Hi!
I had a call from a customer today saying that their SIP provider had seen a huge number of calls from certain customers modems to Chile and Barbados. The call pattern was so irregular that the provider banned calls to those countries. They had seen this pattern from other ISPs as well and all cases involved SIP agents from the old Arris TM501/502 modems. I guess hackers have found a way to use the modem as a SIP proxy so the bill comes to the unknowing customer.
I guess a new firmware could resolve the issue, but with only a handful modems left, my customer will probably swap them out for Compal D3.0 modems shortly. We have blocked this traffic in their firewall as well. Here are the details for a typical modem:
ARRIS Euro-DOCSIS 2.0 / SIP 2.0 Touchstone Telephony Modem <>
I hope this helps someone else!
/Fredrik
Hi!
The version info was stripped by the forum engine. Here it is again:
ARRIS Euro-DOCSIS 2.0 / SIP 2.0 Touchstone Telephony Modem HW_REV: 08; VENDOR: Arris Interactive, L.L.C.; BOOTR: 5.01; SW_REV: 5.2.69T.EURO.SIP; MODEL: TM501B
/Fredrik
You should apply the ACL (filters) to the MTA allowing only to accept connection on port 5060 from your SIP servers and the other way around. This is the most secure way of doing it (no matter the FW of CM). I believe that MTA interface has ifIndex at .16 so just create filters from SIP to MTA and from MTA to SIP. Your problems will be solved.
If you need any help doing it, let me know.
Br,
Janko
Hi!
Just letting port 5060 through is not enough since the RTP uses dynamic ports both for source and destination. I have not investigated further how they initiate the calls, and perhaps it is via some other back-door on another port. Luckily this customer has a PacketLogic firewall so we have no problems blocking this and any kind of traffic to the MTAs specifically. Perhaps I'll add an ACL to the modem to allow traffic only to the SIP server farm later on, but for now, the PacketLogic does the job.
My post was just a heads-up for those of you out there that have these modems and may be subject to hacking as well.
/Fredrik
v5.2.69 is pretty ancient (2009). For eMTA, it's usually best to be running fairly recent firmware to keep on top of bugs (and security problems!)
Also good idea to use private IP space for eMTA addressing. This stops attacks from the internet. And on the CMTS you can easily pop an access list on the bundle to also stop your CPE from talking to this RFC1918 address space.