How common are wide open SIP gateways?

Drew Weaver drew.weaver at
Fri Feb 5 18:26:51 UTC 2010

Eventually I'll have to get around to setting up netflow so I can detect the scanners before it becomes a problem =)

Just not a great deal of 'cohesiveness' with the current open source netflow implementations, and then all of the different Cisco gear has different caveats related to NF, so it's hard to use that as a good way to detect this sort of thing, although I'm guessing it can't be too hard to figure out which hosts are making a bunch of outbound connections to random IPs on 5060 =)


-----Original Message-----
From: David Birnbaum [mailto:davidb at] 
Sent: Friday, February 05, 2010 1:22 PM
To: Brandon Ewing
Cc: nanog at
Subject: Re: How common are wide open SIP gateways?

I should have prefaced that with "older installations" as well.  As far as we 
can see, most of the newer packages have fixed the known truck-sized holes in 
their default configurations, but given the lack of any formal framework for 
testing this stuff, even the "big" switches have been found to have security 
issues from time to time.

I have to admit I was surprised at the number of people I've run into over the 
years who unpacked Asterisk, played with a few phones, and stuck themselves on 
the Internet without any clear understanding of how exposed they are.




On Fri, 5 Feb 2010, Brandon Ewing wrote:

> On Fri, Feb 05, 2010 at 12:45:13PM -0500, David Birnbaum wrote:
>> We have noticed a lot of issues with Asterisk 1.2 and some 1.4 rollouts.
>> FreePBX had some truck-sized holes in it.
> FreePBX 2.6.0 defaults to refusing anonymous SIP calls.  If you enable
> inbound anonymous calls, it includes only the "from-trunk" context, making
> it behave like a standard incoming over over a configured trunk.  If you've
> configured FreePBX to allow outgoing calls from the trunk context, you have
> larger problems in general.
> -- 
> Brandon Ewing                                        (nicotine at

More information about the NANOG mailing list