Strange Calls from John Doe <4000>?

You may have seen/received calls on your SIP device over the last couple of days (this isn’t limited to Trixbox, FreePBX, or A@H, by the way – this is anything that speaks SIP) with a caller ID of ‘John Doe <4000>’. This does seem to be a world first – It’s someone, or something, actively scanning the entire internet for misconfigured SIP devices. There’ve been a lot of reports of this, as well as a lot of discussion on IRC. The most important thing is that most people don’t have anything significant to worry about. The second thing is that it’s going to happen again and again, as more people come up with this idea.

It first happened to me about 3 days ago, and I didn’t think much of it at the time. As my home system is deliberately set up to be as friendly to people testing out VoIP as possible, I quite often get no-audio or wierd-callerID calls coming in to me. However,I’ve noticed a lot of people in #freepbx mentioning it too, and it’s not stopping.

So why is this new and exciting? Well, it’s the first mass SIP scan that has ever happened. Whilst SIP itself is a secure protocol (with challenge-response authentication) a lot of devices it don’t require this to ack the call. And, as it’s turned out, this can be rather annoying for anyone with one of these devices, or, with FreePBX’s ‘Allow Anonymous Incoming Calls’ switched on, and a default route that rings a phone somewhere.

(Warning: I use the word ‘he’ in this post, purely from a sexist standpoint. It could perfectly well be a woman. Sorry in advance)

What’s seems to be happening is that someone in France (from the IP address 82.234.27.188 from all the reports I’ve seen) is trying to find insecure SIP devices. They’re doing this by trying to make a call to 0033147310370, which appears to be a Fax machine or modem of some type in France. It’s a bit silly, actually, as ’00’ isn’t a valid International code in lots of places – here in Australia, for example, the international dial prefix is ‘0011’, and in the US it’s ‘011’, so it’s always going to return a 404 here, no matter even if I do have a misconfigured device.

Previous to the relatively recent proliferation of SIP devices, scanning SIP pretty much wouldn’t have bothered many people. But these days, it’s a bit harder to do this and get a useful result. A standard, old-style SIP device (eg, something big, meaty, expensive and secure, eg, a Cisco 5300) would either return, immediately, a “No Permission”, and never even attempt the call, or, proceed to make the call. By not getting a 403 request back, the person doing the scanning would know that he’s found an insecure device. The new cheap devices (eg, little ATAs), and things like FreePBX (and Trixbox) has stuffed this up. We, by default, acknowledge and accept all unknown calls coming in to the system. Depending on wether you have ‘Allow Anon’ switched on, freePBX will do one of two things. If you have it on, It’ll try to find a match in your DID’s, and if it can’t, it’ll try for a No DID/No CID route, and if you don’t have that, it’ll play ss-noservice (“I’m sorry, the number you have called is not in service”) and hang up. If you DON’T have anon switched on, it’ll accept the call, signal ‘ringing’, then then playback ss-noservice. From an automated standpoint, it looks like the call actually went through, or at least ‘something’ happened.

With the little cheap ATA’s, as long as you send a SIP INVITE to port 5060 of the machine, you can send a request to anything@the.devices.address and they’ll ring the phone attached to them. Which rings your phone, and possibly wakes you up in the middle of the night. Annoying

With freePBX, what can often happen is that people have a No DID/No CID route enabled, and allow anon switched on. So he calls in, with a destination of his french fax machine. FreePBX allows the call in, doesn’t find a DID match for his fax, and then sends it to your No DID/No CID route. Which rings your phone, and possibly wakes you up in the middle of the night. Also annoying.

If you’re using freePBX, the easy solution to stop this happening is to leave anon sip turned on, but set a DID for 0033147310370 to Core->Congestion. He can then happily try to send as many calls as he wants to your machine, and it won’t bother you, being that he’ll get a congestion right away. Hopefully, he probably won’t attempt to figure out what your machine is (being that, I assume, he knows what he’s doing, and keeps up with what’s happening in the VoIP industry). Of course, this may tip him off that you’re running Trixbox/FreePBX and attempt to play with your machine. As long as you’re running 2.1.3 you should be safe, as I’m unaware of any outstanding security issues, but that’s not saying that there’s a security issue in your Asterisk binary, or something else on your machine.

The bad news is for those people who have PAP2s, ATA486’s or even just standard SIP phones that are visible directly from the internet. They have no access controls, or time controls, and most of them don’t have any intelligence to filter this stuff out. They’re just receiving a call, and waking people up at 3am with a call from John Doe and the users aren’t able to do anything about it. You know, now would be a GREAT time to stick an Asterisk/FreePBX machine in front of it all (or, put a filter in your router to drop anything coming from 82.234.27.188).

I’m pretty excited about this – from a security standpoint, this is a new and exciting type of scanning, and I’m happy to see that the open source stuff (Asterisk, freePBX) is handling it pretty much perfectly, whilst the closed sourced things don’t seem to be handling it anywhere near as well. Another victory for the GPL 8)

Leave a Reply