Asterisk Users - We are presently try to operate a hybrid GSM/Asterisk cellular basestation at the Burning Man Festival in the Nevada desert. (See http://openbts.sourceforge.net). The architecture is basically one where cell phones are presented to Asterisk as SIP users, using the IMSI as the SIP user ID for convenience. (It's running off of a wind turbine is the middle of a dust storm as my alkali-abused hands type this.) When we first got this system running, we were getting hammered with service requests from phones that people left turned on. We tried sending the magic GSM codes for "no roaming here", but some of them just kept coming back. It was like a denial of service attack. We figured out that the best way to shut those phones up was just to accept their registrations. We'd send a corresponding SIP registration to Asterisk, that would fail, but we'd report success to the GMS handset anyway so that it would think it had service and stop retrying the registration. Now we've discovered a new problem: Asterisk lets these non-existent make calls even though they are not listed as users in sip.conf. We suspect that is happening because they are all localhost connections, and therefore bypassing some kind of authentication check. These calls also show up in the CDR, but with the SIP ids of real, provisioned SIP users instead of the IMSIs of the phones that are actually making the calls. Any ideas how this is happening or how to fix it? -- David David A. Burgess Kestrel Signal Processing, Inc.
On Saturday 30 August 2008 19:15:36 David Burgess wrote:> Now we've discovered a new problem: Asterisk lets these non-existent > make calls even though they are not listed as users in sip.conf. We > suspect that is happening because they are all localhost connections, > and therefore bypassing some kind of authentication check. These > calls also show up in the CDR, but with the SIP ids of real, > provisioned SIP users instead of the IMSIs of the phones that are > actually making the calls. Any ideas how this is happening or how to > fix it?Generally, this is because your SIP users don't have passwords. Force passwords on all of your SIP devices, and alternate SIP endpoints won't be able to make calls without that corresponding user/password. The reason this happens is due to the matching sequence, where Asterisk prefers a match with no password (and where the host is dynamic) when all other searches fail to produce a match. -- Tilghman
On 31 Aug 2008, at 01:15, David Burgess wrote:> Asterisk Users - > > We are presently try to operate a hybrid GSM/Asterisk cellular > basestation at the Burning Man Festival in the Nevada desert. (See > http://openbts.sourceforge.net). The architecture is basically one > where cell phones are presented to Asterisk as SIP users, using the > IMSI as the SIP user ID for convenience. (It's running off of a wind > turbine is the middle of a dust storm as my alkali-abused hands type > this.) > > When we first got this system running, we were getting hammered with > service requests from phones that people left turned on. We tried > sending the magic GSM codes for "no roaming here", but some of them > just kept coming back. It was like a denial of service attack. We > figured out that the best way to shut those phones up was just to > accept their registrations. We'd send a corresponding SIP > registration to Asterisk, that would fail, but we'd report success to > the GMS handset anyway so that it would think it had service and stop > retrying the registration. > > Now we've discovered a new problem: Asterisk lets these non-existent > make calls even though they are not listed as users in sip.conf. We > suspect that is happening because they are all localhost connections, > and therefore bypassing some kind of authentication check. These > calls also show up in the CDR, but with the SIP ids of real, > provisioned SIP users instead of the IMSIs of the phones that are > actually making the calls. Any ideas how this is happening or how to > fix it?I'm not a SIP expert, but registration is about ensuring that the registering sip endpoint will be able to _receive_ calls so asterisk knows it is 'available' and how to route to it. In the case of an incoming call from these phones, the SIP header tells asterisk enough to help it route the traffic. Asterisk will look up the user and (as Tilghman mentioned) match them against the first password-less user. In IAX (dunno about SIP) the best thing is to add a catchall user which points to a context which rejects all calls immediately. Tim.