Update: Polycom have introduced a new feature into their phone software that allows us to mitigate the symptoms of this problem. We have deployed the new options in our auto-provisioning system from 20th September 2016 for Polycom handsets. We still recommend that customers use an enterprise grade firewall to properly restrict inbound SIP traffic as this is the best protection, and may be necessary for other model handsets such as Cisco, Digium, Grandstream, SNOM and Yealink.
Over the last 6 months we've seen a massive increase in the number of customers complaining about receiving phantom calls on their SIP handsets - whether they have their own phone system or use our Hosted PBX product.
When this happens, customers raise support tickets with our support team who investigate the calls, and almost always can't see them in the call records on our system. So what are these calls, and where do they come from?
In most cases these calls are coming from a "SIP Scanner," like SIP Vicious. Scanners such as these are designed to allow security professionals to look for vulnerabilities in SIP networks - in particularly to help them identify SIP devices, active SIP extensions and find weak usernames and passwords that might allow an attacker to make phone calls as someone else.
Unfortunately like most things that can be used for good, it can also be used for evil. Hackers attempt to use these tools to find the same information. In most cases these attacks are harmless, and there is no "risk" from these scans - just a significant level of annoyance.
These scans are almost always uncovering weaknesses in the underlying NAT layer in use. In our technical opinion this is a weakness in the security implementation, and is a good reminder that NAT is not a firewall.
What can I do about it?
If you have an enterprise grade firewall, you can almost always implement security rules that protect agains this. Our standard implementation of Juniper SRX devices includes a specific set of NAT and Firewall rules that prevent these sorts of scans and attacks from being leveraged against handsets.
If you have a different firewall brand you can implement a rule set (Access Control List or ACL) that restricts SIP traffic (source/destination TCP/UDP port 5060) to our SIP IP Range (126.96.36.199/24).
Unfortunately most consumer routers (e.g. TP-Link, Netgear, DLink) do not have the smarts/functionality to do this - and even if you do implement the firewall rule the SIP ALG essentially undoes all your hard work. We recommend if you find yourself in this situation you look at upgrading your firewall.
Can you do something for me?
If you have an enterprise grade Cisco (ASA, PIX, iOS or Meraki), Juniper (SRX or NetScreen), SonicWall or Fortinet firewall, our network engineering team can provide consulting services to assist you with securing your firewall if you have trouble configuring these rules.
Real World can offer DSL, NBN and Ethernet IP customers our "Basic Internet Protect" product which implements a basic network-side stateless firewall to protect them from common attacks such as DNS amplification, NTP amplification, NETBIOS Snooping and SIP Scanning by blocking or restricting these services. It costs $5.50 per month (including GST), and it's not right for everyone - but if you aren't able to resolve the issues on your router then it's a good solution.
We also offer hosted enterprise firewall solutions for customers with more complicated firewall requirements, as well as regular security and penetration audits. If you think you need either of these things feel free to get in touch with our team and they will be more than happy to discuss your requirements with you.