Ghost Calls / SIP Scanners


This article explains the background of SIP scanning and what to do if you are receiving "Ghost Calls".

 

Ghost Call - Do you see missed calls from what looks like an internal extension (100, 101, 1000, etc.) that you don't remember receiving? Are you alerted for a call but cannot pick it up? Can you pick it up, but no one is on the other end? These are all symptoms of what are commonly referred to as ghost calls. These calls typically occur on home networks utilizing IP phones registered through the internet. Ghost calls can occur at an irregular or a very high frequency, and are always a nuisance. The calls are the result of a variation of the SIP scanning method, which seeks to compromise a VoIP system. Because this is an automated attack with no real person on the other end, you will not hear any audio, which results in a ghost call. These calls go directly from the attacker to your IP phone and do not pass through the Sharpen network.

SIP Scanning - A technique used to find and exploit vulnerabilities in a VoIP network. A SIP scanner scans IP ranges for SIP endpoints such as softswitches, PBXs, or IP phones listening on the standard SIP port, 5060. It does this by sending a SIP message such as an INVITE or OPTIONS to the SIP endpoint. When an IP phone receives an INVITE, it will ring. The SIP scanner then uses the information it has received and attempts to brute-force its way into the registered SIP server by testing sequential account numbers, user names, and passwords. Networks that allow all inbound traffic on SIP port 5060 are most susceptible to these attacks.

Why? - Attackers use this method in the hope of obtaining free access to a VoIP system capable of placing unlimited outbound calls. The attacker then uses this access to commit toll fraud: artificially generating a high volume of international calls on expensive routes, from which the attackers receive revenue.

Prevention - While the attack is frustrating, you can prevent it by isolating the types of SIP traffic you receive. Isolation can occur at your ISP, firewall/router, or phone. The options below depend on your configuration.

If you’re using a Polycom phone, the resolution is simple: turn on the “VOIP Protection” setting under advanced options (Admin>Configuration>Extensions>extension in use).

Otherwise, please proceed with the manual option below.

  1. Identify and block attacker - This method is likely only a short-term fix because the attacker can change their source IP address. However, if you're in a pinch for time and have quick access to block an IP address on your firewall or router, this will get you by.

    1. Use Wireshark or firewall logs to identify unwanted inbound traffic on SIP port 5060.

    2. Block traffic from the identified IP address.

    3. Sharpen's IP ranges are subject to change. If you're troubleshooting an attacker and need to validate which IPs are safe, please reach out to SharpenCare and we can confirm the acceptable IP range to allow.

  2. Block by User-Agent

    • User-Agent identification for calls coming from the Sharpen platform will show as Fathom Voice vX.X.X. The following list shows some of the most common SIP User-Agents used by SIP scanning tools. You can choose to block by User-Agent, or only allow specific User-Agents.

      • sipcli
      • gulp
      • sipvicious
      • sipv
      • sip-scan
      • smap
      • sipsak
      • friendly-request
      • sundayddr
      • VaxIPUserAgent
      • friendly-scanner
      • VaxSIPUserAgent
      • iWarsip
      • siparmyknife
      • CSipSimple
      • Test Agent
      • SIVuS

 

3. Accept traffic from known registrar

  • Each IP phone maintains a registration to one of the many SIP registration points within the Sharpen network. Sharpen's SIP infrastructure is dynamic and redundant, so the registration point cannot be treated as static in a long-term configuration. When a phone boots, it reads the registration server defined in our distributed configuration file and registers to it. Should the registration point change, the file is updated and the phone then registers to the new SIP server. Because of this design, accepting traffic only from a known registration point has to be done dynamically. Polycom and Yealink phones have configuration options that accept traffic only from the SIP server the phone is currently registered to. Follow the instructions below for your respective device.

    • Polycom

      1. Identify the IP address of your Polycom phone (Settings>Status>Network>TCP/IP Parameters)

      2. In a web browser, enter https://x.x.x.x (e.g. https://10.0.5.68) to navigate to the web configuration for the phone

      3. Depending on your browser, you will see a variation of a security warning. Choose to proceed to the web page

      4. Authenticate using Admin as the user, and 6311 as the password

      5. Choose Utilities>Import & Export configuration

      6. Download the requestValidation_digest_INVITE.cfg file to import

      7. Select Choose File and navigate to the downloaded file

      8. Choose Import

      9. Reboot phone

    • Yealink

      1. Identify the IP address of your Yealink phone (Press OK button on the phone from the home screen)

      2. In a web browser, enter https://x.x.x.x (e.g. https://10.0.5.68) to navigate to the web configuration for the phone

      3. Depending on your browser, you will see a variation of a security warning. Choose to proceed to the web page

      4. Authenticate using admin as the user, and admin as the password

      5. Choose the Features tab

      6. Choose General Information

      7. Find the "Accept SIP Trust Server Only" parameter and set to Enabled

      8. Select Confirm

      9. Reboot phone
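
The traffic triage behind options 1 and 2 above (identify the offending source IP, then decide by User-Agent), as an added Python example that is not Sharpen's code. The sample messages, IP addresses and version strings are constructed, and `parse_sip`, `classify`, `block_candidates` and `sip` are hypothetical helper names.

```python
import re
from collections import Counter

# User-Agent substrings from the list in option 2, matched case-insensitively.
SCANNER_AGENTS = ["sipcli", "gulp", "sipvicious", "sipv", "sip-scan", "smap",
                  "sipsak", "friendly-request", "sundayddr", "VaxIPUserAgent",
                  "friendly-scanner", "VaxSIPUserAgent", "iWarsip",
                  "siparmyknife", "CSipSimple", "Test Agent", "SIVuS"]
ALLOWED_PREFIX = "fathom voice"  # Sharpen platform: "Fathom Voice vX.X.X"

def parse_sip(raw):
    """Return (method, headers) for a SIP request; header names lower-cased."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    m = re.match(r"^([A-Z]+) \S+ SIP/2\.0$", lines[0].strip())
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (m.group(1) if m else None), headers

def classify(raw, allow_only=False):
    """'allow' for Sharpen's agent, 'block' for a listed scanner agent;
    anything else is 'unknown', or 'block' in allow-only mode."""
    method, headers = parse_sip(raw)
    agent = headers.get("user-agent", "").lower()
    if method and agent.startswith(ALLOWED_PREFIX):
        return "allow"
    if any(s.lower() in agent for s in SCANNER_AGENTS):
        return "block"
    return "block" if allow_only else "unknown"

def block_candidates(packets, allow_only=False):
    """Count blocked messages per source IP from (src_ip, raw_sip) pairs."""
    return dict(Counter(ip for ip, raw in packets
                        if classify(raw, allow_only) == "block"))

def sip(method, agent):
    """Build a constructed SIP request for the sample below."""
    return (f"{method} sip:100@192.0.2.10 SIP/2.0\r\n"
            f"From: <sip:100@192.0.2.10>\r\nUser-Agent: {agent}\r\n\r\n")

# Constructed sample (documentation-range IPs and made-up versions).
SAMPLE = [("198.51.100.7", sip("INVITE", "friendly-scanner")),
          ("198.51.100.7", sip("OPTIONS", "sipcli/v1.8")),
          ("203.0.113.5", sip("INVITE", "Fathom Voice v1.2.3")),
          ("203.0.113.9", sip("INVITE", "ExamplePhone 2.0"))]
```

Because the sender sets the User-Agent header, `allow_only=True` (accept only Fathom Voice) is the stricter of the two modes.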

 
