News items for tag voip - Koos van den Hout

I guess some kind of bug in the sipscanner at 193.55.30.2 got triggered by my firewalling the IP so asterisk does not 'see' the traffic. The incoming traffic is now up to 70 kilobyte/second. It is all ignored, but that is still a fair chunk of incoming bandwidth being eaten.
Update 2010-05-24 I let asterisk answer the requests for a few packets which slowed down the incoming traffic again to something reasonable. And this morning the traffic was gone which suggests somebody read my report to the security contact.

Just got in and noticed that the adsl link was particularly s-l-o-w. A tcpdump showed that there was a SIP brute-force attack going on, and with the wondershaper settings this was filling the ADSL upstream to the maximum. In the asterisk logs:

[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"607589258"<sip:607589258@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"2737039014"<sip:2737039014@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"hello"<sip:hello@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"ranger"<sip:ranger@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"shadow"<sip:shadow@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"baseball"<sip:baseball@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"donald"<sip:donald@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"harley"<sip:harley@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"hockey"<sip:hockey@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"letmein"<sip:letmein@82.95.196.202>' failed for '193.55.30.2' - No matching peer found

[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@82.95.196.202>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@82.95.196.202>' failed for '193.55.30.2' - No matching peer found

For a total of 284970 attempts. Then I updated the firewall to block this. And send out an abuse report to the ISP.

With tshark the attacks look like:

Session Initiation Protocol
    Request-Line: REGISTER sip:82.95.196.202 SIP/2.0
        Method: REGISTER
        [Resent Packet: False]
    Message Header
        Via: SIP/2.0/UDP 127.0.0.1:5091;branch=z9hG4bK-1064873464;rport
            Transport: UDP
            Sent-by Address: 127.0.0.1
            Sent-by port: 5091
            Branch: z9hG4bK-1064873464
            RPort: rport
        Content-Length: 0
        From: "instruct" <sip:instruct@82.95.196.202>
            SIP Display info: "instruct" 
            SIP from address: sip:instruct@82.95.196.202
        Accept: application/sdp
        User-Agent: friendly-scanner
        To: "instruct" <sip:instruct@82.95.196.202>
            SIP Display info: "instruct" 
            SIP to address: sip:instruct@82.95.196.202
        Contact: sip:123@1.1.1.1
            Contact Binding: sip:123@1.1.1.1
                URI: sip:123@1.1.1.1\r
                    SIP contact address: sip:123@1.1.1.1\r
        CSeq: 1 REGISTER
            Sequence Number: 1
            Method: REGISTER
        Call-ID: 3859238695
        Max-Forwards: 70

Lots of SIP attacks lately (stuff which goes on even when I'm more interested in IPv6). First near-standard SIP registration attacks from Amazon EC2, also seen by one of my asterisk installs:

[Apr 10 16:40:30] NOTICE[6890] chan_sip.c: Registration from '"02"<sip:02@xxx.xxx.xxx.xxx>' failed for '184.73.12.46' - No matching peer found
[Apr 10 16:40:30] NOTICE[6890] chan_sip.c: Registration from '"03"<sip:03@xxx.xxx.xxx.xxx>' failed for '184.73.12.46' - No matching peer found

My system wasn't the only one attacked, I saw reports everywhere, including: Amazon EC2 SIP Brute Force Attacks on Rise - VoIP Tech Chat , Amazon EC2 Flood Attacks from the Cloud - VoIP Users Conference, SIP Attacks From Amazon EC2 Going Unaddressed - SlashDot IT and SIP Brute Force Attack Originating From Amazon EC2 Hosts - Stuart Sheldon.
I changed /etc/asterisk/sip.conf to include alwaysauthreject = yes which makes SIP account enumeration impossible: the attacker can't see the difference between 'account does not exist' or 'password not valid'. This violates the SIP rfc but makes attacks a lot harder.
A lot of the articles above give one answer: Amazon EC2 network abuse does not care. Which immediately degrades the 'standing' of their network. You don't care about attacks originating from your network means lots of people won't care about anything originating from your network.

The asterisk setup with bristuff-patched zap and the qozap driver failed bigtime: a call to the internal phone failed and diverted to voicemail within 2 seconds. Back to a working mISDN version. But I can't unload the mISDN drivers correctly so it took a few reboots to get things right again.

