Anonymous SIP Calls
We have a FreePBX-12 / Asterisk-12 setup that supports about 24
extensions, most internal Snom870s but six or so external (Jitsi-2.8). we use TLS and SRTP everywhere on our side of the fence. The server host is a dedicated atom(tm) box using the FreePBX distro (CentOS-6.x)
and is up-to-date. Registrations require very long random passwords and registrable devices are further restricted by netblock filters. We have the usual firewall and fail2ban intrusion prevention and detection set-ups in place.
Our connection to the rest of the world is via PSTN.
We do our own DNS, both forward and reverse. We have NAPTR and SRV
RRs for SIP and SIPS.
That is the environment. Now for the questions.
Can I safely configure FreePBX/Asterisk to allow people to call us directly via SIP? In other words, sip://something@harte-lyne.ca would reach us and ring internally as if someone had called our main office number via PSTN. Does it make sense to do so?
I am not talking about routing our main number through a SIP trunk provider. We will remain on PSTN for the foreseeable future. But I
am curious as to whether or not it it worthwhile to allow others who have the capability to simply call us via SIP rather than over PSTN. And if we do allow it what are the caveats and how does one actually configure Asterisk to do it?
I have read a number of blogs, sections of the Definitive Asterisk book and mailing list archived posts respecting anonymous SIP calls. But I have to say these leave me rather more confused than informed. Virtually all sources advise against accepting any anonymous incoming SIP calls whatsoever. The few that do not absolutely advise against do not give much guidance in how to handle incoming calls. And frankly, I have only a dim idea how an incoming SIP call should be handled from a theoretical point of view.
Any guidance would be welcome.
7 thoughts on - Anonymous SIP Calls
You have to consider whether you really want “anonymous” calls, or you just want to enable SIP calls from trusted companies/partners. The latter means setting up routes to these companies and (ideally) registration between peers.
If you really want anonymous calls, then you will have to setup your dialplan with a guest/anonymous context for the calls to drop into. Once they arrive in that context you can route them anywhere else in your dialplan based on rules you setup. To help understand how this works, set verbose up to 10 in the Asterisk CLI and then call into your PBX using a SIP phone (without registration) . You’ll quickly see how it works.
The bigger concern here is security. Hackers will have a field day with an unsecured SIP connection. You will want to add some security on and around your Asterisk server. Take a look at http://www.voip-info.org/wiki/view/Asterisk+security for suggestions.
To be conservative, assume someone WILL find a hole in your dialplan and attempt to commit fraud (i.e. rack up charges on your phone system). You will want to add security to your asterisk server which detects this fraud and disconnects the callers. There’s a great video of an Astricon attendee explaining how callers racked up $100,000 in charges in one weekend.
This is what I am trying to get a handle on. It seemed to me that the promise of VOIP was essentially that one could use the Internet as a replacement for the PSTN directly, providing that ones callers/callees were also directly connected via VOIP. SIP providers I had considered a necessary transition to act as gateways between PSTN dialing and VOIP until VOIP replaced PSTN virtually entirely if not completely.
That is why we are on Asterisk. We had to replace our old keyed system and the thought was that we might as well get ready for VOIP
even if we planned to stay on PSTN for the foreseeable future.
However, the overwhelming evidence I find is that one simply does not employ VOIP in the same way that PSTN works. Actually, I have put that backwards. What I have discovered is that the most commonly recommended method is to switch from a Telco to A SIP provider and continue in a manner similar to the former set-up. External calls all have to travel through a third party provider.
One does not accept incoming VOIP calls from just everyone, apparently. One only accepts VOIP calls from known correspondents. I
am not clear why this is so other than vague warnings respecting
(admittedly real and serious) security issues.
Even limiting VOIP to known correspondents one is ultimately trusting that they themselves are secured sufficiently to prevent unauthorised access to your systems through theirs. And that seems a bit of a stretch by way of rationalisation to me.
Also I do not understand is why the same issues do not exist from incoming calls via PSTN.
I somewhat understand the process of getting devices to register and authenticate to obtain access to our outgoing routes. What is it about incoming SIP calls destined to our internal users that make those calls so dangerous? Why cannot incoming anonymous SIP calls not be treated exactly as incoming PSTN calls (other than PSTN have to go though DAHDI to turn them into digital VOIP calls). What is it that prevents them from being blocked from gatewaying through to our PSTN
lines?
Please forgive my abysmal ignorance on this matter. Perhaps I have been down in the weeds too long getting our internal FreePBX system working to see what is obvious to others. I have been going theough the Asticon Videos on security and have or already had implemented most of the suggestions: Outbound LD secured by pins and allowed only during work hours; IPTABLES rules and fail2ban checks; Separation of voice and data network segments and addresses; Private IP for VOIP
desk-sets and internal provisioning; and so forth.
