Discussion:
[Linphone-developers] issue with constant calls from "1" or "++++"
Jason Manley
2018-08-14 02:36:22 UTC
Permalink
When linphone is running, I am getting constant calls (about once per
minute) from numbers such as "1" and "++++" and can't find anything in
settings, nor any documentation as to how to turn this off. This
happens whether I am connected to a SIP provider or not.
Russell Treleaven
2018-08-14 02:44:57 UTC
Permalink
Sounds like you have created inbound firewall rules. For your usage model
those usually not required.
Would explain more but typing with one thumb.
Post by Jason Manley
When linphone is running, I am getting constant calls (about once per
minute) from numbers such as "1" and "++++" and can't find anything in
settings, nor any documentation as to how to turn this off. This
happens whether I am connected to a SIP provider or not.
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
Robert Phair
2018-08-15 18:05:36 UTC
Permalink
What should we do if we see this problem _without_ ever having created
any firewall rules?  I am seeing this myself with a generic setup:
default settings with one registered SIP provider having "1000" as an
extension.  Incoming calls at 1 minute intervals from "1000" in place of
the "1" and "++++" in original report.

I've had 4.1.1 installed (on Ubuntu 18.04) for a couple weeks now, but
only saw this problem after my first incoming call was received.  I
would love to hear the further info that @Russell was suggesting.  Note
the problem has gone away after restarting Linphone a couple of times
(once wasn't enough).
Post by Russell Treleaven
Sounds like you have created inbound firewall rules. For your usage
model those usually not required.
Would explain more but typing with one thumb.
When linphone is running, I am getting constant calls (about once per
minute) from numbers such as "1" and "++++" and can't find anything in
settings, nor any documentation as to how to turn this off. This
happens whether I am connected to a SIP provider or not.
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
Russell Treleaven
2018-08-15 19:41:07 UTC
Permalink
https://en.wikipedia.org/wiki/Network_address_translation#Methods_of_translation

If you are using UDP for signalling its easier to get through the firewall.
The hacker can spoof his source address and port address to appear as your
ITSP.

A UDP state-full pinhole is typically just kept open by a timer.
Your outbound UDP packet creates a pinhole and it is kept open by a timer
of $n seconds which is reset by any packet sent or received that match the
pinhole.
The hacker does not need to get any response from you to make your phone
ring.

A TCP state-full pinhole can be a bit more sophisticated because it can use
the connection establishment and connection termination features of TCP to
be smarter about establishing and destroying the pinhole.

With TCP its harder for hacker to spoof his source address as the TCP
handshake
https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment
must take place before the INVITE can make it up the network stack to your
sip user agent.

Robert it could be...
-your edge device is using a less restrictive form of nat.
-or the hacker is spoofing their source address and source port to appear
like your ITSP
-or the attack is coming from within your network
-or you have inbound rules on your edge device
-something else I have not thought of

Suggest you use TCP if your ITSP supports it.
What should we do if we see this problem *without* ever having created
any firewall rules? I am seeing this myself with a generic setup: default
settings with one registered SIP provider having "1000" as an extension.
Incoming calls at 1 minute intervals from "1000" in place of the "1" and
"++++" in original report.
I've had 4.1.1 installed (on Ubuntu 18.04) for a couple weeks now, but
only saw this problem after my first incoming call was received. I would
problem has gone away after restarting Linphone a couple of times (once
wasn't enough).
Sounds like you have created inbound firewall rules. For your usage model
those usually not required.
Would explain more but typing with one thumb.
Post by Jason Manley
When linphone is running, I am getting constant calls (about once per
minute) from numbers such as "1" and "++++" and can't find anything in
settings, nor any documentation as to how to turn this off. This
happens whether I am connected to a SIP provider or not.
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
_______________________________________________
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
--
Sincerely,

