in the debug ccsip message. If the ZBFW was blocking these packets successfully, they would not have to be processed by the SIP layer in the router, so we wouldn't see any debugs. We would see debugs in the ZBFW layer.
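
Because anything printed by "debug ccsip messages" has already reached the SIP stack, the debug output can be used to check whether a firewall or ACL change worked. The following is an added example, not code from this thread or from Cisco: it tallies the 4xx replies the router sent to INVITEs by source address, and an empty result after the change means the probes no longer reach SIP. The function name and the second and third sample messages are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in "debug ccsip messages" format. The first message is the
# one quoted in the post, trimmed; the other two are made up (198.51.100.7 is a
# documentation address, 10.0.0.5 a private Via host behind NAT).
SAMPLE_LOG = """\
Aug 29 10:21:03.132 CET: //39493/48D8C95F936B/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 488 Not Acceptable Media
Via: SIP/2.0/UDP 163.172.78.130:52426;branch=z9hG4bK1440257586
CSeq: 1 INVITE
Reason: Q.850;cause=65

Aug 29 10:21:07.500 CET: //-1/000000000000/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:900@W.X.Y.Z SIP/2.0
Via: SIP/2.0/UDP 10.0.0.5:5071;branch=z9hG4bK-constructed-1

Aug 29 10:21:07.504 CET: //-1/000000000000/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 10.0.0.5:5071;branch=z9hG4bK-constructed-1;received=198.51.100.7
CSeq: 1 INVITE
"""

HEADER = re.compile(r"^.*ccsipDisplayMsg:[ \t]*$", re.M)

def rejected_invites(log):
    """Count 4xx replies the router sent to INVITEs, by (source, status, Q.850 cause)."""
    counts = Counter()
    for msg in HEADER.split(log)[1:]:
        lines = [l.strip() for l in msg.strip().splitlines()]
        if len(lines) < 2 or lines[0] != "Sent:":
            continue  # skip received requests; keep the router's own replies
        status = re.match(r"SIP/2\.0 (4\d\d) ", lines[1])
        hdrs = {}
        for l in lines[2:]:
            name, _, value = l.partition(":")
            hdrs.setdefault(name.strip().lower(), value.strip())  # topmost Via wins
        if not status or not hdrs.get("cseq", "").endswith("INVITE"):
            continue
        via = hdrs.get("via", "")
        # Prefer received= (real packet source) over the host the sender claimed.
        rcv = re.search(r";received=([^;\s]+)", via)
        host = re.search(r"SIP/2\.0/\w+\s+(\[[^\]]+\]|[^:;\s]+)", via)
        src = rcv.group(1) if rcv else (host.group(1) if host else "?")
        cause = re.search(r"cause=(\d+)", hdrs.get("reason", ""))
        counts[(src, int(status.group(1)), cause.group(1) if cause else None)] += 1
    return counts
```

Run it on the saved output of "show log" before and after the firewall change; sources that still appear are still reaching the SIP layer.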

Thanks a lot for this helpful clarification.

Please note that I started another thread in "Cisco Community -> Technology and Support -> Security -> Firewalls" which is https://community.cisco.com/t5/firewalls/zone-based-firewall-isr4331-sip-traffic/m-p/3699863#M172467

If you feel like going on helping me...

Best regards.
