Ghost Calls: Troubleshooting
Symptom
My phone is receiving calls that exhibit at least two of these symptoms:
- Display random caller ID numbers (especially 100 or 1000), weird names, or nothing
- Ring endlessly without going to voicemail
- Feature dead air (and possibly continue to ring) when answered
Applies To
- Desk phones
Resolution
For Consumer Grade Routers
Log into the router and set a port forward for port 5060 TCP/UDP to an unused IP that is outside the DHCP normal range.
If the issue persists set the local SIP port on the phone, if this for one phone it will need to be completed for the rest as the port assignments automatically change throughout the day.
For Business or Enterprise Grade Firewalls
If the phones are on a separate voice VLAN block all traffic not routed to or from the 8x8 subnets contained in the X Series Technical Requirements.
If the phones are on a flat network with no VLAN ensure inbound traffic for unestablished sessions is dropped.
Ghost Calls will not appear in Call Detail Records
Cause
Ghost calls or (SIP Vicious) is caused by an external port scan of a customer’s network typically on port 5060. As an example the port scan program sends an invite to port 5060 and if it gets a “hit” on this port the phone will respond by ringing. Once the response comes back the attacker will attempt to hijack the traffic on the phone to make calls.
Attackers can define any port range 1-65535, but in most cases these attacks will only come through port 5060.
Additional Information
- If all troubleshooting steps have been completed and the issue is persisting, the router will need to be replaced. There is an issue with the NAT security on the device
- When a router begins to fail typically the NAT will be the first thing to being experiencing issues, this can leave pinholes open through the firewall that can allow SIP Vicious traffic through to devices.
- Some routers are simply not configurable and will have no fix, such as an AT&T modem router