Level 1: Cadet

SIP Dos attack

I have had problems getting hold of any technical support from Telstra:

This all started Wed 29th of April.

Level 20: Director

Re: SIP Dos attack

Hi - which entries shown in the logs lead you to think you are encountering a SIP DOS attack? Are you not able to make and receive telephone calls or use any multi-media services on your Telstra WAN link?

The modem will do many internal check routines - a VoIP check to the Telstra SIP Server approximately every 10 minutes. Sometimes entries in the Arcadyan logs are duplicated showing the identical or multiple time stamps. It will also list many entries for Wi-Fi Booster, which is the EasyMesh Controller module, as a check to see if you have an external Telstra Wi-Fi Booster connected to your modem, either by a LAN cable or Wi-Fi. If it doesn't see a Booster it will disconnect that module. It also will monitor or scan your Wi-Fi network for other quality checks and may report back to the remote Telstra ACS Server.

 

If you have issues connecting to the NBN, best to call Telstra for further investigations and they can confirm if you have any significant issues. 

Level 1: Cadet

Re: SIP Dos attack

Hello mate

There is no booster and its repetition follows...

We have no VoIP box

..28.05.2020 10:07:45 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 10:10:19 WiFi_Booster-[Band Steering/Overload] MAC=10:40:F3:97:80:00 [Legacy] start.
28.05.2020 10:10:34 WiFi_Booster-(mymodem)IF[2.4G](BC:30:D9:EA:1D:B9):STA(E8:50:8B:AB:CD:A1) disconnected.
28.05.2020 10:11:13 DHCPv6: eth0 renew successfully
28.05.2020 10:15:36 WiFi_Booster-(mymodem)IF[2.4G](BC:30:D9:EA:1D:B9):STA(E8:50:8B:AB:CD:A1) connected.
28.05.2020 10:15:47 Local user 192.168.0.11 has successfully logged into GUI.
28.05.2020 10:17:06 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 10:25:11 WiFi_Booster-(mymodem)IF[5G](BC:30:D9:EA:1D:B8):STA(70:70:0D:27:28:B0) connected.
28.05.2020 10:26:26 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 10:32:14 NTP: Sync time with time server.
28.05.2020 10:35:46 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].

Level 24: Supreme Being

Re: SIP Dos attack

The WiFi booster is the WiFi radio transmitter in the modem. If you are having problems with WiFi devices losing their internet connection suggest you change the channel settings for each WiFi band from auto to a fixed channel. Turning off band steering in the modem's 2.4 GHz settings might also help.

 

The modem also has a built in VOIP function. Even if no phone handset is connected the modem still checks the VOIP SIP connection about every 9 minutes.

Level 1: Cadet

Re: SIP Dos attack

cf4.. I appreciate your information, especially over the years.. the frequency and the continuation of ringing VoIP number 0755250491 which is a Currumbin address.. is not a normal function.. plz just check the log files.

28.05.2020 10:15:47 Local user 192.168.0.11 has successfully logged into GUI.
28.05.2020 10:17:06 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 10:25:11 WiFi_Booster-(mymodem)IF[5G](BC:30:D9:EA:1D:B8):STA(70:70:0D:27:28:B0) connected.
28.05.2020 10:26:26 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 10:32:14 NTP: Sync time with time server.
28.05.2020 10:35:46 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 10:45:06 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 10:47:59 Local user has successfully logged out GUI.
28.05.2020 10:54:26 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 11:03:46 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 11:13:06 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 11:22:26 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 11:31:47 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 11:32:15 NTP: Sync time with time server.
28.05.2020 11:37:14 WiFi_Booster-[Prohibit Time] MAC=10:40:F3:97:80:00 Added into unfriendly station list [RE-JOIN]. duration time:3600 secs.) failed.
28.05.2020 11:37:14 WiFi_Booster-(mymodem)IF[2.4G](BC:30:D9:EA:1D:B9):STA(10:40:F3:97:80:00) connected.
28.05.2020 11:41:07 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 11:50:27 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 11:59:47 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 12:09:07 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 12:18:27 [VoIP] SIP Registered: IP-Address: 2001:8003:0F00:7204:F50F:9F48:255F:AAF2, VoIP number: +61755250491, URI[sip:[2001:8006:3520:0206:0007:E1C0:0000:000F]:5060;transport=udp].
28.05.2020 12:20:12 Local user 192.168.0.11 has successfully logged into GUI.

Level 24: Supreme Being

Re: SIP Dos attack

Comparing your log with mine I can see no difference between the SIP registration events. They occur every 9 minutes and 20 seconds. The only difference I can see is the phone number and the IP address.
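
The comparison described in this reply can be automated. The following is an added example, not part of any post in the thread: it extracts the `SIP Registered` timestamps from a log in the format quoted above and checks whether they follow a steady timer or arrive in bursts. The sample log is constructed (placeholder address, number and server), and the `jitter_s` and `burst_s` thresholds are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample in the format of the event log posted above; the
# address, number and server are placeholders, not values from the thread.
REG_LINE = ("[VoIP] SIP Registered: IP-Address: 2001:db8::1, VoIP number: "
            "+61000000000, URI[sip:[2001:db8::f]:5060;transport=udp].")
SAMPLE_LOG = "\n".join([
    "28.05.2020 10:07:45 " + REG_LINE,
    "28.05.2020 10:15:47 Local user 192.168.0.11 has successfully logged into GUI.",
    "28.05.2020 10:17:06 " + REG_LINE,
    "28.05.2020 10:26:26 " + REG_LINE,
    "28.05.2020 10:26:26 " + REG_LINE,  # duplicated entry, as the modem sometimes logs
    "28.05.2020 10:32:14 NTP: Sync time with time server.",
    "28.05.2020 10:35:46 " + REG_LINE,
    "28.05.2020 10:45:06 " + REG_LINE,
])

# Optional leading dots tolerate pasted logs that start with ".."
REG_RE = re.compile(r"^\.*(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) \[VoIP\] SIP Registered:")

def registration_times(log_text):
    """Return sorted, de-duplicated timestamps of 'SIP Registered' entries."""
    stamps = set()
    for line in log_text.splitlines():
        m = REG_RE.match(line.strip())
        if m:
            stamps.add(datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S"))
    return sorted(stamps)

def assess(log_text, jitter_s=5, burst_s=60):
    # jitter_s and burst_s are assumed thresholds for this example, not vendor values.
    times = registration_times(log_text)
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return {"verdict": "insufficient data", "gaps": gaps}
    mid = median(gaps)
    if any(g < burst_s for g in gaps):
        verdict = "bursty"      # registrations in quick succession
    elif any(abs(g - mid) > jitter_s for g in gaps):
        verdict = "irregular"   # no steady timer behind the entries
    else:
        verdict = "periodic"    # steady refresh timer
    return {"verdict": verdict, "median_s": mid, "gaps": gaps}

if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

A `periodic` verdict with a median gap near 560 seconds matches the 9 minute 20 second registration refresh described in this thread.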

Level 20: Director

Re: SIP Dos attack

Yes, same here - it's a regular 10 minute check up of the voice service associated with your NBN service. Are you saying the telephone listed is not yours and you don't live in Currumbin? It doesn't actually make an outgoing call - it's a registration of an internal software event. You should see evidence of any actual telephone calls made from your service in your Telephony/Call Log screen. If any calls listed there are not made by you, then you need to contact Telstra for further investigations.

You will also see other evidence of voice service modules activating within the Event log such as Crossbar, PBX and T38 (fax) entries which are null events. Telstra has customised the modem's firmware for its network. SIP is the initiation protocol used for all multi-media communications and is required for Voice set up and generally it's locked down in multiple secure network layers by Telstra like Fort Knox. That said, that does not preclude companies who have not implemented correct security arrangements on their private networks from being fraudulently accessed by outside parties for unauthorised telephone traffic.
