If there is one thing you take away from this post, remember this name: SIP Vicious, because you will meet him, or in this case “IT”, one day. It is fascinating to work with clients that are new to SIP trunking and its capabilities. I can safely say that no two SBC/Gateway implementations have ever been the same. When that first call goes through and connects, you can hear it in their voice, almost like Christmas morning: a sigh of relief that it really works.
Then something ominous happens. What was that? Someone else is trying to call, but we haven’t even put the trunk into production yet! Cool! Whenever I do an SBC implementation there is always a security discussion that happens as a result. That wasn’t a call per se, it was a probe. What? My firewall is configured for “XYZ”. Yes, but all SIP signalling is performed on port 5060, and that has to be left open on the firewall in order for communications to work.
“So what do we do?” The good news is you installed an SBC, and it has security functionality built in to block the registration request or probe. The bad news is the requests come in from all over the planet. If you like playing “Whack a Mole” with your firewall, that game will run until the end of time and, I assure you, the odds are not in your favor.
To make matters worse, SIP Vicious is the easy one to identify because he announces himself:
Albeit he does so as the “friendly-scanner”, don’t kid yourself: your network has been probed and others will show up. There are several ways to prevent attacks, such as redirection, but they are all reactive. The SBC is doing its job by preventing the connection and keeping the door to toll fraud closed. There is another level of protection available that does not employ layer-3 and is transparent to all parties. We can discuss that solution another time. I wanted to ensure I made the proper introduction first.
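A log-side check for the self-announcing probe described above, as an added example that is not part of the original post: it parses raw SIP requests, flags any whose User-Agent header contains "friendly-scanner", and, going one step beyond the post, also flags requests from sources outside a trusted trunk range to catch the quieter probes that do not announce themselves. The function names, the trusted CIDR and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
import re

SCANNER_UA = re.compile(r"friendly-scanner", re.IGNORECASE)

def parse_request(raw):
    """Return (method, headers) for one raw SIP request; header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop any body (SDP)
    head = re.sub(r"\r\n[ \t]+", " ", head)     # unfold wrapped header lines
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers

def classify(src_ip, raw, trusted_nets):
    """Return (method, verdict); verdict is 'scanner-ua', 'untrusted-source' or 'ok'."""
    method, headers = parse_request(raw)
    if SCANNER_UA.search(headers.get("user-agent", "")):
        return method, "scanner-ua"             # the probe announced itself
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in trusted_nets):
        return method, "untrusted-source"       # quiet probe: no tell-tale header
    return method, "ok"

def report(events, trusted_cidrs):
    """Map each source IP to the list of (method, verdict) pairs seen from it."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    seen = {}
    for src_ip, raw in events:
        seen.setdefault(src_ip, []).append(classify(src_ip, raw, nets))
    return seen

# Constructed sample traffic using documentation address ranges, not captured data.
TRUSTED = ["192.0.2.0/28"]                      # assumed trunk provider range
EVENTS = [
    ("203.0.113.7", "OPTIONS sip:100@198.51.100.10 SIP/2.0\r\n"
                    "Via: SIP/2.0/UDP 203.0.113.7:5060\r\nUser-Agent: friendly-scanner\r\n\r\n"),
    ("203.0.113.9", "REGISTER sip:198.51.100.10 SIP/2.0\r\nUSER-AGENT:\r\n Friendly-Scanner\r\n\r\n"),
    ("203.0.113.50", "INVITE sip:300@198.51.100.10 SIP/2.0\r\nUser-Agent: Generic-UA/1.0\r\n\r\n"),
    ("192.0.2.5", "INVITE sip:200@198.51.100.10 SIP/2.0\r\nUser-Agent: TrunkProvider\r\n\r\n"),
]

if __name__ == "__main__":
    for src, hits in report(EVENTS, TRUSTED).items():
        print(src, hits)
```

The User-Agent match only catches tools that keep their default header, so the source check is what covers the "others" that follow.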