
They are not overlapping. The attacker finally bit just a bit ago. I was only running tcpdump on port 5060 on the Edgemarc, but I captured the SIP traffic for what the attacker is doing. I wish I had set up more. I blocked international via an auth code right now...

x.x.139.225 = WAN ethernet port of the Edgemarc.

I am going through this now and if anyone can help I would greatly appreciate it. I need to find out why this is happening.

----------------------- ----------------------- -----------------------
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:18:48.788559 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:18:52.786472 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:18:56.794955 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:00.899198 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:04.809371 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:08.831073 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:12.827515 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:16.827669 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001 at 176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:23:19.307756 176.58.68.20.10189 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
BYE sip:14734050085 at x.x.139.225:5060 SIP/2.0
To: <sip:14734050085 at x.x.139.225>;tag=6516fea2
From: <sip:1001 at x.x.139.225>;tag=214bbc47
Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport
Call-ID: 346c8a3823657575
CSeq: 2 BYE
Route: <sip:14734050085 at x.x.139.225;lr>
Contact: <sip:1001 at 176.58.68.20:10189>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE,
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:23:19.370269 x.x.139.225.5060 > 176.58.68.20.10189:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
SIP/2.0 200 OK
Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport=5060
Record-Route: <sip:14734050085 at x.x.139.225;lr>
From: <sip:1001 at x.x.139.225>;tag=214bbc47
To: <sip:14734050085 at x.x.139.225>;tag=6516fea2
Call-ID: 346c8a3823657575
CSeq: 2 BYE
Contact: <sip:14734050085 at x.x.139.225:5060>
User-agent: fxo/1.0
Content-Length: 0
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<< [tos 0xb8]

19:23:31.365141 176.58.68.20.10189 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
INVITE sip:14734050088 at x.x.139.225 SIP/2.0
To: <sip:14734050088 at x.x.139.225>
From: <sip:1001 at x.x.139.225>;tag=d909f80a
Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport
Call-ID: 2b6a574f323db602
CSeq: 1 INVITE
Contact: <sip:1001 at 176.58.68.20:10189>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: eyeBeam
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:23:31.417251 x.x.139.225.5060 > 176.58.68.20.10189:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
From: <sip:1001 at x.x.139.225>;tag=d909f80a
To: <sip:14734050088 at x.x.139.225>;tag=51a346d4
Call-ID: 2b6a574f323db602
CSeq: 1 INVITE
User-agent: fxo/1.0
Content-Length: 0
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<< [tos 0xb8]

19:23:36.793012 x.x.139.225.5060 > 176.58.68.20.10189:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
Record-Route: <sip:14734050088 at x.x.139.225;lr>
From: <sip:1001 at x.x.139.225>;tag=d909f80a
To: <sip:14734050088 at x.x.139.225>;tag=51a346d4
Call-ID: 2b6a574f323db602
CSeq: 1 INVITE
Contact: <sip:14734050088 at x.x.139.225:5060>
User-agent: fxo/1.0
Content-Length: 0
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<< [tos 0xb8]

19:23:36.833967 x.x.139.225.5060 > 176.58.68.20.10189:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
SIP/2.0 200 OK
Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060
Record-Route: <sip:14734050088 at x.x.139.225;lr>
From: <sip:1001 at x.x.139.225>;tag=d909f80a
To: <sip:14734050088 at x.x.139.225>;tag=51a346d4
Call-ID: 2b6a574f323db602
CSeq: 1 INVITE
Contact: <sip:14734050088 at x.x.139.225:5060>
User-agent: fxo/1.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE
Content-Type: application/sdp
Content-Leng
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<< [tos 0xb8]

19:23:37.060875 176.58.68.20.10189 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
ACK sip:14734050088 at x.x.139.225:5060 SIP/2.0
To: <sip:14734050088 at x.x.139.225>;tag=51a346d4
From: <sip:1001 at x.x.139.225>;tag=d909f80a
Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-154025872-1--d87543-;rport
Call-ID: 2b6a574f323db602
CSeq: 1 ACK
Route: <sip:14734050088 at x.x.139.225;lr>
Contact: <sip:1001 at 176.58.68.20:10189>
Max-Forwards: 70
User-Agent: eyeBeam release 3007n stamp 17816
Content-Length: 0
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
--------------- -------------- ------------

On Fri, 1 Nov 2013, Jay Hennigan wrote:

> On 11/1/13 12:04 PM, Matt Yaklin wrote:
>
>> Approx 60-70 calls.
>
> If more than one overlapping you can rule out the physical FXO port.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV

_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops
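
A triage check for a capture like the one in this message, added here as an example and not part of the original thread: it groups SIP packets by Call-ID and reports INVITE transactions that the gateway answered with 200 OK without ever sending a 401 or 407 challenge. The sample capture, its documentation-range addresses and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump layout of the capture above; documentation
# addresses only, 203.0.113.10 stands in for the gateway's WAN address.
SAMPLE = """\
19:23:31.365141 198.51.100.7.10189 > 203.0.113.10.5060:
INVITE sip:15550100@203.0.113.10 SIP/2.0
Call-ID: aaa111
CSeq: 1 INVITE

19:23:36.833967 203.0.113.10.5060 > 198.51.100.7.10189:
SIP/2.0 200 OK
Call-ID: aaa111
CSeq: 1 INVITE

19:24:02.000000 198.51.100.9.5060 > 203.0.113.10.5060:
INVITE sip:15550101@203.0.113.10 SIP/2.0
Call-ID: bbb222
CSeq: 1 INVITE

19:24:02.050000 203.0.113.10.5060 > 198.51.100.9.5060:
SIP/2.0 407 Proxy Authentication Required
Call-ID: bbb222
CSeq: 1 INVITE
"""

# tcpdump packet line: "<time> <src-ip>.<port> > <dst-ip>.<port>:"
PKT = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (\S+)\.\d+ > \S+:\s*$", re.M)

def unchallenged_invites(capture, gateway):
    """Map Call-ID -> (source IP, dialled user) for INVITEs that the gateway
    answered 200 OK without sending a 401/407 challenge on that Call-ID."""
    calls = defaultdict(lambda: {"src": None, "target": None, "codes": set()})
    parts = PKT.split(capture)[1:]  # [src, body, src, body, ...]
    for src, body in zip(parts[0::2], parts[1::2]):
        cid = re.search(r"^Call-ID:\s*(\S+)", body, re.M | re.I)
        cseq = re.search(r"^CSeq:\s*\d+\s+(\w+)", body, re.M | re.I)
        if not cid or not cseq or cseq.group(1).upper() != "INVITE":
            continue  # only INVITE transactions matter here
        call = calls[cid.group(1)]
        req = re.search(r"^INVITE\s+sip:([^@\s]+)", body, re.M)
        resp = re.search(r"^SIP/2\.0 (\d{3})", body, re.M)
        if req and src != gateway:
            call["src"], call["target"] = src, req.group(1)
        elif resp and src == gateway:
            call["codes"].add(int(resp.group(1)))
    return {cid: (c["src"], c["target"]) for cid, c in calls.items()
            if c["src"] and 200 in c["codes"] and not c["codes"] & {401, 407}}
```

The check keys on the gateway's responses rather than on an Authorization header in the request, because a capture taken with a short snap length cuts the headers off (as with the `Cont` and `Content-Leng` fragments above), so the absence of that header in the dump proves nothing.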