So you are very happy with your VoIP service and suddenly from nothing, your telephone starts ringing repeatedly and no one is at the other side. This is what we call a "Ghost Call". In this article, I will explain why they happen and what we can do to prevent (or at least having less of them).
The first thing someone has to understand is how the local network (aka LAN) connects to the Internet. When a device is plugged into a LAN, it is assigned what is called a private IP. A private IP is like any other IP but it lacks the capability to be routable through the Internet.
If you want to know a little more about the types of IP addresses. This video explains it.
There is an interesting concept called NAT. NAT is the technique that allows devices with private IPs to route information through the Internet by sharing a public IP. The NAT is handled by your router (usually the device that you connect to your cable or DSL line).
When a connection is established, there is always a source IP-port pair and a destination IP-port pair. What the NAT does is a real-time substitution of the TCP/IP header while keeping track of the relationships (as the image shows). When a packet goes out from any LAN device, the router substitutes the source IP (sometimes the port if it is not available) by the current public IP (an IP that is routable through the Internet). When a packet returns, the router reviews the destination IP and port in the NAT table and forwards the given packet to the proper LAN device. This behaviour is also called pin-hole.
If you want to know more about the NAT, the following video explains it.
So, why is important to understand this? Because although NAT is an awesome solution to share public IP, the NAT by itself lacks any security mechanism. An orphan (non-connection-related) packet that arrives at one of the ports assigned in the NAT table will be forwarded automatically to the LAN device. It is up to the LAN device to discard or accept the packet.
When an attacker finds a pinhole, the next step of the attack is starting to send INVITES hoping that one hit. But, since the INVITE is sent to an IP Phone (and not a PBX), the telephone answers it and it starts to ring. This is the ghost call.
Sadly, this is something you can't prevent from your PBX. It is more of a LAN issue. The following suggestions will help to prevent (or at least reduce) this from happening:
Good luck!blog comments powered by Disqus