Since around December 31, when the office was closed, there has been a massive increase in our data download pattern. Some 40GB over our normal usage. We were hit with massive excess fees. On examination of 5-minute data polling from our provider we noticed large blocks being downloaded. Sometimes it would last for 2 days at full download speed and sometimes just a couple of hours. Sometimes someone was in the office and sometimes not. Sometimes a whole week would go by without any extra data. Virus scans showed nothing. The only device on during some occasions was the 3CX server.

I was nearly at my wits' end to track this down, as Wireshark can't be left running for long periods (it would seem). However, today I noticed the internet light running hot on my modem and so I ran a Wireshark capture on the 3CX server. I was surprised to see 1000's of SIP REGISTER requests coming in each second from one particular IP address. In as little as 6 minutes, 25MB worth of requests were downloaded from this pleb. That's where our data was going. When I added him to our firewall exclusion and tried to log the hits, my modem kept crashing due to the ferocity of the attack. I telephoned Telstra Business and they promptly escalated to level three and have since blocked him (I think).

Now for the interesting bit: around December 31, I received an email about this particular IP address saying 3CX had added it to the blacklist for 9999999 seconds as number of requests exceeded....... and indeed it was in the blacklist. So my question is, if this guy was blacklisted, why does he keep trying? Was he maybe bypassing the blacklist? There was no evidence in the log to say he had tried again.

How on earth do I stop this kind of activity? My VoIP provider seems reluctant to provide me with a list of IP addresses that I can allow through on port 5060. What does everyone else do? Does everyone leave the 5060 port open for anyone and deal with intrusions at the 3CX server level?

Has my 3CX server been compromised in some way to allow for requests? How can I tell?
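One way to find a source like the one described above from a saved capture export, rather than by watching Wireshark live (an added example, not part of the original post and not 3CX's own detection logic). It assumes each input row is tab-separated epoch time, source IP and SIP method; the window length, threshold and sample addresses are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumed sliding-window length
MAX_REGISTERS = 20    # assumed per-source limit inside one window

def find_register_floods(lines, window=WINDOW_SECONDS, limit=MAX_REGISTERS):
    """Return {source_ip: peak REGISTER count seen in any window} for sources over limit.

    Rows must be in time order: 'epoch_seconds<TAB>source_ip<TAB>sip_method'.
    """
    recent = defaultdict(deque)  # source_ip -> timestamps still inside the window
    peaks = {}
    for raw in lines:
        parts = raw.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue             # malformed or non-SIP row
        ts_text, src, method = parts
        if method.upper() != "REGISTER":
            continue
        try:
            ts = float(ts_text)
        except ValueError:
            continue
        seen = recent[src]
        seen.append(ts)
        while seen and ts - seen[0] > window:
            seen.popleft()       # drop timestamps that fell out of the window
        if len(seen) > limit:
            peaks[src] = max(peaks.get(src, 0), len(seen))
    return peaks

def constructed_sample():
    # Constructed data using documentation address ranges:
    # 203.0.113.50 sends 500 REGISTERs in about 5 seconds,
    # 198.51.100.7 re-registers once a minute like a normal phone.
    rows = [f"{1000 + i * 0.01:.2f}\t203.0.113.50\tREGISTER" for i in range(500)]
    rows += [f"{1000 + i * 60}\t198.51.100.7\tREGISTER" for i in range(5)]
    rows += ["1002.5\t198.51.100.7\tINVITE", "garbage line"]
    return sorted(rows, key=lambda r: float(r.split("\t")[0]) if "\t" in r else 0.0)

if __name__ == "__main__":
    for ip, peak in find_register_floods(constructed_sample()).items():
        print(f"{ip}: up to {peak} REGISTERs within {WINDOW_SECONDS}s")
```

Because it only keeps timestamps inside the current window, the function can be fed rows as they arrive, and a flagged address can then be blocked at the firewall or reported to the upstream provider.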