NAT routers exposing real source port of device behind NAT

fonewiz

New Around Here
I have worked in the VoIP industry for quite a while and I am a little stumped on something I have noticed recently.

I administer a number of SIP based servers such as Asterisk, FreePBX, 3CX etc. Normally when a home user has a phone at his/her home behind their home router NAT device, the source port of the phone is different from the actual source port on the phone.

In very rare cases I see the source port exposed on the public interface as the same as the port on the phone (usually 5060). This is a problem because hackers see this in scans and start sending random calls to the end user's phone at home. Especially annoying if it wakes them up at night LOL.

Here is an example of what I am explaining above:

Typical:
Phone (192.168.1.57:5060) > NAT router exposes x.x.x.x:18749, where x.x.x.x is the public IP on the NAT router.

When calls come in from the SIP server for that extension they go to x.x.x.x:18749 and are forwarded to the phone at 192.168.1.57:5060. All is well and since the port exposed to the world is NOT 5060, hackers scanning for SIP ports don't typically find it or care.

Sometimes:
Phone (192.168.1.57:5060) > NAT router exposes x.x.x.x:5060, where x.x.x.x is the public IP on the NAT router.

This is a problem for the reasons mentioned above.

So far, what I have done to resolve this is just change the end user's phone local port to something other than 5060, and the random scans stop.

What I would like to know is if there is any other way to prevent your everyday home router from exposing the real port of the local device behind the NAT.

I don't really want to start messing with customers' routers, but I would like to know if there is a better fix than the one I just mentioned (changing the local port on the phone).

Yes, having the end user block everything to the phone except whitelisted IPs is another method, but it seems like overkill and requires me to mess with the customer's router each time.

I have also seen situations where an office will have a router and every phone in the office tries to expose itself as 5060 on the same public IP. Of course this doesn't work either.

I know many routers have SIP features but I have mostly found those to cause more issues than they solve.

Many ideas on how to deal with this come to mind, but I wanted to ask for the wisdom of the forum to help me decide on the best approach.

Thoughts? Thanks in advance for any help and for reading my long post!
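A registrar-side check for the two situations described in the post (a NAT that keeps the phone's port on the public side, and an office where several phones land on the same public IP:5060), written as an added example for this thread rather than code from the poster or any of the PBX products named. It reads the Contact header (the phone's own private address:port) and the received=/rport= parameters a registrar adds to the Via header (RFC 3581); the REGISTER messages and addresses are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple
# Constructed REGISTER requests as a registrar sees them (documentation IPs):
# Via shows what arrived on the wire (received= public IP, rport= public port,
# RFC 3581); Contact shows the phone's own private addr:port.
SAMPLE_REGISTERS = [
    # 1001: well-behaved NAT, private 5060 rewritten to public 18749 ("Typical")
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.57:5060;branch=z9hG4bK1;rport=18749;received=203.0.113.10\r\n"
    "Contact: <sip:1001@192.168.1.57:5060>\r\n",
    # 1003/1004: two office phones behind one port-preserving NAT, both exposed on 5060
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.11:5060;branch=z9hG4bK3;rport=5060;received=192.0.2.44\r\n"
    "Contact: <sip:1003@10.0.0.11:5060>\r\n",
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.12:5060;branch=z9hG4bK4;rport=5060;received=192.0.2.44\r\n"
    "Contact: <sip:1004@10.0.0.12:5060>\r\n",
]
HostPort = Tuple[str, int]
Binding = Tuple[str, HostPort, HostPort]  # (user, private addr:port, public addr:port)

def _hostport(s: str, default: int = 5060) -> HostPort:
    host, _, port = s.partition(":")
    return host, int(port) if port else default

def parse_register(msg: str) -> Binding:
    """Private binding from Contact, public binding from Via received/rport."""
    via = re.search(r"^Via:\s*SIP/2\.0/\w+\s+(\S+)", msg, re.M | re.I).group(1)
    sent_by, *params = via.split(";")
    p = dict(kv.split("=", 1) for kv in params if "=" in kv)
    priv_host, priv_port = _hostport(sent_by)
    # No received/rport means the registrar saw no rewrite: fall back to sent-by.
    public = (p.get("received", priv_host), int(p.get("rport") or priv_port))
    user, host = re.search(r"^Contact:\s*<?sip:([^@>]+)@([^;>\s]+)", msg, re.M | re.I).groups()
    return user, _hostport(host), public

def port_preserving(bindings: List[Binding]) -> List[str]:
    """Users whose NAT exposed the phone's own port (usually 5060) unchanged."""
    return [user for user, priv, pub in bindings if pub[1] == priv[1]]

def public_collisions(bindings: List[Binding]) -> Dict[HostPort, List[str]]:
    """Public addr:port pairs that several phones map onto (the office case)."""
    seen: Dict[HostPort, List[str]] = defaultdict(list)
    for user, _, pub in bindings:
        seen[pub].append(user)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    b = [parse_register(m) for m in SAMPLE_REGISTERS]
    print("port-preserving:", port_preserving(b), "collisions:", public_collisions(b))
```

Run over a registrar trace, the port-preserving list is the set of customers to contact about the local-port change (or router) before the scanners find them, and the collision map shows offices where the fix must be router-side.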
 
Does your phone use UPNP?

Some things you can do are:
Add a rule to prevent UPnP on that port.
Make sure no port forwarding is present on that port.
Block layer 2 forwarding from the router to WAN (the physical port, WAN VLANs, WAN connection).
Add a firewall rule to block forwarding on that port except if it is to/from the SIP gateway.

From the looks of it you needed port forwarding/UPNP because it uses an external SIP gateway. Whitelisting the SIP gateway as the only forwarding allowed at that port should solve the problem.

What router do you use?

If I remember, a phone/PC goes through 2 services before it can call out, but it can receive calls from anyone because someone else could make their own SIP server and use that on your phone.
 
That's the thing, it's not my router. I handle the server side and the routers are whatever the customers are using. I just want to understand why it's happening and maybe on what routers it's likely to happen. I can get into the router and create rules, but I mostly want to avoid messing with their router when possible.

If it's an office environment then it's probably worth messing with the router rather than having to set each phone's local SIP port to a different number and try to keep track of all those.
 
Ah, so you run your own SIP gateway. In this case you obviously need port forwarding, but I'm going to assume that all your SIP traffic goes through the same port. In this case you'll need a configurable router.
1: When a customer authenticates with your SIP gateway (when their router and phone turn on and connect to you), add their IP to a whitelist.
2: When a customer times out/disconnects, remove their IP from the whitelist (or have each whitelist entry valid for the timeout period). On my MikroTik router I do this for clients behind my network. When someone connects and is given an IP from my DHCP server, I put them on a whitelist which can even be set to be valid for a few seconds, because it keeps refreshing the time as long as the client is on my network. I then add the destination request to a whitelist of 3 seconds for forwarding/proxy and to another list of IPs which I label as external and use a long expiry time (keeps a log of what IPs/websites have been visited).
3: Set up forwarding rules on your router using the lists. In the case of your service you would have your authenticated customer list and their phone number service (this can be like Google, some phone company, etc., which basically receives the data via IP packets, as phone networks work that way nowadays). I'm not 100% sure how SIP works, but if it can directly call a number on another phone company then you will need a rule to add this to a temporary whitelist. That may make it difficult if that phone company isn't on your permanent whitelist when someone calls, so having a whitelist of known phone company servers can be helpful, but big, which shouldn't be an issue if your router has a lot of RAM.
4: Drop all forwarding traffic on that port after you've accepted the whitelist traffic.

Another thing you can do on your SIP gateway is to keep an updated blacklist of known spammers/scammers, just like there are lists for adblocking, malware, and spammer IPs. You can also add the blacklist to your router before accepting the whitelist (may actually deter some abuse on your service) as long as your service doesn't end up in the blacklist. The blacklist can be a combination of IPs and servers for different services, or even regions that you know your customers never call to or receive from that are known scammers/spammers. If you use region blocking you may need to announce it on your service, but it could save you from a bunch of legal problems if someone abused your service.

This configuration only needs you to configure your router and gateway; the customer won't need to configure theirs except to have port forwarding/UPnP set up for their VoIP phone. The customer doesn't need the security because the security comes from their VoIP phone/PC registering with your gateway, so random traffic on their port gets dropped, but it can be vulnerable to a man in the middle attack which you can't do anything about, as it could be their government spying on them.
 
Sorry if I wasn't clear. I am the service provider; there is no issue with our routers where the SIP servers/gateways are. I am only trying to troubleshoot the customer end. They do NOT have a SIP server or gateway there, just a phone. Reading the rest of your post now :)
 
Ah, I see. The solution is blacklisting, which I listed in my previous post. Having a global and personal user blacklist would help a lot.
Edit: One thing the consumer can do is use UPnP instead of port forwarding, because the port will only be opened when necessary. Many consumer routers have improper implementations of UPnP that can expose the device behind it.
 
Are you using SIP with TLS?

Just saying... if not, then anyone can send a SIP INVITE message to ring the phone, with TLS, the unknown/untrusted 3rd party will fail the challenge.
 
I'm only spitballing here ... the problem may be UPnP and / or a certain type of router not working properly. You can test UPnP by buying a few routers (used, cheap) with UPnP and see if that's the problem. You can also see if certain routers work and others don't, if you're lucky in the test routers you select. Although getting the customers involved isn't good, you might be able to see if any brand / model stands out as a problem.

Also, some goof at the customer end might have opened the port themselves via port forwarding. Do you have documentation available that suggests port forwarding and they just did what someone asked?
 
And perhaps follow up with various other SIP auth measures...

http://www.voip-info.org/wiki/view/SIP+Authentication

Was listening to a podcast over the weekend that described this very same problem - random rings from the interwebs...

This is a basic design issue - So I can appreciate getting it sorted, or your customers will move on to someone that has it sorted...

It's kind of like Internet vs. Telecom - for this one problem, you should take a telecom perspective.
 