default sip with 12.4(13r)T

Unanswered Question
Apr 23rd, 2008

Hello all,

I use a 2811 router with CM Express for ISDN dialing to the PSTN. My ISP informed me that I have high voice traffic to some countries in Asia and Africa. I debugged it - all calls were over SIP, which was enabled on the public interface in the default SIP cfg (I didn't see anything about enabling SIP in the startup-config). Now I have disabled the TCP/UDP SIP transport and everything is OK, but can you explain to me what is possible or where the problem is?

Thank you.


my hw:

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T7, RELEASE SOFTWARE (fc3) - c2800nm-advipservicesk9-mz.124-9.T7.bin"

sh sip-ua calls

Number of SIP User Agent Client(UAC) calls: 0

Call 1
SIP Call ID : [email protected]
State of the call : STATE_RECD_INVITE (11)
Substate of the call : SUBSTATE_NONE (0)
Calling Number : 1111
Called Number : 9009595036838
Bit Flags : 0x40401E 0x100 0x404
CC Call ID : 39669
Source IP Address (Sig ): my ip
Destn SIP Req Addr:Port : unknown ip:5060
Destn SIP Resp Addr:Port: unknown ip:5060
Destination Name : unknown ip
Number of Media Streams : 1
Number of Active Streams: 1
RTP Fork Object : 0x0
Media Mode : flow-through

Media Stream 1
State of the stream : STREAM_ACTIVE
Stream Call ID : 39669
Stream Type : voice+dtmf (1)
Negotiated Codec : g723r63 (24 bytes)
Codec Payload Type : 4
Negotiated Dtmf-relay : rtp-nte
Dtmf-relay Payload Type : 101
Media Source IP Addr:Port: my ip:17172
Media Dest IP Addr:Port : unknown ip:19056
Orig Media Dest IP Addr:Port :

Stoyan Stoitsev Wed, 04/23/2008 - 04:06


Check this info[email protected]

Basically, SIP, H.323 and MGCP ports stay open no matter if you have configured/enabled any of these services, and anyone can connect to the router on port 5060 (for example), and if he guesses the right pattern to go out through your POTS dial-peers you'll get quite a nice bill from your telco ;)

So deny any ports that these protocols use if you have ISDN and internet on the same router. Permit them only from trusted hosts if that is possible and always put the sip no transport tcp/udp if you don't use SIP.

Use show tcp all brief and show ip sockets (if available in your IOS) to see on what ports your router is listening.

One of our clients said goodbye to a couple of thousand dollars the day before this advisory was posted.
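
As an added example (not part of the thread and not Cisco tooling): a Python check that parses `show sip-ua calls` output in the layout posted in the question and lists calls whose SIP signalling peer is outside a trusted allowlist. The sample text, its addresses and numbers, and the trusted network 198.51.100.0/24 are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout of the `show sip-ua calls` output quoted in
# the question; addresses are RFC 5737 documentation ranges, numbers made up.
SAMPLE = """\
Call 1
State of the call : STATE_RECD_INVITE (11)
Calling Number : 1111
Called Number : 900123456789
Source IP Address (Sig ): 192.0.2.1
Destn SIP Req Addr:Port : 203.0.113.77:5060
Call 2
State of the call : STATE_RECD_INVITE (11)
Calling Number : 2001
Called Number : 2002
Source IP Address (Sig ): 192.0.2.1
Destn SIP Req Addr:Port : 198.51.100.10:5060
"""

CALL_HEADER = re.compile(r"^\s*Call \d+\s*$")
# Key, then a colon followed by whitespace; keeps "Addr:Port" inside the key.
FIELD = re.compile(r"^\s*(.+?)\s*:\s+(.*)$")

def parse_calls(text):
    """Return one {field: value} dict per 'Call N' block."""
    calls = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if CALL_HEADER.match(line):
            calls.append({})
        elif calls and m:
            calls[-1].setdefault(m.group(1), m.group(2).strip())
    return calls

def untrusted_calls(calls, trusted_nets):
    """Return (calling, called, peer) for calls whose SIP peer is not trusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for call in calls:
        peer = call.get("Destn SIP Req Addr:Port", "").rsplit(":", 1)[0]
        try:
            trusted = any(ipaddress.ip_address(peer) in n for n in nets)
        except ValueError:
            trusted = False  # missing or unparsable peer counts as untrusted
        if not trusted:
            hits.append((call.get("Calling Number"), call.get("Called Number"), peer))
    return hits
```

Calling `untrusted_calls(parse_calls(SAMPLE), ["198.51.100.0/24"])` reports only the call signalled from 203.0.113.77; with an empty allowlist every SIP call is reported.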



lukasdrbo Wed, 04/23/2008 - 05:32

Hi Stoyan,

Thank you for the info. I read your advisory link, but if I understand (there is a lot of info about device crashes), the main reason for my problem could be this: "can potentially lead to remote code execution"? If yes, do you have any sample code please?


Stoyan Stoitsev Wed, 04/23/2008 - 06:51

As I told you, your router listens on these ports and it is possible that someone can remotely "execute code" on them, i.e. send call-setup signalization and eventually make a call. This does not mean that they have accessed the router.