Outgoing calls without echo are nice, but I also need incoming calls to work. According to the kernel messages I should have working echo cancellation:

[  132.157748] mISDN_dsp: Audio DSP  Rev. 1.29 (debug=0x0) EchoCancellor MG2 dtmfthreshold(100)
[  132.157753] mISDN_dsp: DSP clocks every 80 samples. This equals 1 jiffies.

Time to start testing stuff on a testserver so I don't have to reboot the home server greenblatt so often.

One good effect from the change in isdn driver: telephony sounds a lot better. This is probably because zaptel automatically enables echo cancelling:

Sep 11 20:34:38 greenblatt kernel: [ 2954.439478] Zapata Telephony Interface Registered on major 196
Sep 11 20:34:38 greenblatt kernel: [ 2954.439483] Zaptel Version: 1.4.10
Sep 11 20:34:38 greenblatt kernel: [ 2954.439484] Zaptel Echo Canceller: MG2

Today I decided to put some time in trying to use a different driver for using the openvox B200P card in the ubuntu installed asterisk in home server greenblatt. mISDN has a few stability issues in this setup (ubuntu 8.04 LTS amd64, asterisk 1.4.17 from ubuntu source recompiled for misdn support) where I can't unload the driver (instant kernel warning message and module system wedged) and sometimes after a long while the internal channel got confused and rejected calls, needing a restart of Asterisk.
So I tried the other route: the qozap driver with bristuff patches which comes with ubuntu as package zaptel-source. Configuring this driver was a bit of a puzzle. Step one: don't load ztdummy because that will confuse the channel ordering. TE / NT choice is done by the module parameter ports for the module, the bitmapped value of the TE / NT configuration. In my case I created /etc/modprobe.d/zaptel with:

 
options qozap ports=2

So the second port is switched to NT mode, which matches the jumper setup. The working samples are documented at ZaptelBRI - voip-info.org.
The qozap driver sort of works on the TE side (the side facing the phone company). Diving deeper into docs from openvox showed that the openvox cards need a slightly changed qozap driver source from http://downloads.openvox.cn/pub/drivers/bristuff/patches/. It helps to find that the version of bristuffed in Ubuntu 8.04 is probably 0.4.0.
The current state is working up to a level: I can dial numbers from the internal isdn phone to the external isdn line and I can accept calls, but trying to get dialtone from asterisk results in:

    -- Extension 's' in context 'internte' from 'xxxxxxx' does not exist.  Rejecting call on channel 0/2, span 2

which looks like the problem mentioned in Re: [Asterisk-Users] zaphfc problem: overlapdial don't work after update bristuff but that change (and a complete recompile of my asterisk package) did not do the work. Browsing the source of chan_zap shows a lot of places where it can decide to switch to 's'.

What do you get when documentation for Polycom SoundPoint IP phones suggests.. and suggests again and again you should set up an ftp account PlcmSpIp with password PlcmSpIp? Well, what do you expect other than:

Sep  1 13:12:44 greenblatt sshd[24658]: Invalid user PlcmSpIp from 202.39.75.16
Sep  1 13:12:47 greenblatt sshd[24661]: Invalid user PlcmSpIp from 220.132.192.198
Sep  1 13:12:50 greenblatt sshd[24753]: Invalid user PlcmSpIp from 220.132.192.220
Sep  1 13:12:52 greenblatt sshd[24823]: Invalid user PlcmSpIp from 202.39.75.16
Sep  1 13:12:55 greenblatt sshd[24827]: Invalid user PlcmSpIp from 202.39.75.16
Sep  1 13:12:57 greenblatt sshd[24832]: Invalid user PlcmSpIp from 220.132.192.198
Sep  1 13:13:00 greenblatt sshd[24834]: Invalid user PlcmSpIp from 220.132.192.220
Sep  1 13:13:02 greenblatt sshd[24839]: Invalid user PlcmSpIp from 220.132.192.198
Sep  1 13:13:05 greenblatt sshd[24863]: Invalid user PlcmSpIp from 202.39.75.16
Sep  1 13:13:08 greenblatt sshd[24866]: Invalid user PlcmSpIp from 220.132.192.198

I rather have phones use tftp on a local network and/or http when chances are the setup will be remote.
Update 2009-09-02: And what do I find from someone who has actually configured this for provisioning his phones: Security issue related with PlcmSpIp someone who reports an actual visit on the PlcmSpIp account.

Met de correcte frequenties voor de eerste en tweede kiestoon heb ik nu een Asterisk simulator Nederlandse telefooncentrale (voor 1995) geschreven. Dat heeft me wat over de beperkingen van Asterisk en vooral de functie WaitExten geleerd. Maar hij doet het!

