Tell HN: Spectrum is blocking TCP/UDP 5060 at my home
For several years, I've run 3 VOIP phones from my house. About a week ago they stopped working. SIP REGISTER started failing.
Turns out Spectrum now blocks TCP/UDP port 5060. My workaround is to use a VPN. After that, everything is fine.
This reddit thread https://www.reddit.com/r/networking/comments/t8nulq/spectrum_is_rate_limiting_voipsip_traffic_port/ suggests Spectrum was rate limiting 5060 on 300mbps plans, but not on the 100mbps plans.
I have the 100mbps plan, and it is definitely affected now.
So if you are in SoCal, using Spectrum, and your VOIP phones suddenly stopped working in the last week or so, maybe this will help you.
94 comments
[ 2.8 ms ] story [ 156 ms ] threadI think you are right. But I am waaaay to cheap for that. I'm using Twilio on some Raspberry Pi's with some software I wrote myself. For 3 phone numbers, I'm spending like $10 a month total.
Cheers on the co-op ISP - that's outstanding and I wish more places did that. In so many ways that's living the dream!
I think in absolute numbers there are a lot of people who would value that, but only one or two people in any given area, so no way to service them. (Not considering sattelite for both bandwidth and latency reasons.)
A long time ago I was in some newsgroup or irc channnel and someone from Russia I think it was, was just casually describing their internet connection like it was normal but it was blowing my mind, which was basically some kind of totally home grown adhoc very local lash-up where they had 100M cat5 ethernet right to their appartment and strung between a few neighboring buildings. It wasn't clear who operated or provided the uplink but the switches and last bits of cat5 were just done by the local residents. No real "isp" like a US individual subscribing directly and individually from Comcast etc. Presumably there was some sort of co-op arrangement to share the cost of the actual shared connection.
I don't know at the time the idea of just running your own cat5 among a neighborhoods worth of buildings and getting way way WAY better service than what I could get paying even hundreds of $ as an individual residential consumer just blew my mind. Surely in the US some code inspector or other government official would come along and declare the cables illegal on some pretext or another, and surely the isp would call it some sort of theft or abuse.
Usually it's not worth it because you end up doing end-user support for every neighbor and people are dumb as rocks. But you'd be surprised how cheap a "very fast" transit internet connection can be.
https://www.opensecrets.org/industries/lobbying.php?cycle=Al...
Nice.
Rate limiting 5060 wouldn’t have any impact on call quality.
Where I am, we used to have a different, "nerdy" ISP [0], where customer was allowed to bring their own modem; they also provided real IPv4/v6 dual-stack since forever, easy to request a /29, tech-support that's realistic to reach, and staffed with people who know what they are talking about, no bulk-firewalling port-25, etc... All for a modest 2x price increase over market average. Alas, they're out of business now.
[0] https://en.wikipedia.org/wiki/Xs4all
My guess is that the 2x price increase Xs4all was charging for their plan was a bridge too far for most customers. It's important to keep in mind that the vast majority of people rent their modem, don't know or care what a /29 is, and is calling tech support because the plug is loose or the modem needs a power cycle. Bulk-blocking SMTP happened because open ports are botnet ports, and the average customer does not know how to identify and shut down zombies on their network.
[0] Assuming your provider isn't stupidly committed to "you can't have business class because you're in a residential area, WFH doesn't exist, and the zoning code is gospel, all hail Robert Moses"
When it comes to internet service, "giving a crap about the customer" is a premium add-on from Comcast, but once you commit to opening your wallet for that, they do deliver.
Comcast doesn’t give a crap about customers, full stop. Oh yes, they’ll send “technicians” out 3 to 4 times a month to tell you everything tested perfectly. But get them to put a line monitor on your connection, provide them logs that you have over 5% packet loss that doesn’t start until after the CMTS, and they’ll get an “engineer” involved who will come out and leave some testing equipment which will confirm the issue. Over a year later, the issue will remain unresolved.
My aunt bought a house where, at the best of times, her kids can finish a game with only a handful of disconnects. The other 20% of the time they can’t even watch Netflix or streaming sports.
They tried the “business connection” trick already, at a cost of $300 a month for 150mbps. That didn’t improve anything.
The “investigation” remains open, and the “engineer” just doesn’t bother updating them anymore.
My cousin went door-to-door only to discover the whole neighborhood is having the same types of issues. It’s just the new normal.