Russell Treleaven
sip:***@sip.bunnykick.ca;transport=tcp
Robert Phair
2018-08-15 20:54:08 UTC
Permalink
thanks Russell... then I guess it is moving to a new house, new
broadband router & Internet connection that caused the change.  I don't
think this SIP connection is a hacking target but there may be rogue
software on other computers here.  I'll change over to TCP if possible
and see if that prevents the problem. thanks /robert
Post by Russell Treleaven
https://en.wikipedia.org/wiki/Network_address_translation#Methods_of_translation
If you are using UDP for signalling its easier to get through the firewall.
The hacker can spoof his source address and port address to appear as
your ITSP.
A UDP state-full pinhole is typically just kept open by a timer.
Your outbound UDP packet creates a pinhole and it is kept open by a
timer of $n seconds which is reset by any packet sent or received that
match the pinhole.
The hacker does not need to get any response from you to make your
phone ring.
A TCP state-full pinhole can be a bit more sophisticated because it
can use the connection establishment and connection termination
features of TCP to be smarter about establishing and destroying the
pinhole.
With TCP its harder for hacker to spoof his source address as the TCP
handshake
https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment
must take place before the INVITE can make it up the network stack to
your sip user agent.
Robert it could be...
-your edge device is using a less restrictive form of nat.
-or the hacker is spoofing their source address and source port to
appear like your ITSP
-or the attack is coming from within your network
-or you have inbound rules on your edge device
-something else I have not thought of
Suggest you use TCP if your ITSP supports it.
What should we do if we see this problem _without_ ever having
created any firewall rules?  I am seeing this myself with a
generic setup: default settings with one registered SIP provider
having "1000" as an extension.  Incoming calls at 1 minute
intervals from "1000" in place of the "1" and "++++" in original
report.
I've had 4.1.1 installed (on Ubuntu 18.04) for a couple weeks now,
but only saw this problem after my first incoming call was
suggesting.  Note the problem has gone away after restarting
Linphone a couple of times (once wasn't enough).
Post by Russell Treleaven
Sounds like you have created inbound firewall rules. For your
usage model those usually not required.
Would explain more but typing with one thumb.
When linphone is running, I am getting constant calls (about once per
minute) from numbers such as "1" and "++++" and can't find anything in
settings, nor any documentation as to how to turn this off. This
happens whether I am connected to a SIP provider or not.
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
<https://lists.nongnu.org/mailman/listinfo/linphone-developers>
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
<https://lists.nongnu.org/mailman/listinfo/linphone-developers>
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
<https://lists.nongnu.org/mailman/listinfo/linphone-developers>
--
Sincerely,
Russell Treleaven
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
Russell Treleaven
2018-08-15 21:04:05 UTC
Permalink
every reachable sip user agent is a hacking target.
thanks Russell... then I guess it is moving to a new house, new broadband
router & Internet connection that caused the change. I don't think this
SIP connection is a hacking target but there may be rogue software on other
computers here. I'll change over to TCP if possible and see if that
prevents the problem. thanks /robert
https://en.wikipedia.org/wiki/Network_address_translation#
Methods_of_translation
If you are using UDP for signalling its easier to get through the firewall.
The hacker can spoof his source address and port address to appear as your
ITSP.
A UDP state-full pinhole is typically just kept open by a timer.
Your outbound UDP packet creates a pinhole and it is kept open by a timer
of $n seconds which is reset by any packet sent or received that match the
pinhole.
The hacker does not need to get any response from you to make your phone
ring.
A TCP state-full pinhole can be a bit more sophisticated because it can
use the connection establishment and connection termination features of TCP
to be smarter about establishing and destroying the pinhole.
With TCP its harder for hacker to spoof his source address as the TCP
handshake https://en.wikipedia.org/wiki/Transmission_Control_Protocol#
Connection_establishment must take place before the INVITE can make it up
the network stack to your sip user agent.
Robert it could be...
-your edge device is using a less restrictive form of nat.
-or the hacker is spoofing their source address and source port to appear
like your ITSP
-or the attack is coming from within your network
-or you have inbound rules on your edge device
-something else I have not thought of
Suggest you use TCP if your ITSP supports it.
What should we do if we see this problem *without* ever having created
any firewall rules? I am seeing this myself with a generic setup: default
settings with one registered SIP provider having "1000" as an extension.
Incoming calls at 1 minute intervals from "1000" in place of the "1" and
"++++" in original report.
I've had 4.1.1 installed (on Ubuntu 18.04) for a couple weeks now, but
only saw this problem after my first incoming call was received. I would
problem has gone away after restarting Linphone a couple of times (once
wasn't enough).
Sounds like you have created inbound firewall rules. For your usage model
those usually not required.
Would explain more but typing with one thumb.
Post by Jason Manley
When linphone is running, I am getting constant calls (about once per
minute) from numbers such as "1" and "++++" and can't find anything in
settings, nor any documentation as to how to turn this off. This
happens whether I am connected to a SIP provider or not.
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
_______________________________________________
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
--
Sincerely,
Russell Treleaven
_______________________________________________
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
--
Sincerely,