After finding out the hopefully correct frequency for the old Dutch first and second dialtone in the Netherlands I tried to implement a simulator for making calls in the style of an old Dutch phone exchange (although I can't simulate the clicks and background noises.. yet). This made some downsides of the Asterisk extensions.conf 'programming' language show. But, after some grumbling and testing and testing I think I found the right way.

De tweede kiestoon is gevonden! Dankzij het museum voor communicatie en een vrijwilliger daar.

De eerste kiestoon bestond vroeger uit een combinatie van 150 Hz en 450 Hz.
De 2e kiestoon was 450 Hz bij electromechanische systemen en 425 Hz bij computerbestuurde centrales.
Bij het vervallen van de tweede kiestoon op 10-10-1995 bestonden geen electromechanische centrales meer en is de frequentie van de tweede kiestoon gebruikt voor de kiestoon.

Dus als ik dat wil nabouwen in Asterisk krijg ik iets in indications.conf als:

[nl-old]
description = Netherlands before 10-10-1995
ringcadence = 1000,4000
dial = 150+450
; second dial tone after area code
seconddial = 450
busy = 450/500,0/500
ring = 450/1000,0/4000
congestion = 450/250,0/250
info = 950/330,1400/330,1800/330,0/1000
stutter = 450/500,0/50

en moet ik Playtones(seconddial) gebruiken.
Update : En nu heb ik 2 andere meningen dat de eerste kiestoon alleen 150 Hz was.

In het kader van het Collectors*Net spelen met oude telefoons vroeg ik me af: wat was de toonhoogte van de oude 2e kiestoon in Nederland (die je ooit kreeg na het draaien van het netnummer). Weet iemand nog wat de frequentie was van die 2e kiestoon? Het wikipedia artikel over telefoontonen geeft wel een plaatje van een toon maar aangezien de gewone kiestoon daar weergegeven wordt als een 440 Hz (A) terwijl het 425 Hz is denk ik niet dat de frequentie van die E correct is.
Update 2009-05-29: Gevonden! De correcte eerste en tweede kiestoon

I did it: we now use Asterisk as home 'pbx'. I bought an OpenVox dual ISDN card via Novavox. Great company, Novavox: when it would take about a week to deliver the card they got in touch to make sure I could wait that long.

The choice for dual ISDN was because I still want to keep the outside line via KPN isdn: we are also using budgetphone but it was quite easy to find a phone number that was unreachable via budgetphone but reachable via KPN. And I want to keep using an ISDN set. So one port of the isdn card is configured as 'TE' card (terminal equipment) connected to KPN and one is configured as 'NT' card (network terminator) connected to the ISDN set. Asterisk does all the heavy lifting: outgoing call routing depending on number called and time of day. Incoming call routing, reacting to callerid and advanced answering machine.

I was looking for scriptable ways to download the call records from a fritz!box. It took some hacking, but I found it, just go to http://fritz.box/cgi-bin/webcm?getpage=../html/de/FRITZ!Box_Anrufliste.csv for the list in a usable .csv format. Works for the 5012 and 7170.

I got interested in the Collectors' Net, a network of people interested in old telephone equipment, who at one time got the idea of hooking them together using asterisk and voip links. I don't have any old telephone equipment to make available to the C*net members, but I do have some Asterisk projects for them to enjoy. So, I signed up and programmed my asterisk to route calls to the 0149- area code (A reserved area code in the Netherlands) out via C*Net after some massaging (C*Net uses enum to link the asterisk servers directly).

I'm in Paris at the Alcatel-Lucent Enterprise Forum. Lots of presentations about the future of IP telephony, how to save money with IP telephony in the current financial climate and lots of future visions involving UC (Unified Communications). Even realistic ones where people want to look at the organization first before deciding wheather UC is a good idea to spend money on.
Last year I was at the 2008 edition and an analyst told that TDM (digital intracompany telephony) had no future left. This year it isn't even mentioned anymore. IP telephony is the future and there is a move from proprietary protocols to SIP. One standard, pick the SIP PBX that does best what you want and pick the SIP phones that do what you want. For standard features (calling and being called) any standard SIP phone is good enough.
The conference center has wireless network for the forum guests with limited access: only port 80 and 443 seem to work. Good thing xs4all runs sshd on port 80 on the shell servers so I can still get somewhere and use my screens. My tip now for Internet access for road-warriors: bring a 2 meter UTP cable too. Wifi may be everywhere, but our hotel (Hotel California in Paris, makes me wonder how hard it will be to leave) offers free Internet access when you bring your own utp cable.

