DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
sipvicious exploits port 5060 on 2820Vn with latest firmware
- 414nsw
- Topic Author
- Offline
- Junior Member
- Posts: 10
- Thank you received: 0
05 May 2011 14:34 #67605
by 414nsw
Replied by 414nsw on topic Re: sipvicious exploits port 5060 on 2820Vn with latest firm
As you point out there is no PBX server at the 2820Vn IP destination so why should port 5060 be responding at all as it's not a PBX ??
The ISP is not stopping any traffic, the SaaS VoIP service provider (ITSP) is stopping outgoing voice traffic.
The 2820Vn is acting as a client aggregator (and does have ALL client login details for each analogue handset), each handset or device is routed through the 2820Vn giving these dumb handsets (or other devices) an IP presence on the ITSP network.
My question still remains why is a port that is neither open nor port forwarded responding to a probe ?
How can I or the ITSP provider be confident that a hacker cannot spoof themselves as a client ??
- admin
- Offline
- Site Admin
- Posts: 1723
- Thank you received: 0
05 May 2011 15:35 #67607
by admin
Replied by admin on topic Re: sipvicious exploits port 5060 on 2820Vn with latest firm
414NSW wrote: As you point out there is no PBX server at the 2820Vn IP destination so why should port 5060 be responding at all as it's not a PBX ??
Because it is a SIP client and can receive VoIP calls to its analogue phone ports.
414NSW wrote: The 2820Vn is acting as a client aggregator (and does have ALL client login details for each analogue handset)
I don't understand what you mean; the router has no facility for storing client logins for handsets behind it!
414NSW wrote: My question still remains why is a port that is neither open nor port forwarded responding to a probe ?
Your question doesn't "remain" as you didn't ask it previously. You issued a "warning" to other users (one which appears to be bogus so far) and have alleged a vulnerability, which you have yet to explain.
414NSW wrote: How can I or the ITSP provider be confident that a hacker cannot spoof themselves as a client ?
"Spoof"? Do you mean uses someone else's SIP ID and password? That's not "spoofing" and I don't see how it's relevant to this, nor that there is any vulnerability whatsoever.
Forum Administrator
09 May 2011 11:36 #67651
by 414nsw
Replied by 414nsw on topic Re: sipvicious exploits port 5060 on 2820Vn with latest firm
So all SIP clients on the internet respond to any probe on port 5060 ??
If I can't store client logins for each analogue handset, (analogue port) how do they register as a SIP client, is it magic ??
My question does remain as I asked it to the DrayTek tech support team who have not responded since voipfone contacted them directly and outlined the issue ??
http://en.wikipedia.org/wiki/Session_Initiation_Protocol
Each transaction consists of a client request that invokes a particular method or function on the server and at least one response...if I'm not running a server why is port 5060 responding to a probe as no server / client session has been established ??
http://blog.sipvicious.org/2007/11/introduction-to-svmap.html
UPDATE: DrayTek tech support are now asking which commands are being used in Sipvicious to reveal the open system
09 May 2011 11:40 #67652
by 414nsw
Replied by 414nsw on topic Re: sipvicious exploits port 5060 on 2820Vn with latest firm
btw it is spoofing....
"the act of one person pretending to be someone else"
http://answers.ask.com/Computers/Other/what_is_spoofing
http://www.wisegeek.com/what-is-spoofing.htm
http://www.blurtit.com/q679877.html
09 May 2011 12:22 #67653
by 414nsw
Replied by 414nsw on topic Re: sipvicious exploits port 5060 on 2820Vn with latest firm
p.s. I'm not trying to be awkward / funny here - I've got a service provider that is concerned about network security and my account's outgoing traffic has been disabled.
SIP exploits are on the rise so we have to be vigilant and check this out.
Somebody has got this wrong and I don't care who, I just want this fixed as I'm a customer of both organisations.
What is happening does not appear to be correct as far as I am concerned and with my little knowledge / experience I am going to push this issue until I'm satisfied that I have a crystal clear response, which as of yet I do not.
All I have is "it's vulnerable" or "it's not vulnerable".....from either side....you can imagine my concern and frustration.
UPDATE: Draytek say that no vulnerability has been identified.
09 May 2011 13:29 #67654
by admin
Replied by admin on topic Re: sipvicious exploits port 5060 on 2820Vn with latest firm
414NSW wrote: p.s. I'm not trying to be awkward / funny here - I've got a service provider that is concerned about network security and my account's outgoing traffic has been disabled.
Okay, fair enough but you used the term 'vulnerability' and warned others to beware - you didn't say that was advice passed on by a third party and you're just an innocent
414NSW wrote: SIP exploits are on the rise so we have to be vigilant and check this out.
Quite right; VoIP theft is on the rise (although most theft is apparently from poorly secured PBXs where people use default or weak passwords like 1234).
414NSW wrote: Somebody has got this wrong and I don't care who, I just want this fixed as I'm a customer of both organisations.
Okay, but I'm not sure anything needs to be fixed. Your router is listening on Port 5060, presumably so that it can receive incoming calls. If it doesn't listen, it can't hear!
414NSW wrote: What is happening does not appear to be correct as far as I am concerned and with my little knowledge / experience
Well, I have not understood why.
414NSW wrote: UPDATE: Draytek say that no vulnerability has been identified.
Well, unless someone identifies a vulnerability, that is always the correct and default position and even saying "listening to 5060 is a vulnerability" is not correct unless there was an actual exploit discovered.
Forum Administrator
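Added example, not part of the thread and not DrayTek's code: a minimal model of why a SIP user agent listening on port 5060 answers an unsolicited OPTIONS request without any prior session, and how restricting signalling to the provider's addresses leaves the same probe unanswered. The sample message, the addresses and the `ITSP_NETS` allowlist are constructed assumptions.

```python
import ipaddress

# Constructed sample: an unsolicited SIP OPTIONS request (RFC 5737 documentation addresses).
PROBE = (
    "OPTIONS sip:100@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1234\r\n"
    "From: <sip:100@198.51.100.7>;tag=abc\r\n"
    "To: <sip:100@203.0.113.10>\r\n"
    "Call-ID: 1234567890\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Assumption: the ITSP's signalling range (placeholder documentation network).
ITSP_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def parse_request(raw):
    """Return (method, headers) for a SIP request, or None if it is not one."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], headers

def build_response(headers, code, reason):
    """Copy Via/From/To/Call-ID/CSeq into a response (simplified: no To tag added)."""
    out = [f"SIP/2.0 {code} {reason}"]
    for name in ("Via", "From", "To", "Call-ID", "CSeq"):
        out.append(f"{name}: {headers.get(name.lower(), '')}")
    out.append("Content-Length: 0")
    return "\r\n".join(out) + "\r\n\r\n"

def handle(raw, src_ip, allowed=None):
    """allowed=None answers any sender; a list of networks drops everyone else."""
    req = parse_request(raw)
    if req is None:
        return None
    src = ipaddress.ip_address(src_ip)
    if allowed is not None and not any(src in net for net in allowed):
        return None  # silent drop: the sender gets no SIP response at all
    method, headers = req
    if method == "OPTIONS":
        return build_response(headers, 200, "OK")  # answered with no registration or dialog
    return build_response(headers, 405, "Method Not Allowed")  # sketch models OPTIONS only
```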