[Spce-user] allowed_clis not working properly

Stefano Rogna Manassero di Costigliole stefanormc at gmail.com
Fri Jul 16 02:48:31 EDT 2021


Hello all,

I need some help to sort this out: we have attacks mainly on Cisco SPAs that seem to use some call redirection weakness changing caller ID:

/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Redirect from UAC to '«00377630547760»:«c.voceblu.it»' intercepted - R=«sip:00377630547760 at c.voceblu.it;transport=udp» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Callee is not local - R=«sip:00377630547760 at c.voceblu.it;transport=udp» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Call to SIP Peering - R=«sip:00377630547760 at c.voceblu.it;transport=udp» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Load gws matching calling part '«sip:0691516096 at c.voceblu.it»' and called user '«00377630547760»' and called part '«sip:00377630547760 at c.voceblu.it;transport=udp»' - R=«sip:00377630547760 at c.voceblu.it;transport=udp» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting acc source-leg for uuid '«d0019f4a-285a-47ee-b7fd-46fcbdd68586»': '«d0019f4a-285a-47ee-b7fd-46fcbdd68586|0122622461|c.voceblu.it|390122622461||2682|321|||<null>|cfb|213.204.31.10|1626364769.807718||||||||||||390122622461||||||8|»' - R=«sip:00377630547760 at 213.204.30.51» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Rewriting acc called party '«00377630547760»' to '«377630547760»' - R=«sip:00377630547760 at 213.204.30.51» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting acc destination-leg for uuid '«0»': '«0|||0|00377630547760|0|00377630547760|213.204.30.51|00377630547760|c.voceblu.it|3||||||||||||377630547760|||»' - R=«sip:00377630547760 at 213.204.30.51» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting caller_cli_userprov/caller_domain_userprov '«0691516096»@«213.204.31.10»' for upn - R=«sip:00377630547760 at 213.204.30.51» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting From to '<«sip:0691516096 at 213.204.31.10»>' - R=«sip:00377630547760 at 213.204.30.51» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting caller_cli_userprov/caller_domain_userprov '«0691516096»@«213.204.31.10»' for upn - R=«sip:00377630547760 at 213.204.30.51» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting PAI to '<«sip:0691516096 at 213.204.31.10»>' - R=«sip:00377630547760 at 213.204.30.51» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Rewriting called party '«00377630547760»' to '«377630547760»' - R=«sip:00377630547760 at 213.204.30.51» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting P-Called-Party-ID '<sip:«377630547760»@«213.204.30.51»>' - R=«sip:377630547760 at 213.204.30.51» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting 'sip:«213.204.30.51»:«5060»' taken from D-URI as next hop after lb for PSTN call - R=«sip:377630547760 at 213.204.30.51» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Appending P-D-URI '«sip:127.0.0.1:5060;received=sip:213.204.30.51:5060%3blr%3btransport%3dudp»' - R=«sip:377630547760 at 213.204.30.51» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Forcing request via B2BUA '«sip:127.0.0.1:5080»' - R=«sip:377630547760 at 213.204.30.51» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Dropping local branch - R=«sip:00377630547760 at c.voceblu.it;transport=udp» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 17:59:29 centrale proxy[1748]: NOTICE: <script>: Request leaving server, M=INVITE fs='«127.0.0.1»:«5062»' du='«127.0.0.1»:«5080»' - R=«sip:00377630547760 at 213.204.30.51» ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 18:00:42 centrale proxy[1737]: NOTICE: <script>: Redirect from UAC to '«00377630547760»:«c.voceblu.it»' intercepted - R=«sip:00377630547760 at c.voceblu.it;transport=udp» ID=«0e15e0000ef5-60f05a47-2b9db9b2-140e3760-10620bdf at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 18:00:42 centrale proxy[1737]: NOTICE: <script>: Callee is not local - R=«sip:00377630547760 at c.voceblu.it;transport=udp» ID=«0e15e0000ef5-60f05a47-2b9db9b2-140e3760-10620bdf at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 18:00:42 centrale proxy[1737]: NOTICE: <script>: Call to SIP Peering - R=«sip:00377630547760 at c.voceblu.it;transport=udp» ID=«0e15e0000ef5-60f05a47-2b9db9b2-140e3760-10620bdf at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 18:00:42 centrale proxy[1737]: NOTICE: <script>: Load gws matching calling part '«sip:0691516096 at c.voceblu.it»' and called user '«00377630547760»' and called part '«sip:00377630547760 at c.voceblu.it;transport=udp»' - R=«sip:00377630547760 at c.voceblu.it;transport=udp» ID=«0e15e0000ef5-60f05a47-2b9db9b2-140e3760-10620bdf at 127.0.0.1» UA='TELES-SBC'
/var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15 18:00:42 centrale proxy[1737]: NOTICE: <script>: Setting acc source-leg for uuid '«d0019f4a-285a-47ee-b7fd-46fcbdd68586»': '«d0019f4a-285a-47ee-b7fd-46fcbdd68586|0122622461|c.voceblu.it|390122622461||2682|321|||<null>|cfb|213.204.31.10|1626364842.837492||||||||||||390122622461||||||8|»' - R=«sip:00377630547760 at 213.204.30.51» ID=«0e15e0000ef5-60f05a47-2b9db9b2-140e3760-10620bdf at 127.0.0.1» UA='TELES-SBC'

Restricting allowed_clis does not seem to solve the problem:

allowed_clis	Allowed CLIs for outbound calls	390122622461

Any suggestion on how to block / solve the problem, please?

Thanks

Stefano
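
Added example, not part of the original post and not Sipwise code: a log triage script that correlates kamailio-proxy lines by Call-ID and reports calls that a UAC redirected and the proxy then routed to a SIP peering, together with the From user the proxy set. It assumes the line format quoted above; the function name, sample lines and numbers are constructed, and the comparison against a set of allowed CLIs is only a reporting aid.

```python
import re
from collections import defaultdict

# In this log format, «» wraps variable values. List archives rewrite "@" as
# " at ", so the patterns below accept either form.
CALL_ID = re.compile(r"ID=«([^»]+)»")
REDIRECT = re.compile(r"Redirect from UAC to '«([^»]+)»:«([^»]+)»' intercepted")
FROM_SET = re.compile(r"Setting From to '<«sip:([^@\s»]+)")

def find_redirected_peering_calls(lines, allowed_clis):
    """Return calls that a UAC redirected and the proxy then sent to a peer."""
    calls = defaultdict(dict)
    for line in lines:
        cid = CALL_ID.search(line)
        if not cid:
            continue
        call = calls[cid.group(1)]          # correlate lines by SIP Call-ID
        if (m := REDIRECT.search(line)):
            call["redirect_to"] = m.group(1)
        if "Call to SIP Peering" in line:
            call["peering"] = True
        if (m := FROM_SET.search(line)):
            call["from_user"] = m.group(1)
    findings = []
    for cid, c in calls.items():
        if "redirect_to" in c and c.get("peering"):
            cli = c.get("from_user")
            findings.append({"call_id": cid, "redirect_to": c["redirect_to"],
                             "from_user": cli, "cli_allowed": cli in allowed_clis})
    return findings

# Constructed sample lines (not taken from the post).
PFX = "Jul 15 17:59:29 host proxy[1]: NOTICE: <script>: "
C1 = " - R=«sip:00990000000001 at sip.example.invalid» ID=«call-1 at 127.0.0.1» UA='X'"
C2 = " - R=«sip:390100000009 at sip.example.invalid» ID=«call-2 at 127.0.0.1» UA='X'"
SAMPLE = [
    PFX + "Redirect from UAC to '«00990000000001»:«sip.example.invalid»' intercepted" + C1,
    PFX + "Call to SIP Peering" + C1,
    PFX + "Setting From to '<«sip:0600000002 at 192.0.2.10»>'" + C1,
    PFX + "Call to SIP Peering" + C2,           # ordinary outbound call, no redirect
    PFX + "Setting From to '<«sip:390100000001 at 192.0.2.10»>'" + C2,
]

if __name__ == "__main__":
    for f in find_redirected_peering_calls(SAMPLE, {"390100000001"}):
        print(f)
```
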
