My codec is attacked, how can I stop this?

4 October 2019

Symptom: The codec receives undesired and very frequent fake calls from weird entities, sometimes the codec even seems to be called by itself. The device may become unavailable for legitimate calls.
In fact, these are solicitations and attacks by robots, using for example the SIPVicious tool. Most often, these attacks are favored by direct exposure of the codec to the Internet without NAT: codec on a public IP address or in DMZ, or public port SIP 5060 statically redirected to the SIP port of the codec. In these cases, the codec will be quickly “spotted” by scanners and easily attacked. This exposure should be avoided unless it is impossible to do otherwise. Here are some ways to counter these attacks:

  • If the codec accesses the Internet via NAT and uses a SIP server, it is normally useless and not recommended to add a static route to the SIP port of the codec. The NAT router blocks most attacks, especially in a “restricted port” configuration.
  • If nevetherless static routes are configured through the NAT router, use non-standard values ​​for public SIP and RTP ports that are redirected to the codec, instead of 5060 and 5004 respectively. Attacks primarily target these standard ports.
  • If the codec is publicly exposed or in DMZ (not recommended), use non-standard values ​​for the local SIP and RTP ports of the codec.
  • Finally, on most AETA codecs you can enable filtering by which the codec processes incoming calls only from the SIP server on which it is registered. This can be used as additional protection even outside the vulnerable situations described above.