[kkielhofner]

Glad this is at the top. The linked Reddit thread demonstrates a common but fundamental misunderstanding of SIP.

Port 5060 is used for call control and is very low traffic. At most you may have timed OPTIONS messages but a “standard” SIP deployment is at most a handful of (small) packets per second per call setup and tear down with occasional REGISTER messages on an interval measured in seconds. Very low traffic and very low bandwidth. Obviously with more devices you get multiples of these numbers but still very low. 15 kbps is a pretty significant amount of SIP traffic.

This is most likely targeting VoIP abuse from tools like sipvicious. In a nutshell they scan the internet looking for open SIP ports. They then try to brute force credentials to place calls.

Why? Toll fraud. The scam works like this:

1) Setup an international toll charge number in some country. Let’s say it charges $5/min. For those that don’t know calls to these numbers get charged to the person placing the call from their phone company and end up on their phone bill with the amount getting paid out (less a cut) to the operator of the number.

2) Compromise a bunch of random exposed SIP implementations on the internet.

3) Place calls to your (or a partners) toll number.

4) Get paid from the toll charges.

5) Some time later the owner of the compromised system gets a huge bill depending on fraud detection systems at the carrier, how fast you could pump calls, etc.

It’s gotten so bad many VoIP providers block international calls by default and now (apparently) might be blocking 5060 traffic in some way.

This isn’t that different to what’s happened with SMTP over the years. To combat spam many last mile ISPs started blocking outbound TCP port 25 so compromised machines couldn’t directly send spam. This is where port 465/587 for SMTP “submission” came from.

[TheWoodsy]

Perfect example of one of the many SIP abuses I have personally seen here in Australia.

Don't get me started on the bajillion 3G+ modems here with default passwords.

[tinus_hn]

The real abuse of course is $5 a minute toll line. The ability to rack up that kind of charge should be opt-in, there’s basically no legitimate use case.

[devwastaken]

Not the ISP's responsibility.

[fragmede]

Yes it is. A responsible consumer ISP that's a good citizen on the Internet takes responsibility for everything that comes out of their system which includes, in practice, blocking ports for customers unless the customer calls tech support to get it unblocked. It also includes blocking outgoing DDoS traffic and kicking customers offline until they resolve the issue. And blocking spam sending bots. Unless you think keeping infected Windows PCs and rooted webcams online is a good thing.

Of course, not all ISPs do this, which is why DDoS attacks are still a thing, but the point remains, that responsible ISPs will take steps to prevent malicious traffic on the Internet from exiting their systems.

[kkielhofner]

I’d argue that a reasonable network limitation with a minimal blast ratio is responsible. For example, I use SIP over 5060 on Spectrum without issue.

Not having their network used by bots to inflict untold financial damage is being responsible.

Would you argue that implementation of BCP38 to cut down on bots used in DDoS attacks is “not the ISP’s responsibility”?

Plus, they get the abuse reports from the victims and I’m certain this traffic is a ToS violation for their customers and certainly against the CFAA and numerous other laws for the resulting theft and fraud it causes.

[kevin_thibedeau]

Block by default is fine but customers should be empowered to disable them if they need the IP service they're paying for.

[another_comment]

>>I’d argue that a reasonable network limitation with a minimal blast ratio is responsible.

I'm the OP and I agree. Across 3 Twilio phone numbers and I maybe make 4 voice calls and 10 texts a week. I've been doing this for 4 years or more.

>> For example, I use SIP over 5060 on Spectrum without issue.

As did I, until a week or so ago. Until I was cut off, without notice. I've been a Spectrum residential customer since the 1990s.

[unethical_ban]

Nah, just like port 25 outbound being blocked is shitty. How can we have a decentralized net when consumer ISPs make people call in or beg to have full network access?

Yes, do some flood detection, but the problem is that the SIP provider should be, as another commenter put, block international calls or otherwise detect/reject calls to toll systems. Who the heck uses toll numbers anymore anyway?