Yes, punish the undesirable behavior with more money. That will teach them a valuable lesson.
And then get a 2 year term on whatever seems a "good deal" at the time (I had cable speeds and 5 IPs) and once that is up call them and "drop down" to whatever you actually need (cable speeds and 1 IP) - you'll find that at that point there will be various "packages" that were never advertised but the system is quite capable of supporting.
If all else fails, find a company that works with the provider and offers service over their "last mile".
You'll pay for all the above, but not as much as you might think, and business support is actually good in many, many cases. Fabled evil Comcast rolled a truck twice until they tracked down a problem, at no charge.
Trying to upcharge customers for what they were initially supposed to deliver should be considered fraud.
I remember Xs4all, sorry to hear they went under.
I also miss the brief moment when we had line sharing on copper telco networks in the United States. Most people were perfectly happy with the standard offerings from their local telco, but those of us who wanted more could connect with an ISP who offered service via a dry pair DSL connection. I loved my time on Speakeasy, for example.
I remember all of the flaws with the line sharing system, too, but it actually worked for the short time we had it, in spite of the problems. Asking a niche ISP to build its own facilities-based network is an exercise in futility for many deployments. Of course, cities or counties or public utility districts could do it but the incumbent providers don't like that.
They were so cool compared to the options from AT&T and Roadrunner. It was like an ISP run by enthusiasts, for enthusiasts. They ended up getting bought by Mindspring IIRC.
This was also the rise of the OpenWRT software on the WRT54G (and GS!) because no consumer-level hardware coult do it. So many Linksys devices bricked from failing tftp sessions, but it worked so well if you could incant it onto the device.
[0]: https://www.freedom.nl/
Port 5060 is used for call control and is very low traffic. At most you may have timed OPTIONS messages but a “standard” SIP deployment is at most a handful of (small) packets per second per call setup and tear down with occasional REGISTER messages on an interval measured in seconds. Very low traffic and very low bandwidth. Obviously with more devices you get multiples of these numbers but still very low. 15 kbps is a pretty significant amount of SIP traffic.
This is most likely targeting VoIP abuse from tools like sipvicious. In a nutshell they scan the internet looking for open SIP ports. They then try to brute force credentials to place calls.
Why? Toll fraud. The scam works like this:
1) Setup an international toll charge number in some country. Let’s say it charges $5/min. For those that don’t know calls to these numbers get charged to the person placing the call from their phone company and end up on their phone bill with the amount getting paid out (less a cut) to the operator of the number.
2) Compromise a bunch of random exposed SIP implementations on the internet.
3) Place calls to your (or a partners) toll number.
4) Get paid from the toll charges.
5) Some time later the owner of the compromised system gets a huge bill depending on fraud detection systems at the carrier, how fast you could pump calls, etc.
It’s gotten so bad many VoIP providers block international calls by default and now (apparently) might be blocking 5060 traffic in some way.
This isn’t that different to what’s happened with SMTP over the years. To combat spam many last mile ISPs started blocking outbound TCP port 25 so compromised machines couldn’t directly send spam. This is where port 465/587 for SMTP “submission” came from.
Don't get me started on the bajillion 3G+ modems here with default passwords.
Not having their network used by bots to inflict untold financial damage is being responsible.
Would you argue that implementation of BCP38 to cut down on bots used in DDoS attacks is “not the ISP’s responsibility”?
Plus, they get the abuse reports from the victims and I’m certain this traffic is a ToS violation for their customers and certainly against the CFAA and numerous other laws for the resulting theft and fraud it causes.
Yes, do some flood detection, but the problem is that the SIP provider should be, as another commenter put, block international calls or otherwise detect/reject calls to toll systems. Who the heck uses toll numbers anymore anyway?
The alternative (today) is the literally millions of compromised PCs, IoT devices, etc that inflict incredible amounts of damage and make even more decentralizing services like CloudFlare essentially a necessity to make sure whatever you're hosting can deal with the possibility of terabits of traffic from a botnet showing up at any second (or SPAM, or VoIP fraud, etc, etc). As it stands now we have both and there is still an incredible amount of trash traffic - see other comments in this thread about people trying to host their own Asterisk instance and having it use 100% CPU just processing all of the malicious trash traffic showing up.
I mentioned blocking international calls by default in another comment. So now you need to contact your provider just to call someone in another country? Unfortunately, yes, that has been the case for many VoIP enabled systems for almost a decade now.