After the attack I saw on an asterisk server which was most likely scanning for valid user accounts to use in international dialing I am wondering if I can 'play' with users who try to abuse an asterisk setup.

For the hcc!pc gg netwerkgroep demo asterisk I scripted a sort of teaser for users trying to dial abroad:

[internationaltrick]
; not really dial an international number: play an interesting 'wrong number'

exten => _00XXXXXXXXXX.,1,Wait(5)
exten => _00XXXXXXXXXX.,n,Goto(wrongnumber,s,1)

The delay is to add confusion to how many digits it accepts (although someone using 'early dialing' could see when asterisk reports back it has seen enough digits). What the wrongnumber routine does is play a random 'wrong number' recording taken from Telephone world - International sounds & recordings so someone who tries this who is actually listening to call progress might think he is on to something and spend hours trying to find the right way.

Ok, the imap storage for asterisk voicemail works like the proverbial charm. I needed some work on the home dialplan and setup before I could test it, but I was able to leave a message to the home mailbox, seeing it stored in the voicemail imap box and retrieve and delete it using a telephone connected to the ISDN port accessing the VoicemailMain application. The access number for voicemail is now set to 0140-1233 to (sort of) stay in line with the Dutch numbering plan. There is no customer-service at 0140-1200 planned...

Inkomende gesprekken werken nu ook vanaf Budget Phone. Daarvoor was wel een beetje botte aanpak nodig: alles voor 5060/udp forwarden naar de fritz!box. Budgetphone heeft namenlijk 3 sip servers op verschillende lokaties:

koos@gosper:~$ host -t srv _sip._udp.budgetphone.nl
_sip._udp.budgetphone.nl SRV 0 0 5060 proxy.sipthor.net.
koos@gosper:~$ host -t a proxy.sipthor.net
proxy.sipthor.net has address 81.23.228.129
proxy.sipthor.net has address 85.17.186.7
proxy.sipthor.net has address 81.23.228.150

en een binnenkomend telefoongesprek kan van elk van de 3 servers komen, dus niet alleen van degene waar de SIP registratie was. Dus mijn firewall had zoiets van 'die ken ik niet' als de registratie naar een andere server gedaan was en negeerde de packets. Workaround: alle verkeer voor 5060/udp dan maar naar de fritz!box. Als ik dat zo zie is een asterisk op de routerPC die alles doorstuurt naar een fritz!box, een isdn kaart in NT-mode (zodat ik er een isdn toestel aan kan hangen) of een voip toestel aan de binnenkant op den duur toch handiger. Dan werken ook dialing rules voor regionale nummers en andere korte nummers bijvoorbeeld beter. Nummers als 112 en 18xx gaan nu nog via het vaste net (en ontlopen daarmee de vertaal-regel die er 030 voor zet) en het saldo-controle nummer van budgetphone (444) werkt nog uberhaupt niet.
Waarmee ik weer terug ben op de verbazing dat SIP+NAT uberhaupt werkt.

Ik heb een Budget Phone telefoonnummer en prepaid account aangevraagd om eens te proberen of dat een geschikte aanbieder is om onze telefonie naar toe over te zetten. Hun uitleg over installatie op de fritz!box is wat karig en we gebruiken (nog) een redelijk achterhaald model: de fritz!box 5012. We vinden het wel handig als lokale nummers in Utrecht zonder netnummer 030 gebeld kunnen worden dus was het even zoeken naar de juiste instellingen: vinkje 'Ortskennzahl verwenden' aan, bij 'Geben Sie hier Ihre Ortskennzahl ein' 30, bij 'Geben Sie hier Ihren Ortskennzahl-Prefix ein' 0 en vinkje 'Ortskennzahl-Prefix beibehalten' aan. Internationaal zoek ik een keer uit als ik daar noodzaak toe heb.

Ik heb wat gespeeld met guest SIP toegang tot een paar van de Asterisk demo projecten aan de hand van de uitleg in blyon.com: sip p2p dialing. Via SIP urls zoals sip:belspel@idefix.net is bijvoorbeeld het Asterisk belspel te bereiken zonder telefoonkosten. Werkt alleen met clients die SRV records voor SIP snappen.