Grandstream IP phones getting dead calls from strange numbers

Ichinisan

Talked to someone in a different department at my employer. They sell IP phone service to local commercial customers. Previously, they've been using Cisco Matrix phones that use "Skinny" (SCCP) protocol, but they've recently started using Grandstream IP phones that use SIP. Multiple users have reported getting phone calls from strange numbers (like 100, 1000). The line is always dead when they try to answer. We checked with the company that enables the phone service for us, and they said these incoming calls with the provided timestamps did not pass through their voice switch, so it must be a device-to-device call using SIP.

I told the commercial phone department that doesn't make sense to me. Customers are experiencing this behind a NAT router. Their phones do not have public Internet-accessible IP addresses, and it's unlikely that the router is configured to forward incoming connections from the Internet. It seems to imply that another device on the LAN is contacting the phones. How likely is it a LAN computer is compromised and making strange IP calls to SIP phones on the LAN?

PliotronX

Interesting, looks like you'll have to start a mass scan (hopefully you have endpoint software to facilitate) and/or capture some packets to trace the originating IP/FQDN.
 

drebo

You'll need to packet capture to see source and destination.

Most likely cause is a misconfiguration somewhere allowing SIP traffic that shouldn't be allowed. Just be thankful you're not being relayed off.
 

mxnerd

http://www.grandstream.com/support/faq/troubleshooting

Q: Why is my phone ringing in the middle of the night/day, but no one is there?

VoIP phones or ATAs can easily be attacked by an intruder with the purpose of annoying or placing a telemarketing call. This type of hacking seems to happen more often nowadays. Grandstream has developed a new protection in their SIP phones and ATAs to avoid this from happening, rejecting all kinds of calls that are not coming from the legit proxy. This configuration needs to be enabled by the user. Here I explain where the options are and what they are called on each model:

HT502/503 and GXW40xx:
- Validate Incoming SIP Message
- Check SIP User ID for incoming INVITE
- Allow Incoming SIP Messages from SIP Proxy Only

GXP20xx and GXP21xx/14xx:
- Check SIP User ID for incoming INVITE

GXV31XX:
- Validate Incoming Messages


https://www.reddit.com/r/VOIP/comments/30plms/ghost_calls_from_short_numbers/

https://support.fathomvoice.com/customer/portal/articles/1843465-ghost-calls-sip-scanners
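
Added example, not part of any post in this thread and not Grandstream's code: a triage script for the packet capture suggested above, applying the two checks the FAQ option names describe (INVITE must come from the SIP proxy, and its Request-URI user must be the phone's SIP User ID). The proxy address, user ID, sample messages and the exact matching rules are assumptions made for illustration.

```python
import re

# Assumed deployment values (hypothetical, not from the thread).
PROXY_IPS = {"203.0.113.10"}   # provider's SIP proxy / voice switch
SIP_USER_ID = "5551230001"     # account the phone registers with

REQ_LINE = re.compile(r"^INVITE\s+sips?:(?:([^@\s;]+)@)?[^\s;>]+", re.I)
FROM_USER = re.compile(r"^(?:From|f)\s*:.*?sips?:([^@>;\s]+)@", re.I | re.M)

def parse_invite(raw):
    """Return (request_uri_user, from_user), or None if raw is not an INVITE."""
    req = REQ_LINE.match(raw)
    if not req:
        return None
    frm = FROM_USER.search(raw)
    return req.group(1), (frm.group(1) if frm else None)

def check_invite(src_ip, raw):
    """List the reasons a proxy-only / user-ID check would reject this INVITE."""
    parsed = parse_invite(raw)
    if parsed is None:
        return []
    uri_user, from_user = parsed
    reasons = []
    if src_ip not in PROXY_IPS:
        reasons.append("source is not the SIP proxy")
    if uri_user != SIP_USER_ID:
        reasons.append("Request-URI user is not our SIP User ID")
    # Heuristic taken from the thread: caller IDs such as 100 or 1000.
    if from_user and from_user.isdigit() and len(from_user) <= 4:
        reasons.append("short numeric caller ID")
    return reasons

# Constructed capture: (source IP of the packet, raw SIP request).
SAMPLES = [
    ("203.0.113.10", "INVITE sip:5551230001@192.168.1.50:5060 SIP/2.0\r\n"
     'From: "Front Desk" <sip:5551239999@voip.example.net>;tag=a1\r\n\r\n'),
    ("198.51.100.77", "INVITE sip:100@192.168.1.50 SIP/2.0\r\n"
     'From: "100" <sip:100@198.51.100.77>;tag=b2\r\n\r\n'),
    ("192.168.1.23", "INVITE sip:5551230001@192.168.1.50 SIP/2.0\r\n"
     'From: <sip:1000@192.168.1.23>;tag=c3\r\n\r\n'),
]

if __name__ == "__main__":
    for src, raw in SAMPLES:
        print(src, check_invite(src, raw) or "accept")
```

The third sample is the LAN-origin case raised in the first post: the Request-URI user is correct, so only the source-address check and the caller-ID heuristic flag it.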