How to prevent DID on Asterisk from being spoof

Is there a setting on FreePBX that would allow me to stop or mitigate intruders from spoofing the DID on our system?

a) it is not clear what you mean by “intruders spoofing the DID”

b) the FreePBX support forum is at


This really is an issue that arises from FreePBX, with SIP, not from Asterisk, and not in the same way with ISDN. However, basically:

  1. set your firewall not to accept external traffic from anywhere that might spoof, ideally only allow your ITSP;

  2. use chan_pjsip;

  3. do not allow guest or anonymous calls.

  4. do not allow calls from unauthenticated endpoints (ITSPs don’t generally authenticate themselves) to do anything expensive without strong secondary authentication;

  5. use TLS, with common name properly verified, as this provides provider authentication - I can’t remember if Asterisk supports this;

  6. (difficult with FreePBX) use ACL on your ITSP endpoints to limit calls in context that can recognize DIDs to those from your ITSP

FreePBX puts all ITSPs in the same context, then uses the request URI or To header (and occasionally other means) to get a value that it calls a DID, which it uses to route them into the dialplan. The DID is normally the number the caller actually called, which is a direct in dialling number for the ITSP, but might not be for Asterisk. Whilst in theory the ITSP sends this, for single number accounts, in reality it may be a reflection of the contact URI used in the registration.

With chan_sip, there is a problem with ITSPs that can originate from many IP addresses. If you are in that situation, anyone can get into your ITSP context (from-pstn) and they could provide one of your DIDs in the request URI. chan_pjsip allows you to specify multiple source addresses, and whole networks, so you can define an endpoint that covers both directions for an ITSP, rather than having an outgoing one and using the guest one for incoming.

It’s pretty unclear what you want specifically because it’s not clear what your connection is to the outside world and what you exactly mean by “being spoof”. If your connection to the outside is via a VoIP provider (ITSP), it’s pretty easy to block unwanted calls and only allow calls originated by this provider:

  1. Use chan_pjsip and SIP TCP/TLS.
  2. Often VoIP providers don’t open TCP/TLS connections on their own, but reuse existing connections (which have been opened by the client during registration). Check if this is the case for your ITSP, too.
    If yes: Don’t allow incoming connections (from the internet) at all (block all SYN packets and only allow “established” packets for port 5061).
  3. Use the Line feature for the registration and allow only incoming calls containing the line parameter in the INVITE.
  4. I have a patch which completely disables the listener for the transport used in pjsip (no listener - no connection from outside is possible at all).

Advantages of this procedure:

  • It is guaranteed that you only get calls from your ITSP
  • It’s not necessary to configure any IP address in the packet filter / firewall
  • Your ITSP may use as many different IP addresses for the SIP gateways - that’s now completely irrelevant.
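
The two replies above, put together as an added `pjsip.conf` fragment (not configuration posted by either participant, and written for plain Asterisk rather than FreePBX-generated files): the only endpoint allowed into the DID-routing context is the ITSP's, identified either by source network or by the registration's line parameter. All section names, hostnames, paths, credentials and addresses are placeholders.

```ini
; pjsip.conf - constructed example; every name, path and address is a placeholder

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/pbx.crt            ; placeholder path
priv_key_file=/etc/asterisk/keys/pbx.key        ; placeholder path
ca_list_file=/etc/ssl/certs/ca-certificates.crt ; placeholder path
method=tlsv1_2
verify_server=yes        ; require verification of the provider's certificate

[itsp-auth]
type=auth
auth_type=userpass
username=ACCOUNT         ; placeholder
password=CHANGE_ME       ; placeholder

[itsp-aor]
type=aor
contact=sip:sip.example.net:5061\;transport=tls

[itsp]
type=endpoint
transport=transport-tls
context=from-pstn        ; only this endpoint may reach the context that routes on DIDs
disallow=all
allow=alaw,ulaw
aors=itsp-aor
outbound_auth=itsp-auth

; Option A: identify inbound requests by source address (several hosts or networks).
[itsp-identify]
type=identify
endpoint=itsp
match=198.51.100.0/24    ; provider network (documentation range)
match=203.0.113.10       ; additional single gateway (documentation address)

; Option B: identify inbound requests by the line parameter added at registration.
[itsp-reg]
type=registration
transport=transport-tls
outbound_auth=itsp-auth
server_uri=sip:sip.example.net:5061\;transport=tls
client_uri=sip:ACCOUNT@sip.example.net
line=yes                 ; add a line parameter to the registered Contact
endpoint=itsp            ; requests carrying that line parameter map to this endpoint

; No [anonymous] endpoint is defined, so a request matching neither option
; is not associated with any endpoint and never reaches the dialplan.
```

Use option A or option B, not necessarily both; with option B the provider's source addresses no longer need to be listed.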