Russell Treleaven
sip:***@sip.bunnykick.ca;transport=tcp
Jason Manley
2018-08-27 22:53:45 UTC
Permalink
Hello, just following up on this. I happened to change my settings to
use TCP instead of UDP, and restarted linphone a couple of times. I
still sometimes get the calls from 1001 ( sip:***@my-ip-address ).
Perhaps this is an issue I should take up with the voip provider (1-
voip)?
Post by Russell Treleaven
every reachable sip user agent is a hacking target.
Post by Robert Phair
thanks Russell... then I guess it is moving to a new house, new
broadband router & Internet connection that caused the change. I
don't think this SIP connection is a hacking target but there may
be rogue software on other computers here. I'll change over to TCP
if possible and see if that prevents the problem. thanks /robert
https://en.wikipedia.org/wiki/Network_address_translation#Methods_of_translation
Post by Russell Treleaven
Post by Robert Phair
Post by Russell Treleaven
If you are using UDP for signalling its easier to get through the firewall.
The hacker can spoof his source address and port address to
appear as your ITSP.
A UDP state-full pinhole is typically just kept open by a timer.
Your outbound UDP packet creates a pinhole and it is kept open by
a timer of $n seconds which is reset by any packet sent or
received that match the pinhole.
The hacker does not need to get any response from you to make
your phone ring.
A TCP state-full pinhole can be a bit more sophisticated because
it can use the connection establishment and connection
termination features of TCP to be smarter about establishing and
destroying the pinhole.
With TCP its harder for hacker to spoof his source address as the
TCP handshake
https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment
must take place before the INVITE can make it up the network
stack to your sip user agent.
Robert it could be...
-your edge device is using a less restrictive form of nat.
-or the hacker is spoofing their source address and source port
to appear like your ITSP
-or the attack is coming from within your network
-or you have inbound rules on your edge device
-something else I have not thought of
Suggest you use TCP if your ITSP supports it.
What should we do if we see this problem without ever having
created any firewall rules? I am seeing this myself with a
generic setup: default settings with one registered SIP
provider having "1000" as an extension. Incoming calls at 1
minute intervals from "1000" in place of the "1" and "++++" in
original report.
I've had 4.1.1 installed (on Ubuntu 18.04) for a couple weeks
now, but only saw this problem after my first incoming call was
was suggesting. Note the problem has gone away after
restarting Linphone a couple of times (once wasn't enough).
Post by Russell Treleaven
Sounds like you have created inbound firewall rules. For your
usage model those usually not required.
Would explain more but typing with one thumb.
On Mon, Aug 13, 2018, 10:40 PM Jason Manley <
Post by Jason Manley
When linphone is running, I am getting constant calls (about once per
minute) from numbers such as "1" and "++++" and can't find anything in
settings, nor any documentation as to how to turn this off. This
happens whether I am connected to a SIP provider or not.
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
Post by Russell Treleaven
Post by Robert Phair
Post by Russell Treleaven
Post by Russell Treleaven
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
--
Sincerely,
Russell Treleaven
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
_______________________________________________
Linphone-developers mailing list
https://lists.nongnu.org/mailman/listinfo/linphone-developers
Loading...