However, I still have the sense that I am just not getting it. What am I missing?
To answer your first question, what you refer to as the PSTN is also quite dangerous. There is a lot of fraud going on over analog lines – usually hackers try to find an outside line by calling in to a PBX and trying lots of digits. or, in some cases fooling a naive user to forward them to an outside line (claiming to be Bell), etc. As for VoIP, even a beginner can try 100000 PBX’s with 100000 dialout codes in a matter of hours. So because it’s easier it becomes more popular. (There was a an article in the Globe and Mail a few years ago about this – one Toronto company lost a lot of money because someone called in saying it was Bell Canada and their receptionist forward the technician to a “diagnostic number”…which was 9XXXXX and surprise they got an outside line). Since’ you’re in Hamilton I figure this might ring a bell…:)
A lot of the value from what you refer to as the PSTN is really just a bridging point, and a massive directory (i.e. phone numbers). But their role is changing and someday they may be little more than the equivalent of root DNS servers. But for now they are still the major interconnect for ITSP’s to legacy/TDM customers.
As for security and using fail2ban, I hope you read this:
http://forums.asterisk.org/viewtopic.php?p9984
Fail2ban is not really security…but it’s certainly better than nothing.
What you might be missing is that VoIP is the wild west of fraud. It’s easy, and there are lots of holes in SIP, Asterisk, FreePBX, etc! Do a search on FreePBX security flaws and you’ll find that hackers discovered a massive hole last summer exposing systems to toll fraud. This is big business for hackers and a single breach can earn them $10,000 to $100,000 (or more) -not bad for 1 day of work, and you the SIP customer are on the hook for that bill. Major ITSP are not likely to forgive your bill just because you got hacked. It’s your responsibility to secure your system. And if you haven’t you might get a whopper of a bill.
There are working groups, industry groups, etc. dedicated to VoIP security. They exist for a reason – this is a HUGE problem. It’s easy to get over confident and a mistep in security can cost you your job and your company a small fortune.
James,
I’m a systems and telecom professional with experience going back more than thirty years, to the days of teletype, current loop, POTS (2600hz signalling anyone?) and echo cancellation via analog level control and hybrid balance.
Your read of the intent of the VOIP/SIP design correctly. The intent WAS to make making connections between endpoints as easy as using a browser.
Unfortunately, setting up ALL of the infrastructure, not JUST the registration/switching points (Asterisk/Kamailiao/Freeswitch), can be quite daunting… In general, simple DNS is beyond most and the necessary specialized (and they aren’t That SPECIAL) SRV records make most systems admins run for the hills these days.
When we see a statement regarding consideration of allowing anonymous calls, we seeing someone who is (rightly) concerned about fraudulent use of an expensive resource… PSTN
interconnect. In the intended vision, that would be a “don’t care” scenario, because the PSTN interconnect wouldn’t exist, but it does and it’s billed by it’s use making it expensive.
In theory, E164 would have take up closer to that ideal. Asterisk has hooks and connections to use it and it’s own, competing directory mechanism, DUNDi. Let’s make special note of a word I used in that last sentence… Competing. Is DUNDi better? I don’t know and I’m fairly certain I just touched off a debate on the topic. But I do know that when things start competing/contending, people do a few things:
1.) They take sides and fragment things
2.) The sit on the sidelines and wait for things to settle out
In my experience, this has a tendency to bring things to a halt.
Add to this, most of this tech is really, really only useful to businesses. I give my skills to people who need it (Family, friends my old gray haired mother-in-law). Businesses are in the business of making money and if they want the use of my skills, they get to pay me. No one I know will perform this type of thing for free for a business and we all compete for the limited pool of resource that business is willing to offer. What I have to offer is the “tricks of the trade” I’ve garnered over a lifetime career. There was a time when systems admins freely swapped these tips, tricks and techniques (for the best example see the old Novell Users FAQ). As I mentioned before, we who know how to install and maintain VOIP systems are now competing and the dollars come hard, so there seems (at least in the areana of VOIP) less willingness to do this. Oddly, VOIP seems to be more cut throat that any other sector of IT.
Just my experience and I’m sticking to it… and wishing it weren’t so and that unicorns really existed.
Because on the whole most people don’t *want* to receive calls from random strangers 🙂
Others have already written far more eloquently than I about the security implications, but I think there are other factors at play here.
One of the principal benefits E.164 brought to the table was the ability to ‘bypass’ the telco (and their call charges) and route the call direct to the desired endpoint over our respective internet connections. But the cost of making calls via the PSTN has reduced to a point where the cost of the call is no longer a significant factor in whether to place the call. Think back even a few years: the cost of calling another country could easily rise above 1 (GBP/USD/whatever) per minute. Now, with the exception of a few far-flung locations, there are very few destinations to which calls are even a fifth of that cost.
