I have worked in the VoIP industry for quite a while and I am a little stumped on something I have noticed recently.
I administer a number of SIP-based servers such as Asterisk, FreePBX, 3CX etc. Normally, when a home user has a phone at his/her home behind their home router's NAT device, the source port of the phone is different from the actual source port on the phone.
In very rare cases I see the source port exposed on the public interface as the same as the port on the phone (usually 5060). This is a problem because hackers see this in scans and start sending random calls to the end user's phone at home. Especially annoying if it wakes them up at night LOL.
Here is an example of what I am explaining above:
Typical:
Phone (192.168.1.57:5060) > NAT router exposes x.x.x.x:18749, where x.x.x.x is the public IP on the NAT router.
When calls come in from the SIP server for that extension they go to x.x.x.x:18749 and are forwarded to the phone at 192.168.1.57:5060. All is well and since the port exposed to the world is NOT 5060, hackers scanning for SIP ports don't typically find it or care.
Sometimes:
Phone (192.168.1.57:5060) > NAT router exposes x.x.x.x:5060, where x.x.x.x is the public IP on the NAT router.
This is a problem for the reasons mentioned above.
So far, what I have done to resolve this is just change the end user's phone's local port to something other than 5060, and the random scans stop.
What I would like to know is if there is any other way to prevent your everyday home router from exposing the real port of the local device behind the NAT.
I don't really want to start messing with customers' routers, but I would like to know if there is a better fix than I just mentioned (changing the local port on the phone).
Yes, having the end user block everything to the phone except whitelisted IPs is another method, but it seems like overkill and requires me to mess with the customer's router each time.
I have also seen situations where an office will have a router and every phone in the office tries to expose itself as 5060 on the same public IP. Of course this doesn't work either.
I know many routers have SIP features but I have mostly found those to cause more issues than they solve.
Many ideas on how to deal with this come to mind, but I wanted to ask for the wisdom of the forum to help me decide the best approach.
Thoughts? Thanks in advance for any help and for reading my long post!
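An added example in Python (not from the post): a check that compares the host and port a phone advertises in its Contact header with the source address the server actually saw for that REGISTER, and flags the port-preserving mapping described above so an admin can spot which phones are sitting on public port 5060 before the scans start. It assumes the server records the observed source (Asterisk's received/rport values); the sample REGISTER, extension 101 and public address 203.0.113.10 are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample REGISTER from a phone behind a home NAT: Via and Contact
# carry the phone's private address 192.168.1.57 and its local port 5060.
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.57:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:101@pbx.example.net>;tag=1928301774\r\n"
    "To: <sip:101@pbx.example.net>\r\n"
    "Contact: <sip:101@192.168.1.57:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# sip:[user@]host[:port] for IPv4 / hostname Contacts (IPv6 literals not handled)
_HOSTPORT_RE = re.compile(r"sip:(?:[^@>\s]*@)?(?P<host>[0-9A-Za-z.\-]+)(?::(?P<port>\d{1,5}))?")

def header(msg: str, name: str) -> Optional[str]:
    """Return the value of the first header called `name` (case-insensitive)."""
    for line in msg.split("\r\n"):
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None

def contact_hostport(msg: str) -> Tuple[str, int]:
    """Host and port the phone advertises in Contact (SIP default port is 5060)."""
    contact = header(msg, "Contact")
    if contact is None:
        raise ValueError("no Contact header")
    m = _HOSTPORT_RE.search(contact)
    if m is None:
        raise ValueError("unparseable Contact header")
    return m.group("host"), int(m.group("port") or 5060)

def classify_nat(msg: str, observed_ip: str, observed_port: int) -> Dict[str, object]:
    """behind_nat: the address was rewritten on the way to the server.
    port_preserving: the NAT kept the phone's local port (the 'Sometimes' case).
    exposed_default_port: the public mapping is the well-known 5060 scanners probe."""
    host, port = contact_hostport(msg)
    behind_nat = host != observed_ip
    return {
        "contact": (host, port),
        "observed": (observed_ip, observed_port),
        "behind_nat": behind_nat,
        "port_preserving": behind_nat and port == observed_port,
        "exposed_default_port": observed_port == 5060,
    }

if __name__ == "__main__":
    for public_port in (18749, 5060):  # the 'Typical' and 'Sometimes' mappings
        print(classify_nat(SAMPLE_REGISTER, "203.0.113.10", public_port))
```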