SIP client floods port 5060 and gets blocked


Hello,

Is there any reason why an IP-phone would pound on port 5060? My
firewall blocks the public IP because it thinks the remote IP is port
scanning on port 5060.

I think the phone is just registering but for some reason it does this
repeatedly in a very short time.

Oct 28 09:01:48 astserver kernel: Firewall: *UDP_IN Blocked* IN=eth0
OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=remote_ip
DST=server_ip LEN=696 TOS=0x00 PREC=0x00 TTL=53 ID=48073 DF PROTO=UDP
SPT=2367 DPT=5060 LEN=676
Oct 28 09:01:49 astserver kernel: Firewall: *UDP_IN Blocked* IN=eth0
OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=remote_ip
DST=server_ip LEN=696 TOS=0x00 PREC=0x00 TTL=53 ID=48074 DF PROTO=UDP
SPT=2367 DPT=5060 LEN=676
Oct 28 09:01:50 astserver kernel: Firewall: *UDP_IN Blocked* IN=eth0
OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=remote_ip
DST=server_ip LEN=696 TOS=0x00 PREC=0x00 TTL=53 ID=48075 DF PROTO=UDP
SPT=2367 DPT=5060 LEN=676
Oct 28 09:01:52 astserver kernel: Firewall: *UDP_IN Blocked* IN=eth0
OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=remote_ip
DST=server_ip LEN=696 TOS=0x00 PREC=0x00 TTL=53 ID=48076 DF PROTO=UDP
SPT=2367 DPT=5060 LEN=676
Oct 28 09:01:56 astserver kernel: Firewall: *UDP_IN Blocked* IN=eth0
OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=remote_ip
DST=server_ip LEN=696 TOS=0x00 PREC=0x00 TTL=53 ID=48077 DF PROTO=UDP
SPT=2367 DPT=5060 LEN=676
Oct 28 09:02:00 astserver kernel: Firewall: *UDP_IN Blocked* IN=eth0
OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=remote_ip
DST=server_ip LEN=696 TOS=0x00 PREC=0x00 TTL=53 ID=48078 DF PROTO=UDP
SPT=2367 DPT=5060 LEN=676
Oct 28 09:02:04 astserver kernel: Firewall: *UDP_IN Blocked* IN=eth0
OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=remote_ip
DST=server_ip LEN=696 TOS=0x00 PREC=0x00 TTL=53 ID=48079 DF PROTO=UDP
SPT=2367 DPT=5060 LEN=676
Oct 28 09:02:08 astserver kernel: Firewall: *UDP_IN Blocked* IN=eth0
OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=remote_ip
DST=server_ip LEN=696 TOS=0x00 PREC=0x00 TTL=53 ID=48083 DF PROTO=UDP
SPT=2367 DPT=5060 LEN=676
Oct 28 09:02:12 astserver kernel: Firewall: *UDP_IN Blocked* IN=eth0
OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=remote_ip
DST=server_ip LEN=696 TOS=0x00 PREC=0x00 TTL=53 ID=48084 DF PROTO=UDP
SPT=2367 DPT=5060 LEN=676
Oct 28 09:02:16 astserver kernel: Firewall: *UDP_IN Blocked* IN=eth0
OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=remote_ip
DST=server_ip LEN=696 TOS=0x00 PREC=0x00 TTL=53 ID=48085 DF PROTO=UDP
SPT=2367 DPT=5060 LEN=676
Oct 28 09:02:20 astserver kernel: Firewall: *UDP_IN Blocked* IN=eth0
OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=remote_ip
DST=server_ip LEN=696 TOS=0x00 PREC=0x00 TTL=53 ID=48087 DF PROTO=UDP
SPT=2367 DPT=5060 LEN=676

Any input on this ?!

Kind regards,
Jonas.

6 thoughts on - SIP client floods port 5060 and gets blocked

  • I assume that you checked and the remote IP is a legitimate IP phone? If not, it could be an attempt to break into your system.

    If it is a legitimate IP phone, make sure that the SIP configuration is correct – if the SIP authentication fails, you can see this happening.

    asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Jonas Kellens
    Sent: Thursday, October 28, 2010 12:39 AM


  • 1. This is a legitimate phone, yes.
    2. Registration goes as follows: REGISTER > SIP/2.0 401 Unauthorized >
    Re-Register with Digest > 200 OK

    Regards,
    Jonas.

  • Yes, I have seen this with Snom 370s… It’s maddening. I’m going to start
    testing out the version 8.x firmware.

    – Julian
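
An added example, not part of the original thread: a small log check that separates the pattern in the quoted firewall lines (one source port, one destination port, one length, intervals growing to a 4-second ceiling) from a sweep across many destination ports. The names `YEAR`, `T2_CAP`, `min_ports` and the `scanner_ip` contrast case are assumptions made for this sketch; the sample lines are constructed.

```python
import re
from datetime import datetime

YEAR = 2010  # assumption: syslog lines carry no year; the thread is dated 2010
STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
FIELD = re.compile(r"(\w+)=(\S+)")
T2_CAP = 4  # seconds; RFC 3261 caps non-INVITE retransmit intervals at T2

def parse(line):
    """Return (time, src, sport, dport, udp_len) or None for other lines."""
    m = STAMP.match(line)
    if not m or "DPT=" not in line:
        return None
    f = dict(FIELD.findall(line))  # LEN occurs twice; the later UDP LEN wins
    when = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return when, f["SRC"], f["SPT"], f["DPT"], f["LEN"]

def gaps(pkts):
    """Whole-second intervals between consecutive packets."""
    times = sorted(p[0] for p in pkts)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def classify(lines, min_ports=4):
    """Label each source: one request resent with backoff, or a port sweep."""
    by_src = {}
    for pkt in filter(None, map(parse, lines)):
        by_src.setdefault(pkt[1], []).append(pkt)
    out = {}
    for src, pkts in by_src.items():
        g = gaps(pkts)
        same_flow = len({p[2:] for p in pkts}) == 1  # same ports and length
        backoff = bool(g) and g == sorted(g) and max(g) <= T2_CAP
        if same_flow and backoff:
            out[src] = "retransmission"
        elif len({p[3] for p in pkts}) >= min_ports:
            out[src] = "port-sweep"
        else:
            out[src] = "unclassified"
    return out

# Constructed input: PHONE mirrors the timing quoted in the thread, SWEEP is an
# invented contrast case; both use placeholder addresses.
FMT = ("Oct 28 {t} astserver kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= "
       "SRC={s} DST=server_ip LEN={n} PROTO=UDP SPT={sp} DPT={dp} LEN={u}")
PHONE = [FMT.format(t=t, s="remote_ip", n=696, sp=2367, dp=5060, u=676)
         for t in ("09:01:48", "09:01:49", "09:01:50", "09:01:52", "09:01:56", "09:02:00")]
SWEEP = [FMT.format(t=f"09:05:0{i}", s="scanner_ip", n=48, sp=40000 + i, dp=5060 + i, u=28)
         for i in range(6)]

if __name__ == "__main__":
    print(classify(PHONE + SWEEP))
```

A "retransmission" verdict only says the packets look like one request being resent; whether the sender is a legitimate phone still has to be checked separately.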