[kkielhofner]

"People" here being the 0.001% of the population that's interested in and capable of responsibly hosting anything. As others have noted I'm perfectly fine with someone having to make a phone call, go to a web UI, whatever to click a box with a scary warning (and potentially agree to additional terms) when they want to open their connection up. Spectrum has 32 million customers and blocking SMTP, netbios, RDP, rate limiting SIP, etc are reasonable defaults.

The alternative (today) is the literally millions of compromised PCs, IoT devices, etc that inflict incredible amounts of damage and make even more decentralizing services like CloudFlare essentially a necessity to make sure whatever you're hosting can deal with the possibility of terabits of traffic from a botnet showing up at any second (or SPAM, or VoIP fraud, etc, etc). As it stands now we have both and there is still an incredible amount of trash traffic - see other comments in this thread about people trying to host their own Asterisk instance and having it use 100% CPU just processing all of the malicious trash traffic showing up.

I mentioned blocking international calls by default in another comment. So now you need to contact your provider just to call someone in another country? Unfortunately, yes, that has been the case for many VoIP enabled systems for almost a decade now.

In NANPA (North American Numbering Plan) the international call prefix is 011. This is trivial to put behind a flag. However, after that detecting toll numbers is much more difficult because you're dealing with the entire world at that point and the numbering schemes, etc for toll numbers are all over the place. Additionally, in many countries there isn't any rhyme or reason to their toll numbering and unscrupulous network operators and jurisdictions that don't have a functioning legal system capitalize on all of this. It's been a while but I even remember some destinations in the caribbean taking advantage of having a +1 country code so not even the "international" call prefix block works in that case.

In my past life I was the CTO for a VoIP service provider with hundreds of thousands of business VoIP systems. This issue is very vast and complex while looking from the outside like yet another HN "Why don't you just do X" or "I could solve that in a weekend".

[unethical_ban]

I've been a firewall admin for a decade, I'm not entirely naive, and I am now sober.

I clearly don't work in VoIP, I only had a one year stint with call center stuff. But I am honestly asking, who uses toll numbers anymore? Why wouldn't phone companies and VoIP providers literally decide not to honor a tool that seems, to me, entirely built for scams? Are there places without Internet but with phones, in such a scenario where a toll number scheme makes sense?

Put in general terms, I am saying "don't block the network protocol, end the toll-payout protocol". It would be like us living in a system where scammers could charge you $5 each time you got caught staring at a postcard in your mailbox, and we decided to block postcards rather than stop paying the extortion.

On the broader topic of "decentralized servers being abused on the Internet" yeah I get the problem of open DNS and SMTP relays. I do assert that those services being locked down are why we only have 0.0001% engagement.

[kkielhofner]

You make a good point regarding toll numbers and the real answer is "I don't know" but they persist for whatever reasons...

I'm also not being entirely clear when I say "toll numbers". What I really mean is "high cost" numbers. You're a firewall admin, you know there's no limit to the creativity and ingenuity of scammers/fraudsters/etc with a clear monetization path. There's also traffic pumping[0], jurisdictions where the rate decks overly subsidize the cost to a "mobile" vs "landline", high-rate destinations (like Iridium), and again, various destinations with weird rate structures where (somewhat like traffic pumping) there doesn't seem to be any real justification that the billed rate aligns with the actual cost of delivering service but due to corrupt or non-functioning governments/regulators/telcos/etc they persist and are ripe for fraud.

[0] - https://www.fcc.gov/general/traffic-pumping

[denkmoon]

You buy access on a network that doesn't block those things, if you want a network that doesn't block those things.

[notatoad]

no, the ISP's responsibility is to ensure that the majority of their customers can access websites over http/s.

and if their IP blocks are getting added to "likely scammer" lists because of SIP scams originating on their network, then it's in their best interest to do something do discourage those scams. the people working to defeat scammers aren't necessarily making distinctions between port numbers.

[iatt]

The Internet (The I in ISP...) is far more than than the web. Mere HTTP/s access is suffocating, and we should not normalize this as a customer expectation.

[robocat]

However the ISP will get blamed by some victims.

[denkmoon]

Neither is dealing with spam yet they almost universally block port 25`