So you are very happy with your VoIP service and suddenly from nothing, your telephone starts ringing repeatedly and no one is on the other side. This is what we call a "Ghost Call". In this article, I will explain why they happen and what we can do to prevent (or at least have less of them).

What is Happening When a Ghost Call Rings?

The first thing someone has to understand is how the local network (aka LAN) connects to the Internet. When a device is plugged into a LAN, it is assigned what is called a private IP. A private IP is like any other IP but it cannot be routable through the Internet.

 There is an interesting concept called NAT. NAT is the technique that allows devices with private IPs to route information through the Internet by sharing a public IP. The NAT is handled by your router (usually the device that you connect to your cable or DSL line).

ghost calls nat

When a connection is established, there is always a source IP-port pair and a destination IP-port pair. What the NAT does is a real-time substitution of the TCP/IP header while keeping track of the relationships (as the image shows). When a packet goes out from any LAN device, the router substitutes the source IP (sometimes the port if it is not available) with the current public IP (an IP that is routable through the Internet). When a packet returns, the router reviews the destination IP and port in the NAT table and forwards the given packet to the proper LAN device. This behaviour is also called pin-hole.

So, why is important to understand this? Although NAT is an awesome solution for sharing public IP, NAT by itself lacks any security mechanism. An orphan (non-connection-related) packet that arrives at one of the ports assigned in the NAT table will be forwarded automatically to the LAN device. It is up to the LAN device to discard or accept the packet.

ghost calls hacking pinholeWhen an attacker finds a pinhole, the next step of the attack is starting to send INVITES hoping that one hits. But, since the INVITE is sent to an IP Phone (and not a PBX), the telephone answers it and it starts to ring. This is the ghost call.

How to Prevent a Ghost Call?

Sadly, this is something you can't prevent from your PBX. It is more of a LAN issue. The following suggestions will help to prevent (or at least reduce) this from happening:

  • Change the source port to a random number. Some IP phone brands have the source port 5060 configured by default. If you are using a NAT and the port has not been taken, then port 5060 will be used in the pinhole. 5060 is a well-known port, it is one of the first to be tried by an attacker. This won't prevent 100% a ghost call from happening, but it will make it harder. Some telephone brands can use random numbers, if your device can't select a random number by itself, just make sure you are not repeating the source port in any other IP telephone. You may want to watch this video if you want to understand more about this approach. Use a modem with a stateful firewall included. Stateful firewalls will reject packets that are considered to be orphans (from a not-established connection). If your router doesn't provide a stateful firewall, try to create rules to discard any incoming traffic different from your PBX IP.
  • Use TCP (at least) or TLS. TCP and TLS (TCP+SSL) have a mechanism that discards orphan packets. This won't prevent new connections from being established, it will just stop orphan packets from being accepted. By default, the SIP protocol is configured as UDP. You may want to watch this video to understand the differences between TCP and UDP.
  • Turn on security options in your IP Phones. Some telephone brands such as Grandstream, have security options that discard any incoming INVITE if it comes from a different source than the registered server. Although this could be the ultimate solution, if you use IP-to-IP connections (PBX-less calls), you won't be able to do them anymore.
  • Deploy a local PBX. If you can, this will put a small PBX in the middle of the connections. This PBX will be a layer-7 firewall, it will be able to discard any invalid traffic. As follows:
    ghost calls local pbxThe local PBX won't substitute your current PBX. It acts as a filter (Layer-7 Firewall or Proxy). Any incoming INVITE is analyzed and discarded if it doesn't satisfy a basic set of rules such as:
    • Source IP,
    • Valid Caller ID,
    • Valid User-Agent.

Good luck!

";