Thanks for the reply Levi.
Speaking of the attack, I also noticed these in my logs, and as far as I know this is not my number "676697360". Could you please explain why this would show up? I have huge entries like this from different numbers starting from 100 to 599 and a few others.
06:12:33.118 SIP.STACK MSG Rx: UDP src=182.140.145.17:5066 dst=xxx.xxx.xxx.94:5060
06:12:33.119 SIP.STACK MSG REGISTER sip:676697360@xxx.xxx.xxx.94 SIP/2.0
06:12:33.119 SIP.STACK MSG Via: SIP/2.0/UDP 127.0.0.1:5066;branch=z9hG4bK-2558032309;rport
06:12:33.119 SIP.STACK MSG Content-Length: 0
06:12:33.119 SIP.STACK MSG From: "676697360"<sip:676697360@xxx.xxx.xxx.94>; tag=3637363639373336300132303234333531383531
06:12:33.119 SIP.STACK MSG Accept: application/sdp
06:12:33.119 SIP.STACK MSG User-Agent: friendly-scanner
06:12:33.119 SIP.STACK MSG To: "676697360"<sip:676697360@xxx.xxx.xxx.94>
06:12:33.120 SIP.STACK MSG Contact: sip:676697360@xxx.xxx.xxx.94
06:12:33.120 SIP.STACK MSG CSeq: 1 REGISTER
06:12:33.120 SIP.STACK MSG Call-ID: 1206026468
06:12:33.120 SIP.STACK MSG Max-Forwards: 70
06:12:33.120 SIP.STACK MSG
06:12:33.123 SIP.STACK MSG Tx: UDP src=xxx.xxx.xxx.94:5060 dst=182.140.145.17:5066
06:12:33.123 SIP.STACK MSG SIP/2.0 501 Not Implemented
06:12:33.123 SIP.STACK MSG From: "676697360"<sip:676697360@xxx.xxx.xxx.94>;tag=3637363639373336300132303234333531383531
06:12:33.123 SIP.STACK MSG To: "676697360"<sip:676697360@xxx.xxx.xxx.94>;tag=3bc4628-0-13c4-4b6d0-34ae633c-4b6d0
06:12:33.123 SIP.STACK MSG Call-ID: 1206026468
06:12:33.123 SIP.STACK MSG CSeq: 1 REGISTER
06:12:33.123 SIP.STACK MSG Via: SIP/2.0/UDP 127.0.0.1:5066;received=182.140.145.17;rport=5066;branch=z9hG4bK-2558032309
06:12:33.124 SIP.STACK MSG Content-Length: 0
06:12:33.124 SIP.STACK MSG
I branched this question to a new topic. If you are constantly receiving SIP REGISTER messages for phone numbers that are not assigned to you, you may be under a SIP attack. One way to prevent this is to create an access-list (ACL) that allows SIP traffic from your SIP server only. Then you will apply this ACL to the public-facing policy-class. For example, if your SIP server had the IP address of 1.1.1.1:
ip access-list extended SIP-SERVER
 permit udp host 1.1.1.1 any eq 5060
ip policy-class PUBLIC
 allow list SIP-SERVER self
This configuration will only allow uninitiated inbound SIP traffic from the specified SIP server's IP address.
I hope that makes sense, but please do not hesitate to reply to this post with additional questions. I will be happy to help in any way I can.
Levi
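To see which sources an ACL like the one above would cut off, the SIP.STACK debug output can be summarised per source address. This is an added example, not part of the original posts or the vendor's tooling; the log lines are constructed in the same format as the capture quoted in the thread, and the function name and the 203.0.113.x / 192.0.2.x addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the same debug format as the log quoted in the thread.
SAMPLE_LOG = """\
06:12:33.118 SIP.STACK MSG Rx: UDP src=203.0.113.7:5066 dst=192.0.2.94:5060
06:12:33.119 SIP.STACK MSG REGISTER sip:100@192.0.2.94 SIP/2.0
06:12:33.119 SIP.STACK MSG User-Agent: friendly-scanner
06:12:33.120 SIP.STACK MSG
06:12:33.123 SIP.STACK MSG Tx: UDP src=192.0.2.94:5060 dst=203.0.113.7:5066
06:12:33.123 SIP.STACK MSG SIP/2.0 501 Not Implemented
06:12:33.124 SIP.STACK MSG
06:12:34.000 SIP.STACK MSG Rx: UDP src=203.0.113.7:5066 dst=192.0.2.94:5060
06:12:34.001 SIP.STACK MSG REGISTER sip:101@192.0.2.94 SIP/2.0
06:12:34.001 SIP.STACK MSG User-Agent: friendly-scanner
06:12:34.002 SIP.STACK MSG
06:12:40.000 SIP.STACK MSG Rx: UDP src=1.1.1.1:5060 dst=192.0.2.94:5060
06:12:40.001 SIP.STACK MSG INVITE sip:5551000@192.0.2.94 SIP/2.0
06:12:40.001 SIP.STACK MSG User-Agent: ExampleSoftswitch
06:12:40.002 SIP.STACK MSG
"""

LINE = re.compile(r"^\S+ SIP\.STACK MSG ?(.*)$")          # timestamp + payload
RX = re.compile(r"^Rx: UDP src=([\d.]+):\d+ dst=")        # start of a received message
REQUEST = re.compile(r"^([A-Z]+) sip:([^@\s]+)@\S+ SIP/2\.0$")

def unexpected_sip_sources(log_text, allowed_servers):
    """Summarise inbound SIP requests from sources not in allowed_servers."""
    report = defaultdict(lambda: {"methods": set(), "users": set(), "agents": set()})
    src = None  # source IP of the received message being read, if any
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        if body.startswith("Tx:") or body == "":
            src = None  # our own reply, or end of the message headers
        elif (rx := RX.match(body)):
            src = rx.group(1)
        elif src and src not in allowed_servers:
            if (req := REQUEST.match(body)):
                report[src]["methods"].add(req.group(1))
                report[src]["users"].add(req.group(2))
            elif body.lower().startswith("user-agent:"):
                report[src]["agents"].add(body.split(":", 1)[1].strip())
    return dict(report)
```

A source that appears in the result with many distinct users and only REGISTER as a method matches the pattern described in the question; sources that are legitimate belong in `allowed_servers` and in the ACL.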
I marked this question as "assumed answered," but if you have any follow-up questions related to this post, please do not hesitate to reply. I will be happy to help in any way I can.
Levi
Mcdeeiis,
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
David