What are VoIP Ghost Calls and How to Prevent Them

So you are very happy with your VoIP service and suddenly from nothing, your telephone starts ringing repeatedly and no one is at the other side. This is what we call a "Ghost Call". In this article, I will explain why they happen and what we can do to prevent (or at least having less of them).

What is Happening When a Ghost Call Rings?

The first thing someone has to understand is how the local network (aka LAN) connects to the Internet. When a device is plugged into a LAN, it is assigned what is called a private IP. A private IP is like any other IP but it lacks the capability to be routable through the Internet.

If you want to know a little more about the types of IP addresses. This video explains it.

There is an interesting concept called NAT. NAT is the technique that allows devices with private IPs to route information through the Internet by sharing a public IP. The NAT is handled by your router (usually the device that you connect to your cable or DSL line).

When a connection is established, there is always a source IP-port pair and a destination IP-port pair. What the NAT does is a real-time substitution of the TCP/IP header while keeping track of the relationships (as the image shows). When a packet goes out from any LAN device, the router substitutes the source IP (sometimes the port if it is not available) by the current public IP (an IP that is routable through the Internet). When a packet returns, the router reviews the destination IP and port in the NAT table and forwards the given packet to the proper LAN device. This behaviour is also called pin-hole.

If you want to know more about the NAT, the following video explains it.

So, why is important to understand this? Because although NAT is an awesome solution to share public IP, the NAT by itself lacks any security mechanism. An orphan (non-connection-related) packet that arrives at one of the ports assigned in the NAT table will be forwarded automatically to the LAN device. It is up to the LAN device to discard or accept the packet.

When an attacker finds a pinhole, the next step of the attack is starting to send INVITES hoping that one hit. But, since the INVITE is sent to an IP Phone (and not a PBX), the telephone answers it and it starts to ring. This is the ghost call.

How to Prevent a Ghost Call?

Sadly, this is something you can't prevent from your PBX. It is more of a LAN issue. The following suggestions will help to prevent (or at least reduce) this from happening:

• Change the source port to a random number. Some IP phone brands have the source port 5060 configured by default. If you are using a NAT, and the port has not been taken, then port 5060 will be used in the pinhole. 5060 is a well-known port, it is one of the first to be tried by an attacker. This won't prevent 100% a ghost call to happen, but it will make it harder. Some telephone brands can use random numbers, if your device can't select a random number by itself, just make sure you are not repeating the source port in any other IP telephone. You may want to watch this video if you want to understand more about this approach.Use a modem with a stateful firewall included. Stateful firewalls will reject packets that are considered to be orphans (from a not-established connection). If your router doesn't provide a stateful firewall, try to create rules to discard any incoming traffic different from your PBX IP.
• Use TCP (at east) or TLS. TCP and TLS (TCP+SSL) have a mechanism that discards orphan packets. This won't prevent new connections to be established, it will just stop orphan packets from being accepted. By default, the SIP protocol is configured as UDP. You may want to watch this video to understand the differences between TCP and UDP.
  
• Turn on security options in your IP Phones. Some telephone brands such as Grandstream, have security options that discard any incoming INVITE if it comes from a different source than the registered server. Although this could be the ultimate solution, if you use IP-to-IP connections (PBX-less calls), you won't be able to do them anymore.
• Deploy a local PBX. If you can, this will put a small PBX in the middle of the connections. This PBX will be a layer-7 firewall, it will be able to discard any invalid traffic. As follows:
  The local PBX won't substitute your current PBX. It literally acts as a filter (Layer-7 Firewall or Proxy). Any incoming INVITE is analyzed and discarded if it doesn't satisfy a basic set of rules such as:
  • Source IP,
  • Valid Caller ID,
  • Valid User-Agent.

Good luck!