This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

External IP to Internal IP access?

Hi,
I have someone flooding my PBX system. Not sure what they are doing, guessing trying to make free phone calls.
The system is blocking them, but i'm getting strange log reports

Default DROP UDP 108.62.x.x :5103 → 192.168.x.x:5060 len=365 ttl=44 tos=0x00

My question is how are they trying to access the INTERNAL IP of my PBX ? [:S]\

For testing, I have turned off ALL NAT rules and turned off the VOIP helper and the attacker continues to try and access my internal IP.

I have tried setting up a special NAT rule to blackhole them ( 108.62.x.x -> any -> external IP group --NAT --> Blackhole (10.245.x.x) Then set as my first rule NAT rules, and that does not capture the packets.

Any Ideas how they are doing this?

This thread was automatically locked due to age.

0 apijnappels over 11 years ago

It could be your internal host 192.168.x.x is some kind of a phone (or a voip server) that communicates with the external address 108.62.x.x and what you see there is the traffic that the remote host tries to send back.
Cancel
Vote Up 0 Vote Down

Cancel
0 NewImage over 11 years ago

Hmm could be, but all the external traffic for the PBX is NAT to a whitelisted group of Trunks.

I rebooted the firewall and now am seeing different effects, it no longer registers on the firewall log. It only shows up on the IPS as a flood. If I switch off the flood protection I don't see it on any log, but im still getting hit with a MB/s of traffic from the host.
Cancel
Vote Up 0 Vote Down

Cancel