
I think you are on the right track. I was reading the manual just now trying to figure out how or where 1001 comes from. Perhaps that does not even matter. You could make up anything. I am just not seeing how I tell this edgemarc box to stop allowing it yet short of using a firewall feature that this box does not have like the newest 13.x firmware does. Maybe it is hidden or people used the pass through rule set.

matt

On Fri, 1 Nov 2013, Paul Timmins wrote:
Have you tried tossing an unauthenticated call at the edgemarc from outside using a from address of 1001 at edgemarcip? Looks like that's what this guy is doing. You're ignoring his registers but you may be allowing invites from an unregistered device.

On Fri, 11/01/2013 03:33 PM, Matt Yaklin <myaklin at g4.net> wrote:

They are not overlapping.
The attacker finally bit just a bit ago. I only was running tcpdump on port 5060 on the edgemarc but I captured the SIP traffic for what the attacker is doing. I wish I had set up more.
I blocked international via an auth code right now...
x.x.139.225 = WAN ethernet port of the Edgemarc.
I am going through this now and if anyone can help I would greatly appreciate it. I need to find out why this is happening.
----------------------- ----------------------- ----------------------- Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO User-Agent: eyeBeam release 3007n stamp 17816 Cont <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
19:18:48.788559 176.58.68.20.10181 > x.x.139.225.5060: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> REGISTER sip:x.x.139.225 SIP/2.0 To: <sip:1001 at x.x.139.225> From: <sip:1001 at x.x.139.225>;tag=e26e273f Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport Call-ID: b161d8122d506908 CSeq: 1 REGISTER Contact: <sip:1001 at 176.58.68.20:10181> Expires: 3600 Max-Forwards: 70 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO User-Agent: eyeBeam release 3007n stamp 17816 Cont <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
19:18:52.786472 176.58.68.20.10181 > x.x.139.225.5060: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> REGISTER sip:x.x.139.225 SIP/2.0 To: <sip:1001 at x.x.139.225> From: <sip:1001 at x.x.139.225>;tag=e26e273f Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport Call-ID: b161d8122d506908 CSeq: 1 REGISTER Contact: <sip:1001 at 176.58.68.20:10181> Expires: 3600 Max-Forwards: 70 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO User-Agent: eyeBeam release 3007n stamp 17816 Cont <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
19:18:56.794955 176.58.68.20.10181 > x.x.139.225.5060: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> REGISTER sip:x.x.139.225 SIP/2.0 To: <sip:1001 at x.x.139.225> From: <sip:1001 at x.x.139.225>;tag=e26e273f Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport Call-ID: b161d8122d506908 CSeq: 1 REGISTER Contact: <sip:1001 at 176.58.68.20:10181> Expires: 3600 Max-Forwards: 70 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO User-Agent: eyeBeam release 3007n stamp 17816 Cont <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
19:19:00.899198 176.58.68.20.10181 > x.x.139.225.5060: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> REGISTER sip:x.x.139.225 SIP/2.0 To: <sip:1001 at x.x.139.225> From: <sip:1001 at x.x.139.225>;tag=e26e273f Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport Call-ID: b161d8122d506908 CSeq: 1 REGISTER Contact: <sip:1001 at 176.58.68.20:10181> Expires: 3600 Max-Forwards: 70 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO User-Agent: eyeBeam release 3007n stamp 17816 Cont <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
19:19:04.809371 176.58.68.20.10181 > x.x.139.225.5060: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> REGISTER sip:x.x.139.225 SIP/2.0 To: <sip:1001 at x.x.139.225> From: <sip:1001 at x.x.139.225>;tag=e26e273f Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport Call-ID: b161d8122d506908 CSeq: 1 REGISTER Contact: <sip:1001 at 176.58.68.20:10181> Expires: 3600 Max-Forwards: 70 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO User-Agent: eyeBeam release 3007n stamp 17816 Cont <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
19:19:08.831073 176.58.68.20.10181 > x.x.139.225.5060: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> REGISTER sip:x.x.139.225 SIP/2.0 To: <sip:1001 at x.x.139.225> From: <sip:1001 at x.x.139.225>;tag=e26e273f Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport Call-ID: b161d8122d506908 CSeq: 1 REGISTER Contact: <sip:1001 at 176.58.68.20:10181> Expires: 3600 Max-Forwards: 70 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO User-Agent: eyeBeam release 3007n stamp 17816 Cont <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
19:19:12.827515 176.58.68.20.10181 > x.x.139.225.5060: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> REGISTER sip:x.x.139.225 SIP/2.0 To: <sip:1001 at x.x.139.225> From: <sip:1001 at x.x.139.225>;tag=e26e273f Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport Call-ID: b161d8122d506908 CSeq: 1 REGISTER Contact: <sip:1001 at 176.58.68.20:10181> Expires: 3600 Max-Forwards: 70 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO User-Agent: eyeBeam release 3007n stamp 17816 Cont <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
19:19:16.827669 176.58.68.20.10181 > x.x.139.225.5060: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> REGISTER sip:x.x.139.225 SIP/2.0 To: <sip:1001 at x.x.139.225> From: <sip:1001 at x.x.139.225>;tag=e26e273f Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport Call-ID: b161d8122d506908 CSeq: 1 REGISTER Contact: <sip:1001 at 176.58.68.20:10181> Expires: 3600 Max-Forwards: 70 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO User-Agent: eyeBeam release 3007n stamp 17816 Cont <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
19:23:19.307756 176.58.68.20.10189 > x.x.139.225.5060: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> BYE sip:14734050085 at x.x.139.225:5060 SIP/2.0 To: <sip:14734050085 at x.x.139.225>;tag=6516fea2 From: <sip:1001 at x.x.139.225>;tag=214bbc47 Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport Call-ID: 346c8a3823657575 CSeq: 2 BYE Route: <sip:14734050085 at x.x.139.225;lr> Contact: <sip:1001 at 176.58.68.20:10189> Max-Forwards: 70 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
19:23:19.370269 x.x.139.225.5060 > 176.58.68.20.10189: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> SIP/2.0 200 OK Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport=5060 Record-Route: <sip:14734050085 at x.x.139.225;lr> From: <sip:1001 at x.x.139.225>;tag=214bbc47 To: <sip:14734050085 at x.x.139.225>;tag=6516fea2 Call-ID: 346c8a3823657575 CSeq: 2 BYE Contact: <sip:14734050085 at x.x.139.225:5060> User-agent: fxo/1.0 Content-Length: 0 <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<< [tos 0xb8]
19:23:31.365141 176.58.68.20.10189 > x.x.139.225.5060: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> INVITE sip:14734050088 at x.x.139.225 SIP/2.0 To: <sip:14734050088 at x.x.139.225> From: <sip:1001 at x.x.139.225>;tag=d909f80a Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport Call-ID: 2b6a574f323db602 CSeq: 1 INVITE Contact: <sip:1001 at 176.58.68.20:10189> Max-Forwards: 70 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO Content-Type: application/sdp User-Agent: eyeBeam <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
19:23:31.417251 x.x.139.225.5060 > 176.58.68.20.10189: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> SIP/2.0 100 Trying Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060 From: <sip:1001 at x.x.139.225>;tag=d909f80a To: <sip:14734050088 at x.x.139.225>;tag=51a346d4 Call-ID: 2b6a574f323db602 CSeq: 1 INVITE User-agent: fxo/1.0 Content-Length: 0 <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<< [tos 0xb8]
19:23:36.793012 x.x.139.225.5060 > 176.58.68.20.10189: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> SIP/2.0 180 Ringing Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060 Record-Route: <sip:14734050088 at x.x.139.225;lr> From: <sip:1001 at x.x.139.225>;tag=d909f80a To: <sip:14734050088 at x.x.139.225>;tag=51a346d4 Call-ID: 2b6a574f323db602 CSeq: 1 INVITE Contact: <sip:14734050088 at x.x.139.225:5060> User-agent: fxo/1.0 Content-Length: 0 <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<< [tos 0xb8]
19:23:36.833967 x.x.139.225.5060 > 176.58.68.20.10189: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> SIP/2.0 200 OK Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060 Record-Route: <sip:14734050088 at x.x.139.225;lr> From: <sip:1001 at x.x.139.225>;tag=d909f80a To: <sip:14734050088 at x.x.139.225>;tag=51a346d4 Call-ID: 2b6a574f323db602 CSeq: 1 INVITE Contact: <sip:14734050088 at x.x.139.225:5060> User-agent: fxo/1.0 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE Content-Type: application/sdp Content-Leng <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<< [tos 0xb8]
19:23:37.060875 176.58.68.20.10189 > x.x.139.225.5060: >>>>>>>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> ACK sip:14734050088 at x.x.139.225:5060 SIP/2.0 To: <sip:14734050088 at x.x.139.225>;tag=51a346d4 From: <sip:1001 at x.x.139.225>;tag=d909f80a Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-154025872-1--d87543-;rport Call-ID: 2b6a574f323db602 CSeq: 1 ACK Route: <sip:14734050088 at x.x.139.225;lr> Contact: <sip:1001 at 176.58.68.20:10189> Max-Forwards: 70 User-Agent: eyeBeam release 3007n stamp 17816 Content-Length: 0 <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
--------------- -------------- ------------
On Fri, 1 Nov 2013, Jay Hennigan wrote:
> On 11/1/13 12:04 PM, Matt Yaklin wrote:
>>
>> Approx 60-70 calls.
>
> If more than one overlapping you can rule out the physical FXO port.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
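
The pattern discussed in this thread (REGISTERs ignored, yet an INVITE from the same unregistered source answered with 200 OK and never challenged) can be checked for mechanically in a port-5060 capture. The Python below is an added example, not part of the original thread or of any EdgeMarc tooling; the sample packets are constructed, and 203.0.113.10 is an assumed stand-in for the device's WAN address.

```python
import re

# Constructed sample in the capture's one-packet-per-line layout (headers trimmed).
# 203.0.113.10 stands in for the device WAN IP; all addresses are documentation ranges.
CAPTURE = """\
19:18:48.788559 198.51.100.7.10181 > 203.0.113.10.5060: REGISTER sip:203.0.113.10 SIP/2.0 From: <sip:1001@203.0.113.10>;tag=a1 Call-ID: reg1 CSeq: 1 REGISTER
19:23:31.365141 198.51.100.7.10189 > 203.0.113.10.5060: INVITE sip:15550100@203.0.113.10 SIP/2.0 From: <sip:1001@203.0.113.10>;tag=b2 Call-ID: call1 CSeq: 1 INVITE
19:23:31.417251 203.0.113.10.5060 > 198.51.100.7.10189: SIP/2.0 100 Trying Call-ID: call1 CSeq: 1 INVITE
19:23:36.833967 203.0.113.10.5060 > 198.51.100.7.10189: SIP/2.0 200 OK Call-ID: call1 CSeq: 1 INVITE
19:30:00.000001 198.51.100.9.5060 > 203.0.113.10.5060: INVITE sip:15550101@203.0.113.10 SIP/2.0 From: <sip:2002@203.0.113.10>;tag=c3 Call-ID: call2 CSeq: 1 INVITE
19:30:00.050000 203.0.113.10.5060 > 198.51.100.9.5060: SIP/2.0 407 Proxy Authentication Required Call-ID: call2 CSeq: 1 INVITE
"""

# timestamp, source IP, destination IP, SIP text (the "sip header start" marker is optional)
PKT = re.compile(r"^(\S+) (\S+)\.\d+ > (\S+)\.\d+: (?:>+sip header start>+ )?(.*)$")

def parse(capture):
    """Yield one dict per SIP packet line; lines without Call-ID/CSeq are skipped."""
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        ts, src, dst, msg = m.groups()
        cid = re.search(r"Call-ID: (\S+)", msg)
        cseq = re.search(r"CSeq: \d+ (\w+)", msg)
        status = re.match(r"SIP/2\.0 (\d{3})", msg)  # only responses start this way
        if cid and cseq:
            yield dict(ts=ts, src=src, dst=dst, msg=msg, call_id=cid.group(1),
                       method=cseq.group(1), status=int(status.group(1)) if status else None)

def unauthenticated_calls(capture, device_ip):
    """INVITEs the device accepted with no challenge, no credentials, no registration."""
    invites, challenged, accepted, registered = {}, set(), set(), set()
    for p in parse(capture):
        if p["status"] is None:  # request
            if p["method"] == "INVITE" and p["dst"] == device_ip:
                has_creds = "Authorization:" in p["msg"]  # also matches Proxy-Authorization
                invites.setdefault(p["call_id"], (p["ts"], p["src"], has_creds))
        elif p["src"] == device_ip:  # response sent by the device
            if p["status"] in (401, 407):
                challenged.add(p["call_id"])
            elif p["method"] == "INVITE" and 200 <= p["status"] < 300:
                accepted.add(p["call_id"])
            elif p["method"] == "REGISTER" and p["status"] == 200:
                registered.add(p["dst"])
    return [(ts, src, cid) for cid, (ts, src, creds) in invites.items()
            if cid in accepted and cid not in challenged
            and not creds and src not in registered]

if __name__ == "__main__":
    for hit in unauthenticated_calls(CAPTURE, "203.0.113.10"):
        print("accepted without authentication:", hit)
```

Any hit means the device set up a call for a source it never authenticated, which is the condition to close off in the device's SIP or firewall settings.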