Self Hosting VOIP server getting SIP attack

Hi Guys,

I have already opened a few cases with support, but not much help was provided, which is why I am here. Here are the infra details of our customer.

They have a self-hosted VOIP in their infra. Right now they are experiencing SIP call attacks.

 

On the outgoing side, the customer requested the VOIP to go out through a specific IP, hence the outbound address.

Same here for incoming.

I am not sure if traffic shaping will help or not, but the current situation that we are facing is that SIP calls would be attacked.

SIP ALG has been unloaded as well. Does anyone have any tips or suggestions?

  • Hi,

    Instead of having ANY in your WAN network, limit the network to the FQDN of your SIP provider or the IP address ranges they use.

    Ian

  • Hi  

    Could you please PM me the service request number raised with support? It would help us to check the history of the case and allow us to assist you better.

  • In reply to Keyur:

    Hi Keyur,

    Here are the case IDs:
    9202926
    9567224
    8956841

  • In reply to rfcat_vk:

    Hi vk,

    We can't put WAN as ANY, because that is for anyone from the outside to call in, since they do not have a dedicated provider for the SIP. Instead, they are hosting the VOIP by themselves.

    FYI, this is for video call use.

  • In reply to VSA Support:

    Hi  

    Thank you for providing the service request numbers. I will check them. Meanwhile, could you please provide a network diagram or packet flow of the SIP traffic?

  • In reply to VSA Support:

    Hi

    Is there any IPS policy applied on the WAN to LAN firewall rule? Opening the SIP port for ANY on the WAN source can attract traffic from anywhere, and as the port is open and listening, it will allow traffic to the destination server behind the firewall.

  • In reply to Keyur:

    Hi Keyur,

    Unfortunately I don't have the packet flow for the SIP traffic.

    But as for the network diagram, you can refer to the below.

    Video Call -> L1 Switch -> Firewall -> ISP

  • In reply to Keyur:

    Hi Keyur,

    I just applied the IPS for this WAN to LAN rule, but our customer is still saying that they are receiving calls (SIP attack).

  • In reply to VSA Support:

    Here are the IPS settings.

     

  • In reply to VSA Support:

    Hi  

    As per my understanding, you have a LAN to WAN firewall rule for outbound SIP connections and a WAN to LAN rule for inbound connections, and as you have opened the connection for ANY for the WAN zone, the firewall will allow the traffic. If you have specific IPs detected, you can ask your ISP to block them.

    For complete security, you have applied recommended settings in the SIP server as well or host-based security, IPS policy on LAN to WAN and WAN to LAN firewall rule in the firewall. You have to restrict the incoming traffic by specifying networks for WAN.

    Apply DOS setting for UDP flood based on your SIP traffic.

  • In reply to Keyur:

    Hi Keyur,

    Sorry for the late reply. So far we are just dropping the attacker's IP from the firewall.

     

    Keyur
    Apply DOS setting for UDP flood based on your SIP traffic.

    Are you referring to the IPS side?
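
The suggestion above to set the UDP flood (DoS) limit "based on your SIP traffic" can be worked through offline before touching the firewall. The following is an added example, not part of the thread or of any vendor tooling: it assumes SIP packets have been exported as (second, source IP, method) records, uses constructed sample data with documentation addresses, and the `headroom` multiplier is a hypothetical tuning choice.

```python
from collections import Counter

# Constructed sample records: (epoch second, source IP, SIP method).
# All addresses are documentation ranges, not values from the thread.
GOOD_A, GOOD_B = "198.51.100.10", "198.51.100.20"
BURST, SLOW = "203.0.113.77", "203.0.113.80"
SAMPLE = (
    [(100, GOOD_A, "INVITE"), (100, GOOD_A, "ACK"), (130, GOOD_A, "BYE"),
     (200, GOOD_B, "INVITE"), (201, GOOD_B, "ACK")]
    + [(150, BURST, "INVITE")] * 12 + [(151, BURST, "INVITE")] * 9
    + [(t, SLOW, "OPTIONS") for t in range(100, 200, 10)]
)

def peak_pps(records):
    """Map each source IP to its busiest one-second packet count."""
    per_second = Counter((src, ts) for ts, src, _method in records)
    peaks = {}
    for (src, _ts), count in per_second.items():
        peaks[src] = max(peaks.get(src, 0), count)
    return peaks

def suggest_threshold(peaks, known_good, headroom=2.0):
    """Per-source packets/sec limit: busiest known-good peer times headroom."""
    baseline = max((peaks.get(ip, 0) for ip in known_good), default=0)
    if baseline == 0:
        raise ValueError("no traffic seen from known-good sources")
    return int(baseline * headroom)

def over_limit(peaks, threshold):
    """Sources whose peak rate a per-source flood limit would clip."""
    return sorted(ip for ip, peak in peaks.items() if peak > threshold)

if __name__ == "__main__":
    peaks = peak_pps(SAMPLE)
    limit = suggest_threshold(peaks, [GOOD_A, GOOD_B])
    print("peaks:", peaks)
    print("suggested per-source limit (pps):", limit)
    print("would be clipped:", over_limit(peaks, limit))
```

In the sample, the slow OPTIONS source never exceeds the limit, so a flood threshold complements the IPS policy and source restrictions discussed in the thread rather than replacing them.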