How can I prevent my phone from receiving ghost calls?

Symptom

Your phone receives calls that exhibit at least two of the following symptoms:

  • Display random caller ID numbers (especially 100 or 1000), weird names, or nothing.
  • Dead air (and possibly continuing to ring) when answered.
  • Device doesn’t stop ringing, and fails to go to voicemail.

 

Cause

Ghost calls, or SIPVicious attacks, are port scans done on SIP ports for SIP-enabled devices like VoIP phones. An outside source is scanning SIP ports looking for active devices that can then be used to perform scam calls (such as fraudulent IRS calls). When the port is scanned and a device is detected, a group of packets is sent to the device to verify it is active and responding. During this process you will see the phone ring as if someone were calling.

 

Resolution

  1. Increase security of NAT Type.
  2. If a device has been configured to prevent SIPVicious attacks already, and the issue is persisting, the NAT is beginning to fail on the router. The device will need to be replaced.
  3. In addition to increasing NAT security, you can also configure a port forward rule for SIP ports 5060 and 5061 for the TCP/UDP Protocol, forcing these packet groups to an unused IP address, which will essentially drop the ghost call.If a router receiving ghost calls is missing the Port Forward option, it will need to be replaced (Belkin routers typically do not have port forwarding available). Modem-router combo units (e.g., AT&T units) do not allow port forwarding to deflect this traffic. These devices should be placed into bridge mode or IP Passthrough and a stand-alone router implemented.