Calls that come via the PSTN are subject to some sort of regulation. Bonafide marketing companies are obliged to screen their calls through the TPS (in the UK – I presume there’s a similar ‘do not call’ screening process in other countries). It’s not perfect (international marketers aren’t effectively covered, for example), but it is marginally better than a total free for all.
As for solutions, I think that for direct SIP-to-SIP calling to gain the traction originally promised, we need to get to the same level of incoming call control as we have with spam filtering on email. So there will need to be organisations running distributed RBLs similar to (for example) Spamhaus which SIP servers can query in real time to check not just for hack attempts, but also those SIP servers from which unsolicited marketing calls have originated, etc.
In summary:
1) PSTN calls are now /cheap enough/ that the financial benefits of direct SIP-to-SIP calls for most users are negligible.
2) When the cost of calls falls to (effectively) zero, the principal beneficiaries are fraudsters and telemarketers, and most people would rather not deal with either group.
3) Lack of effective protection – both technical and regulatory –
against SIP-to-SIP misuse (not just fraud, but unsolicited callers, etc.)
Kind regards,
Chris
Hi James,
Fortunately, your theory about common “run for dollars” is false with many contra-examples. 🙂
jh
———- Původní zpráva ———-
Od: Bruce Ferrell
Komu: asterisk-users@lists.digium.com Datum: 28. 3. 2015 0:17:54
Předmět: Re: [asterisk-users] Anonymous SIP calls
“James,
I’m a systems and telecom professional with experience going back more than thirty years, to the days of teletype, current loop, POTS (2600hz signalling anyone?) and echo cancellation via analog level control and hybrid balance.
Your read of the intent of the VOIP/SIP design correctly. The intent WAS to make making connections between endpoints as easy as using a browser.
Unfortunately, setting up ALL of the infrastructure, not JUST the registration/switching points (Asterisk/Kamailiao/Freeswitch), can be quite daunting… In general, simple DNS is beyond most and the necessary specialized (and they aren’t That SPECIAL) SRV
records make most systems admins run for the hills these days. When we see a statement regarding consideration of allowing anonymous calls, we seeing someone who is (rightly) concerned about fraudulent use of an expensive resource… PSTN
interconnect. In the intended vision, that would be a “don’t care” scenario, because the PSTN interconnect wouldn’t exist, but it does and it’s billed by it’s use making it expensive.
In theory, E164 would have take up closer to that ideal. Asterisk has hooks and connections to use it and it’s own, competing directory mechanism, DUNDi. Let’s make special note of a word I used in that last sentence… Competing. Is DUNDi better? I don’
t know and I’m fairly certain I just touched off a debate on the topic. But I do know that when things start competing/contending, people do a few things:
1.) They take sides and fragment things
2.) The sit on the sidelines and wait for things to settle out
In my experience, this has a tendency to bring things to a halt.
Add to this, most of this tech is really, really only useful to businesses. I give my skills to people who need it (Family, friends my old gray haired mother-in-law). Businesses are in the business of making money and if they want the use of my skills, they get to pay me. No one I know will perform this type of thing for free for a business and we all compete for the limited pool of resource that business is willing to offer. What I have to offer is the “tricks of the trade” I’ve garnered over a lifetime career. There was a time when systems admins freely swapped these tips, tricks and techniques
(for the best example see the old Novell Users FAQ). As I mentioned before, we who know how to install and maintain VOIP systems are now competing and the dollars come hard, so there seems (at least in the areana of VOIP) less willingness to do this. Oddly, VOIP seems to be more cut throat that any other sector of IT.
Just my experience and I’m sticking to it… and wishing it weren’t so and that unicorns really existed.
—
Some of us do allow sip from the internet, but just like for smtp email protections are in order.
I point my SRV records at dedicated sip proxies (I use kamailio) which check the INVITEd sip uri the same way my MXs check the SMTP Evelope-To addresses, and only allow INVITEs through to authorized destinations.
And when those INVITEs make it to asterisk/freeswitch or the like, the dialplan is generally not direct to phone(s), but via an IVR.
As an example, calling my email address via sip goes to an Asterisk FollowMe instance.
I also provide my clients with dedicated sip addresses which avoid the protections.
But the vast majority of the INVITEs coming to my public sip proxies are fraud attempts. My primary sip proxy has blocked over 32k fraudulent INVITEs over the last six months. And about one OPTIONS sip:100@… per hour by something calling itself “friendly-scanner”.
Then again, the number of invalid sip INVITEs per public sip destination are fewer than the number of spam/virus type SMTP attempts per unit time.
And all of the telemarking fraud I have had to deal with have come via pstn dids, not via direct sip.
A half-gig virtual works fine for such a sip proxy.
You may also want to look into getting an ISN number, check out http://freenum.org/ for the details.
-JimC