16 million failed SIP registrations in 24 hours from 1 host

I recently stood up a Bicom PBXware virtual machine to do some testing. A couple of hours later, with the box sitting idle, I noticed a few thousand SIP registration failures.

Today, I hopped on the box to begin some configuration for my testing environment and noticed the failed SIP registrations now sat at 16 million, or about 185/sec.

Investigating only from the dashboard, I noticed that they were all from the same IP address 167.x.x.255, which is a Digital Ocean IP. If I disable the PBXware Proxy service, it brings the failed SIP registrations to a screeching halt.

Tomorrow I’ll investigate this more. For now, I’ve disabled the PBXware Service from the web administration.
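What the dashboard showed (one source, a sustained ~185 failures/sec, presumably walking through extensions) is the pattern a registration-failure log can flag automatically. The following is an added example, not part of the original post and not PBXware's own log format: it parses constructed, syslog-style failure lines, aggregates them per source address, and flags any source whose sustained rate or spread of distinct usernames looks like an enumeration attempt. The log line layout, the regex, the addresses (TEST-NET ranges) and the thresholds are all assumptions.

```python
"""Flag SIP REGISTER failure sources by rate and username spread.

Added example, not PBXware's own logging or tooling. The log format below
is constructed for the example; adapt LINE to whatever your PBX emits.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source hammers several extensions within two
# seconds, another source fails once (a mistyped password, say).
SAMPLE_LOG = """\
2024-05-01T10:00:00 REGISTER failed from 203.0.113.45 user=1001
2024-05-01T10:00:00 REGISTER failed from 203.0.113.45 user=1002
2024-05-01T10:00:00 REGISTER failed from 203.0.113.45 user=1003
2024-05-01T10:00:01 REGISTER failed from 203.0.113.45 user=1004
2024-05-01T10:00:01 REGISTER failed from 203.0.113.45 user=1005
2024-05-01T10:00:02 REGISTER failed from 203.0.113.45 user=1006
2024-05-01T10:00:05 REGISTER failed from 198.51.100.7 user=200
"""

# Assumed line layout: ISO timestamp, fixed text, source IP, username.
LINE = re.compile(r"^(\S+) REGISTER failed from (\S+) user=(\S+)$")


def failures_by_source(log_text):
    """Aggregate failures per source IP.

    Returns {src_ip: {"count", "first", "last", "users"}} where users is the
    set of distinct usernames that source tried.
    """
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                 "users": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not describe a failure
        ts = datetime.fromisoformat(m.group(1))
        s = stats[m.group(2)]
        s["count"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["users"].add(m.group(3))
    return dict(stats)


def rate_per_second(entry):
    """Failures per second over the span seen for one source.

    A source seen only within one second is treated as a one-second window
    so a single failure does not divide by zero.
    """
    window = (entry["last"] - entry["first"]).total_seconds()
    return entry["count"] / max(window, 1.0)


def flag_sources(stats, rate_threshold=2.0, user_threshold=5):
    """Return sorted source IPs whose behaviour suggests enumeration.

    Either a sustained failure rate above rate_threshold per second or
    failures against user_threshold or more distinct usernames is enough.
    """
    flagged = []
    for ip, entry in stats.items():
        if (rate_per_second(entry) >= rate_threshold
                or len(entry["users"]) >= user_threshold):
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    stats = failures_by_source(SAMPLE_LOG)
    for ip in flag_sources(stats):
        e = stats[ip]
        print(f"{ip}: {e['count']} failures, {len(e['users'])} users, "
              f"{rate_per_second(e):.1f}/s")
```

The rate threshold is deliberately low for the sample; in practice a single source producing hundreds of failures per second, as in the post, is far outside anything a legitimate phone would do, and the flagged address is a candidate for a firewall block or fail2ban-style ban rather than just a dashboard counter.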

Detecting if SIP ALG is enabled on network

To determine whether a network I don’t manage is “SIP aware” (has a SIP ALG in the path), I used the following quick test.

Client Network

LAN:       192.168.1.1/24
WAN:       11.22.33.44
SIP Phone: 192.168.1.60

Remote Network

SIP Server: 4.49.115.30

I configured my phone to use my Linux server at 4.49.115.30 as its SIP server and started a capture on that server using tcpdump.

tcpdump -i ens192 -w sip_alg.pcap

I ran it for a few seconds to capture traffic from my phone.

Packet Showing Network With ALG

If the network is SIP aware (a SIP ALG is in the path), the Contact: header of the REGISTER arriving at the server shows the client network’s public WAN IP (11.22.33.44 here); the Via: header is rewritten to the same address.

REGISTER sip:4.49.115.30:5060 SIP/2.0
Via: SIP/2.0/UDP 11.22.33.44:22501;branch=z9hG4bK738593727
From: "200" <sip:200@4.49.115.30:5060>;tag=738463962
To: "200" <sip:200@4.49.115.30:5060>
Call-ID: 0_738583021@192.168.1.60
CSeq: 1 REGISTER
Contact: <sip:200@11.22.33.44:22501>
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Max-Forwards: 70
User-Agent: Yealink SIP-T33G 124.86.0.40 805e0cxxxxxx
Expires: 3600
Allow-Events: talk,hold,conference,refer,check-sync
Content-Length: 0

Packet Showing Network Without ALG

If the network is not SIP aware (no ALG), the Contact: header shows the phone’s RFC 1918 address on the client’s LAN (192.168.1.60 here), and so does the Via: header.

REGISTER sip:4.49.115.30:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.60:5060;branch=z9hG4bK735305753
From: "200" <sip:702200@4.49.115.30:5060>;tag=735174715
To: "200" <sip:702200@4.49.115.30:5060>
Call-ID: 0_735247007@192.168.1.60
CSeq: 1 REGISTER
Contact: <sip:200@192.168.1.60:5060>
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Max-Forwards: 70
User-Agent: Yealink SIP-T33G 124.86.0.40 805e0cxxxxxx
Expires: 3600
Allow-Events: talk,hold,conference,refer,check-sync
Content-Length: 0
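The two captures above differ only in the addresses carried in Via: and Contact:, so the check can be automated on the server side. The following is an added example, not code from the original post: it parses a SIP REGISTER as text, pulls the host out of the Via: and Contact: headers, and reports whether they carry an RFC 1918 address (no ALG) or a public one (rewritten in transit). The two sample messages are built from the captures in the post; the optional phone_lan_ip check and the report field names are assumptions.

```python
"""Detect SIP ALG rewriting from a captured REGISTER.

Added example, not from the original post. Assumes the phone sits on an
RFC 1918 LAN behind NAT, as in the post's setup: if the server still sees
a public address in Via:/Contact:, something on the path rewrote them.
"""
import ipaddress
import re

# Sample messages built from the two captures in the post (headers not
# needed for the check are omitted). CRLF line endings as on the wire.
REGISTER_WITH_ALG = "\r\n".join([
    "REGISTER sip:4.49.115.30:5060 SIP/2.0",
    "Via: SIP/2.0/UDP 11.22.33.44:22501;branch=z9hG4bK738593727",
    'From: "200" <sip:200@4.49.115.30:5060>;tag=738463962',
    'To: "200" <sip:200@4.49.115.30:5060>',
    "Call-ID: 0_738583021@192.168.1.60",
    "CSeq: 1 REGISTER",
    "Contact: <sip:200@11.22.33.44:22501>",
    "Content-Length: 0",
    "", "",
])
REGISTER_WITHOUT_ALG = "\r\n".join([
    "REGISTER sip:4.49.115.30:5060 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.60:5060;branch=z9hG4bK735305753",
    'From: "200" <sip:702200@4.49.115.30:5060>;tag=735174715',
    'To: "200" <sip:702200@4.49.115.30:5060>',
    "Call-ID: 0_735247007@192.168.1.60",
    "CSeq: 1 REGISTER",
    "Contact: <sip:200@192.168.1.60:5060>",
    "Content-Length: 0",
    "", "",
])

# Host after the transport in "SIP/2.0/UDP host:port;params".
VIA_HOST = re.compile(r"SIP/2\.0/\w+\s+([^\s;:]+)")
# Host in a "sip:user@host:port" or "sip:host" URI (IPv4 / hostnames only).
URI_HOST = re.compile(r"sips?:(?:[^@>\s]*@)?([^:;>\s]+)")


def parse_sip_headers(msg):
    """Return (request_line, {lowercased header name: value}).

    Headers end at the first blank line. Tolerates LF-only input, which is
    what you get when pasting a capture from a terminal.
    """
    lines = msg.splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line separates headers from the (empty) body
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_private(host):
    """True for RFC 1918 / otherwise private literals; False for names."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def alg_report(msg, phone_lan_ip=None):
    """Classify a REGISTER by the addresses the server actually received."""
    _, h = parse_sip_headers(msg)
    via = VIA_HOST.search(h.get("via", ""))
    contact = URI_HOST.search(h.get("contact", ""))
    if via is None or contact is None:
        raise ValueError("REGISTER lacks a parseable Via: or Contact: header")
    report = {
        "via_host": via.group(1),
        "contact_host": contact.group(1),
        "via_private": is_private(via.group(1)),
        "contact_private": is_private(contact.group(1)),
    }
    # Phone is on a private LAN, so any public address here was inserted by
    # an ALG (or by the phone's own NAT-traversal feature, if enabled).
    report["alg_detected"] = not (report["via_private"]
                                  and report["contact_private"])
    if phone_lan_ip is not None:
        report["contact_matches_phone"] = report["contact_host"] == phone_lan_ip
    return report


if __name__ == "__main__":
    for label, msg in (("with ALG", REGISTER_WITH_ALG),
                       ("without ALG", REGISTER_WITHOUT_ALG)):
        print(label, alg_report(msg, phone_lan_ip="192.168.1.60"))
```

One caveat the check cannot resolve on its own: a phone with its own NAT-traversal option turned on (STUN, or a "use public IP" setting) will also put the WAN address into Contact:, so confirm that is off on the handset before blaming the router, and read the check the other way round as well: a private Contact: is what you want when the server handles NAT itself.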

Disable SIP ALG

Here are some ways to disable SIP ALG on various devices I’ve had experience with.

Cisco ASA

ciscoasa> enable
Password:
ciscoasa# config terminal
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect sip