[Spce-user] allowed_clis not working properly

Marco Capetta mcapetta at sipwise.com
Fri Jul 16 05:09:39 EDT 2021


Hi Stefano,

I think to investigate the problem we need more information about the
call and more verbose logs.

Some suggestions to quickly fix the problem:
 - Disable the call deflection for that subscriber (call_deflection
preference)
 - Provide a more strict NCOS level in order to block all outgoing calls
to certain numbers or countries.

Regards
Marco


On 16/07/21 08:48, [ EXT ] Stefano Rogna Manassero di Costigliole wrote:
> Hello all,
>
> I need some help to sort this out: we have attacks mainly on Cisco
> SPAs that seem to use some call redirection weakness changing caller ID:
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Redirect from UAC to
> '«00377630547760»:«c.voceblu.it»' intercepted -
> R=«sip:00377630547760 at c.voceblu.it;transport=udp»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Callee is not local -
> R=«sip:00377630547760 at c.voceblu.it;transport=udp»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Call to SIP Peering -
> R=«sip:00377630547760 at c.voceblu.it;transport=udp»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Load gws matching
> calling part '«sip:0691516096 at c.voceblu.it»' and called user
> '«00377630547760»' and called part
> '«sip:00377630547760 at c.voceblu.it;transport=udp»' -
> R=«sip:00377630547760 at c.voceblu.it;transport=udp»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting acc
> source-leg for uuid '«d0019f4a-285a-47ee-b7fd-46fcbdd68586»':
> '«d0019f4a-285a-47ee-b7fd-46fcbdd68586|0122622461|c.voceblu.it|390122622461||2682|321|||<null>|cfb|213.204.31.10|1626364769.807718||||||||||||390122622461||||||8|»'
> - R=«sip:00377630547760 at 213.204.30.51»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Rewriting acc called
> party '«00377630547760»' to '«377630547760»' -
> R=«sip:00377630547760 at 213.204.30.51»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting acc
> destination-leg for uuid '«0»':
> '«0|||0|00377630547760|0|00377630547760|213.204.30.51|00377630547760|c.voceblu.it|3||||||||||||377630547760|||»'
> - R=«sip:00377630547760 at 213.204.30.51»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting
> caller_cli_userprov/caller_domain_userprov
> '«0691516096»@«213.204.31.10»' for upn -
> R=«sip:00377630547760 at 213.204.30.51»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting From to
> '<«sip:0691516096 at 213.204.31.10»>' -
> R=«sip:00377630547760 at 213.204.30.51»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting
> caller_cli_userprov/caller_domain_userprov
> '«0691516096»@«213.204.31.10»' for upn -
> R=«sip:00377630547760 at 213.204.30.51»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting PAI to
> '<«sip:0691516096 at 213.204.31.10»>' -
> R=«sip:00377630547760 at 213.204.30.51»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Rewriting called
> party '«00377630547760»' to '«377630547760»' -
> R=«sip:00377630547760 at 213.204.30.51»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting
> P-Called-Party-ID '<sip:«377630547760»@«213.204.30.51»>' -
> R=«sip:377630547760 at 213.204.30.51»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Setting
> 'sip:«213.204.30.51»:«5060»' taken from D-URI as next hop after lb for
> PSTN call - R=«sip:377630547760 at 213.204.30.51»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Appending P-D-URI
> '«sip:127.0.0.1:5060;received=sip:213.204.30.51:5060%3blr%3btransport%3dudp»'
> - R=«sip:377630547760 at 213.204.30.51»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Forcing request via
> B2BUA '«sip:127.0.0.1:5080»' - R=«sip:377630547760 at 213.204.30.51»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Dropping local branch
> - R=«sip:00377630547760 at c.voceblu.it;transport=udp»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 17:59:29 centrale proxy[1748]: NOTICE: <script>: Request leaving
> server, M=INVITE fs='«127.0.0.1»:«5062»' du='«127.0.0.1»:«5080»' -
> R=«sip:00377630547760 at 213.204.30.51»
> ID=«0e15e0000ef5-60f059fe-46c55b62-12e232b0-1062088f at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 18:00:42 centrale proxy[1737]: NOTICE: <script>: Redirect from UAC to
> '«00377630547760»:«c.voceblu.it»' intercepted -
> R=«sip:00377630547760 at c.voceblu.it;transport=udp»
> ID=«0e15e0000ef5-60f05a47-2b9db9b2-140e3760-10620bdf at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 18:00:42 centrale proxy[1737]: NOTICE: <script>: Callee is not local -
> R=«sip:00377630547760 at c.voceblu.it;transport=udp»
> ID=«0e15e0000ef5-60f05a47-2b9db9b2-140e3760-10620bdf at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 18:00:42 centrale proxy[1737]: NOTICE: <script>: Call to SIP Peering -
> R=«sip:00377630547760 at c.voceblu.it;transport=udp»
> ID=«0e15e0000ef5-60f05a47-2b9db9b2-140e3760-10620bdf at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 18:00:42 centrale proxy[1737]: NOTICE: <script>: Load gws matching
> calling part '«sip:0691516096 at c.voceblu.it»' and called user
> '«00377630547760»' and called part
> '«sip:00377630547760 at c.voceblu.it;transport=udp»' -
> R=«sip:00377630547760 at c.voceblu.it;transport=udp»
> ID=«0e15e0000ef5-60f05a47-2b9db9b2-140e3760-10620bdf at 127.0.0.1»
> UA='TELES-SBC'
>
> /var/log/ngcp/kamailio-proxy.log-20210715-1626365821.gz:Jul 15
> 18:00:42 centrale proxy[1737]: NOTICE: <script>: Setting acc
> source-leg for uuid '«d0019f4a-285a-47ee-b7fd-46fcbdd68586»':
> '«d0019f4a-285a-47ee-b7fd-46fcbdd68586|0122622461|c.voceblu.it|390122622461||2682|321|||<null>|cfb|213.204.31.10|1626364842.837492||||||||||||390122622461||||||8|»'
> - R=«sip:00377630547760 at 213.204.30.51»
> ID=«0e15e0000ef5-60f05a47-2b9db9b2-140e3760-10620bdf at 127.0.0.1»
> UA='TELES-SBC'
>
>
> Restricting allowed_clis does not seem to solve the problem
>
> allowed_clis 	Allowed CLIs for outbound calls 	390122622461
>
>
> Any suggestion on how to block / solve the problem, please?
>
> Thanks
>
> Stefano
>
>

-- 
*Marco Capetta *
Head Of VoIP Development Team

Sipwise GmbH <http://www.sipwise.com> , Campus 21/Europaring F15
AT-2345 Brunn am Gebirge

Phone:  +43(0)1 301 2044 <tel:+43130120444>
Email:  mcapetta at sipwise.com <mailto:mcapetta at sipwise.com>
Website:  www.sipwise.com <http://www.sipwise.com>

Particulars according Austrian Companies Code paragraph 14
"Sipwise GmbH" - Europaring F15 - 2345 Brunn am Gebirge
FN:305595f, Commercial Court Vienna, ATU64002206
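
A way to triage the redirect activity shown in the quoted log, as an added example that is not part of the original thread or of Sipwise's code: it groups kamailio-proxy.log lines by Call-ID, extracts each intercepted UAC redirect target and the calling part, and reports international targets that recur. The sample lines, the `0039`/`+39` home prefixes and the threshold are assumptions; the archive prints `@` as " at ", real log lines carry `@`.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kamailio-proxy.log format quoted above
# (numbers, domain and Call-IDs are made up; real lines are not wrapped).
SAMPLE_LOG = """\
Jul 15 17:59:29 host proxy[1748]: NOTICE: <script>: Redirect from UAC to '«00999555000111»:«sip.example.com»' intercepted - R=«sip:00999555000111@sip.example.com» ID=«aaaa-1111@127.0.0.1» UA='TELES-SBC'
Jul 15 17:59:29 host proxy[1748]: NOTICE: <script>: Load gws matching calling part '«sip:0655500001@sip.example.com»' and called user '«00999555000111»' - R=«sip:00999555000111@sip.example.com» ID=«aaaa-1111@127.0.0.1» UA='TELES-SBC'
Jul 15 18:00:42 host proxy[1737]: NOTICE: <script>: Redirect from UAC to '«00999555000111»:«sip.example.com»' intercepted - R=«sip:00999555000111@sip.example.com» ID=«bbbb-2222@127.0.0.1» UA='TELES-SBC'
Jul 15 18:03:10 host proxy[1737]: NOTICE: <script>: Redirect from UAC to '«0039011555000»:«sip.example.com»' intercepted - R=«sip:0039011555000@sip.example.com» ID=«cccc-3333@127.0.0.1» UA='TELES-SBC'
Jul 15 18:05:00 host proxy[1737]: NOTICE: <script>: Callee is not local - R=«sip:0110000000@sip.example.com» ID=«dddd-4444@127.0.0.1» UA='TELES-SBC'
"""

REDIRECT = re.compile(r"Redirect from UAC to '«(?P<user>[^»]*)»:«[^»]*»' intercepted")
CALLING = re.compile(r"calling part '«sip:(?P<cli>[^@»]+)@")
CALL_ID = re.compile(r" ID=«(?P<id>[^»]*)»")

def find_redirects(log_text, home_prefixes=("0039", "+39")):
    """Return {call_id: record} for every call whose UAC redirect was intercepted."""
    calls = defaultdict(dict)
    for line in log_text.splitlines():
        cid = CALL_ID.search(line)
        if not cid:
            continue  # not a per-call script line
        rec = calls[cid.group("id")]
        m = REDIRECT.search(line)
        if m:
            target = m.group("user")
            rec["time"] = line[:15]  # syslog timestamp, e.g. "Jul 15 17:59:29"
            rec["target"] = target
            # International = dialled with 00/+ and not the home country (assumed Italy).
            rec["international"] = (target.startswith(("00", "+"))
                                    and not target.startswith(home_prefixes))
        m = CALLING.search(line)
        if m:
            rec["calling"] = m.group("cli")
    return {cid: r for cid, r in calls.items() if "target" in r}

def repeated_targets(redirects, threshold=2):
    """Count international redirect targets seen in at least `threshold` calls."""
    counts = defaultdict(int)
    for rec in redirects.values():
        if rec["international"]:
            counts[rec["target"]] += 1
    return {t: n for t, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = find_redirects(SAMPLE_LOG)
    print(found, repeated_targets(found), sep="\n")
```
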
