Phantom/ghost calls to remote STUN worker

Discussion in '3CX Phone System - General' started by bbaker73, Mar 2, 2018.

Thread Status:
Not open for further replies.
  1. bbaker73

    bbaker73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    107
    Likes Received:
    19
    Just need a little understanding on a remote home worker STUN call receiving ghost "1001" calls.

    Being a single home worker on an ISP provided router/firewall, it is just set up as a STUN extension, no port forwarding, no sbc. It have been working fine for a couple of years plus this way.

    Before you suggest manual changes such as firewall restrictions or disabling direct sip in the phone web interface, I want to keep the setup simple for a home worker, but I want to understand something. If there is no port forwarding in the router to the phone, then my understanding is the ports should be dynamically open in the router, initiated by the phone contacting our PBX and registering, and those dynamic ports in the router should only listening for a response from our PBX ip address. If this is correct, then a SIP scanner from the internet should not be able to reach the phone, unless the IP is being spoofed, or perhaps there is a computer that is compromised on the local lan and the ghost call is being initiated locally. Is this correct?
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,371
    Likes Received:
    230
    If you Google "ghost calls from 1001" you'll find that you are not alone. Because your router will route anything sent to port 5060 (or whichever port your SIP device is set to use),to the device (it has told the router to do this), the phone will ring. Some devices do have an option to prevent the acknolegment of calls (ringing), from any source other than the server that has been datafilled.
     
  3. bbaker73

    bbaker73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    107
    Likes Received:
    19
    I thought normally a dynamically opened port in a router is only listening for a response from the destination specified in the packet when the port was first opened? Setting up forwarding in the router to the phone I can understand receiving the ghost calls if the port forwarding is not restricting to a specific IP.
     
  4. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,371
    Likes Received:
    230
    Think Port triggering, rather than port forwarding...

    https://en.wikipedia.org/wiki/Port_triggering

    Think of the router as the doorman at an apartment building. Until Mr. Jones in apartment 5060 "tells" the doorman to begin delivering "mail" with his apartment number on it, he won't get any. Up until he is notified, the doorman assumes that apartment 5060 is empty, and will ignore any mail addressed to it. Where the "mail" originates, doesn't matter.

    You might consider making use of something like this to confirm nay open ports on your system.
    https://www.online-tech-tips.com/so...ed-network-ip-and-port-scanner-security-tool/
     
    #4 leejor, Mar 2, 2018
    Last edited: Mar 2, 2018
  5. bbaker73

    bbaker73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    107
    Likes Received:
    19
    Thanks leejor, but without port forwarding or port triggering purposely configured on a router, I thought it worked this way:

    Mr. Jones tells the doorman he is sending a letter to Mr. Smith (PBX). Doorman knows Mr. Jones solicited Mr. Smith and will deliver letters from Mr. Smith back to Mr. Jones, but not from anyone else.

    If this wasn't the case, then we should have many if not all of our home workers getting ghost calls randomly. In testing my own home office phone some time ago, as soon as I implemented port forwarding to my STUN phone (as the suggested config for remote STUN phones), I started receiving ghost calls. Turned off the forwarding and never had another one.
     
  6. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,371
    Likes Received:
    230
    It may be something specific (option, feature, flaw?) to the router (or the device), being used at that location.
     
  7. CentrexJ

    CentrexJ Member

    Joined:
    May 5, 2009
    Messages:
    388
    Likes Received:
    52
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  8. bbaker73

    bbaker73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    107
    Likes Received:
    19
    Be nice if those were options in the provisioning so as to not have to use a custom template. :(
     
  9. CentrexJ

    CentrexJ Member

    Joined:
    May 5, 2009
    Messages:
    388
    Likes Received:
    52
    custom templates are only bad if you have to have lots of them. winmerge works great to keep them current.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  10. cobaltit

    cobaltit Active Member

    Joined:
    Mar 22, 2012
    Messages:
    735
    Likes Received:
    113
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. bbaker73

    bbaker73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    107
    Likes Received:
    19
    User said it stopped and hasn't had the issue since then, so I moved on to other problems!

    Still would be nice if features.direct_ip_call_enable settable in provisioning.
     
    Frederick Marcoux likes this.
  12. Frederick Marcoux

    Joined:
    Feb 6, 2018
    Messages:
    9
    Likes Received:
    4
    Disabling Direct IP Call seems to fix the problem permanently. I just edited the template to set is that way.
     
Thread Status:
Not open for further replies.