


Is your Polycom Phone under attack?

Anyone who has worked in telecom long enough has been hit by a SIP scanner at some point.

People on NOC and support teams often see a customer open a ticket where the call goes like this:

Caller : “My phone is randomly ringing and will not stop.”

Tech Support : “Let me look at the logs.”

Tech Support reviews the logs, while the customer enjoys hold music that isn’t even fit for an elevator. 

10 minutes later

Tech Support : “I’m happy to report that we are not sending any calls to your device during that time. Your ticket number is 222444555, have a great day”

A few days later the caller is back on the phone. They are furious, as the issue is still happening. The support team doesn’t see the call in the logs, because it never traversed the VoIP provider’s core.

Thankfully, if you have Polycom phones, you can make a change to the device’s XML configuration file to block unsolicited INVITEs.

All you need is this:

<voIpProt voIpProt.SIP.requestValidation.1.request="INVITE" voIpProt.SIP.requestValidation.1.method="source"/>

Once applied, if the phone receives an INVITE from a device other than the IP of reg.1.server.address, it will reject the request with a SIP 400 BAD REQUEST.

Now instead of the user experiencing a phone that rings non-stop, they see and hear nothing.

Bad Guy – Blocked!
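An added example, not from the original post: a small Python audit that a provisioning team could run over one phone's configuration files to confirm that the two requestValidation attributes above are set, that reg.1.server.address is present, and that the XML actually parses. The file names, element names and the 192.0.2.10 address are constructed, and the script assumes parameters are carried as XML attributes on any element.

```python
import xml.etree.ElementTree as ET

# Parameter names and values exactly as given in the post.
EXPECTED = {
    "voIpProt.SIP.requestValidation.1.request": "INVITE",
    "voIpProt.SIP.requestValidation.1.method": "source",
}
REGISTRAR = "reg.1.server.address"  # address the phone compares INVITE sources against

def audit_phone(cfg_files):
    """Audit one phone's configuration, given {filename: xml_text}.

    Assumption: parameters are XML attributes that may sit on any element
    of any file, so all attributes are merged before checking.
    Returns (status, details) with status "ok", "malformed" or "incomplete".
    """
    params = {}
    for name, text in cfg_files.items():
        try:
            root = ET.fromstring(text)
        except ET.ParseError as exc:
            # For example, attributes written without an element name.
            return "malformed", {name: str(exc)}
        for elem in root.iter():
            params.update(elem.attrib)
    problems = {key: params.get(key) for key, want in EXPECTED.items()
                if params.get(key) != want}
    if not (params.get(REGISTRAR) or "").strip():
        problems[REGISTRAR] = None
    if problems:
        return "incomplete", problems
    return "ok", {REGISTRAR: params[REGISTRAR]}

# Constructed sample files (element names and the address are made up).
REG_CFG = '<polycomConfig><reg reg.1.server.address="192.0.2.10"/></polycomConfig>'
GOOD_CFG = ('<polycomConfig><voIpProt '
            'voIpProt.SIP.requestValidation.1.request="INVITE" '
            'voIpProt.SIP.requestValidation.1.method="source"/></polycomConfig>')
NO_METHOD = ('<polycomConfig><voIpProt '
             'voIpProt.SIP.requestValidation.1.request="INVITE"/></polycomConfig>')
NO_NAME = ('<polycomConfig>< voIpProt.SIP.requestValidation.1.request="INVITE" '
           'voIpProt.SIP.requestValidation.1.method="source"/></polycomConfig>')

if __name__ == "__main__":
    for label, files in [("good", {"reg.cfg": REG_CFG, "sip.cfg": GOOD_CFG}),
                         ("no method", {"reg.cfg": REG_CFG, "sip.cfg": NO_METHOD}),
                         ("no element name", {"sip.cfg": NO_NAME})]:
        print(label, audit_phone(files))
```

A "malformed" result means the XML parser rejected the file, so the file is not well-formed XML as written.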

 

Research: I tested this with a VVX 500 (5.2 software) and a SIP testing tool known as SIPp. I sent over 50 calls per second to the device while it was on an active call. During the active call I did not experience any audio issues.

When the call was disconnected, I did experience a phone that acted “slower” than normal to return to the home screen. Going off hook also introduced about a 1-second delay before presenting dial tone.

3 thoughts on “Is your Polycom Phone under attack?”

  1. Hi Keith, I have exactly this issue but when attempting your suggested fix (albeit with a VVX410), when I attempt to amend the cfg file with your code line, my XML editor gives “Name Error – The ‘=’ character, hexadecimal 0x3D, cannot be included in a name”. I can get a separate attribute of INVITE for the first part, when using it as a separate line item but the 2nd part ‘method=”source”/’ will not insert.
    I am completely new to this so any thoughts would be gratefully received. All the best, Martyn

  2. Keith, they say ignorance is bliss but in this case not for me!!! Anyway, have solved the coding and just waiting to see if ghost calls continue. Thanks for the blog, Martyn

  3. Hello Keith,

    Thank you for doing this research, it is very helpful, and your way of explaining is awesome. I have one question: I have a Polycom phone. Besides using a mirrored/spanned port on a switch, is there a way to capture packets from a Polycom phone, just like Cisco’s PC port can be configured to be mirrored or spanned to capture packets?

    Regards,
    Ronak
