How about a temporary fix by blocking all 5060 traffic that does not come from your own firewall list - ITSP, Support IP addresses, Remote locations, etc., and then blocking all others? From a security standpoint, it's probably the right thing to do.
From: Matt White [mailto:mwh...@thesummit-grp.com] Sent: Saturday, August 07, 2010 2:43 PM To: thod...@verizon.net Cc: sipx-users@list.sipfoundry.org Subject: RE: [sipx-users] Blocking SIP URI Calls from the innternet Yes, that is exactly the scenario I'm describing. This customer actually already has a call block feature with their ITSP...ie to block anonymous calls and a few others. But the calls did not cease. When we looked into it the calls where not coming in via the SIP trunk but directly to port 5060 from sip servers in another country. So it seems reasonable to me that a feature that simply says "do not accept calls not from my itsp" would be one method to help control this. -M >>> "Todd Hodgen" 08/07/10 12:47 PM >>> There is an analogy that works well here. Today, you can call any telephone number you want, ring the phone and hang up. This isn't much different, a user can use sip to call directly into a sip phone. And, as kids I think many of us can recall playing pranks on people over the phone - caller ID took the fun out of that. L Somebody ringing my PSTN phone can ring the phone, but they can't call out on it. Similarly, someone getting a two way audio path up with a SIP phone, can just do that, but can't call out. What I think Matt is proposing is a solution that says if you are calling one of the devices on my network, you need to have my permission to do so. Similar products have come on the market for the PSTN due to unsolicited calling that requires you to authenticate you are approved to call that PSTN number, before it would ring the telephone at the residence. Call blockers are what many call them. Example item - http://www.amazon.com/Caller-Phone-Ring-Control-Completed/dp/B0007R5TQ6/ref= sr_1_10?ie=UTF8&s=electronics&qid=1281199141&sr=8-10 If I'm understanding Matt correctly, he is suggesting a method of turning off the ability to ring a phone on your network randomly from the outside, or a method similar to the device that kept nuisance calls out. To me it is legitimate, as the last thing any business wants is some 10 year old hacker call all of the phones on the network playing "phone ring ditch". I agree with Matt, this isn't a protocol issue, but a method of controlling if each individual phone will participate in that portion of the protocol, or deny it explicitly. A URI access list comes to mind as well, saying I will accept incoming URI calls if they come from these domains, or these ranges of IP addresses. You could bounce unwanted URI calls to a common extension that had an announcement of a method to get permission to URL call into the system also. I think he brings up an excellent point that I hadn't considered. I'm sure someday I am going to get a call from a customer that they are getting prank calls that they want to end. Geez.
_______________________________________________ sipx-users mailing list sipx-users@list.sipfoundry.org List Archive: http://list.sipfoundry.org/archive/sipx-users/