In NANPA (North American Numbering Plan) the international call prefix is 011. This is trivial to put behind a flag. However, after that detecting toll numbers is much more difficult because you're dealing with the entire world at that point and the numbering schemes, etc for toll numbers are all over the place. Additionally, in many countries there isn't any rhyme or reason to their toll numbering and unscrupulous network operators and jurisdictions that don't have a functioning legal system capitalize on all of this. It's been a while but I even remember some destinations in the caribbean taking advantage of having a +1 country code so not even the "international" call prefix block works in that case.
In my past life I was the CTO for a VoIP service provider with hundreds of thousands of business VoIP systems. This issue is very vast and complex while looking from the outside like yet another HN "Why don't you just do X" or "I could solve that in a weekend".
I clearly don't work in VoIP, I only had a one year stint with call center stuff. But I am honestly asking, who uses toll numbers anymore? Why wouldn't phone companies and VoIP providers literally decide not to honor a tool that seems, to me, entirely built for scams? Are there places without Internet but with phones, in such a scenario where a toll number scheme makes sense?
Put in general terms, I am saying "don't block the network protocol, end the toll-payout protocol". It would be like us living in a system where scammers could charge you $5 each time you got caught staring at a postcard in your mailbox, and we decided to block postcards rather than stop paying the extortion.
On the broader topic of "decentralized servers being abused on the Internet" yeah I get the problem of open DNS and SMTP relays. I do assert that those services being locked down are why we only have 0.0001% engagement.
I'm also not being entirely clear when I say "toll numbers". What I really mean is "high cost" numbers. You're a firewall admin, you know there's no limit to the creativity and ingenuity of scammers/fraudsters/etc with a clear monetization path. There's also traffic pumping[0], jurisdictions where the rate decks overly subsidize the cost to a "mobile" vs "landline", high-rate destinations (like Iridium), and again, various destinations with weird rate structures where (somewhat like traffic pumping) there doesn't seem to be any real justification that the billed rate aligns with the actual cost of delivering service but due to corrupt or non-functioning governments/regulators/telcos/etc they persist and are ripe for fraud.
[0] - https://www.fcc.gov/general/traffic-pumping
I'm the OP and I agree. Across 3 Twilio phone numbers and I maybe make 4 voice calls and 10 texts a week. I've been doing this for 4 years or more.
>> For example, I use SIP over 5060 on Spectrum without issue.
As did I, until a week or so ago. Until I was cut off, without notice. I've been a Spectrum residential customer since the 1990s.
and if their IP blocks are getting added to "likely scammer" lists because of SIP scams originating on their network, then it's in their best interest to do something do discourage those scams. the people working to defeat scammers aren't necessarily making distinctions between port numbers.
Of course, not all ISPs do this, which is why DDoS attacks are still a thing, but the point remains, that responsible ISPs will take steps to prevent malicious traffic on the Internet from exiting their systems.
I tried running a PBX on UDP 5060 and got >4GiB of logged register attempts in a few hours after opening the port, while asterisk was running at 100% CPU just rejecting the registration attempts the whole time.
It's insane compared to any other public service I run.
[0] - https://github.com/fail2ban/fail2ban/
I don't really like the fail2ban approach.
Every few months iptel.org goes down for a few hours and I get 408 request timeouts. When Spectrum blocked 5060 UDP, I got 408 request timeouts for a week. It finally dawned on me to try my iptel account on my VPS and my SIP register succeeded. That's when I knew Spectrum had shut 5060 UDP. I tried 5060 TCP and that didn't work either.
Some ISPs will remove the block if you ask.
Full technical story at https://blog.habets.se/2022/05/Another-way-MPLS-breaks-trace...
Hops marked with "* * *" do not count as "missing" here.
I hope they'll fix it soon, but not if it delays IPv6.
If I had a choice of FTTP providers then IPv6 support would weigh really high on my choice, but only one has dug up the street.
So hopefully you have some other options soon. :)
With that new info, I decided to stick to my 1k plan until more hardware catches up.
https://trends.shodan.io/search?query=port%3A5060+org%3Achar...
https://blog.prolixium.com/2021/01/23/does-centurylink-dsl-b...
It worked just fine through Comcast's Xfinity service (although at the time, that service had other critical issues for me..) and I have no problem now with Verizon Fios.
A critical service is nonfunctional. You should not have to VPN for your internet service to work. I can’t believe I even have to say that.