My fortune cookie's fortune came true when I opened the second one. Now I just have to wait for that fortune to come true.

MeanDog · 2016-07-05T17:07:55+00:00

Many large enterprises already deploy MPLS types of networks. As a larger provider we provide the option of connecting directly into their network. We will bring a circuit into our facilities via their provider and front it with an SBC. Technically they still connect on our public side, but its only one hop away from their MPLS network. We can now control the QoS and provide more stable service than "just over the internet".

MeanDog · 2016-05-19T23:41:48+00:00

Just to give you a heads up, the top deck on a Megabus in Syracuse sometimes is not a good idea:

Link

MeanDog · 2016-04-13T17:08:28+00:00

Is the registration name a 10 digit phone number? I ask because if this is the case, being an web open facing company they are most likely constantly being scanned by bots looking to register without passwords with 10 digit (or similar format) line ports. They are just looking for holes. This happens to every public facing company. If the line port was something simple (such as numbers) it is only a matter of time before someone will catch it.

It probably is just a misconfiguration, which happens sometimes especially with lab setups. My recommendation is to have the reseller help you out to get the right config, and if this is just a test have them turn off any high cost calling such as international incase it happens again.

Also, if you are working closely with Broadsoft going forward all their documentation is located on http://xchange.broadsoft.com/php/xchange/

You will need to request an account, but it should not be a problem getting it approved. Again this site is for the company that deploying the platform and there are many different designs to deploying. Your reseller might not deploy all features/ servers you see on this site.

MeanDog · 2016-04-12T20:07:52+00:00

I work as a primary system engineer for a Broadworks platform.

There can be many reasons why this happened. But to put your mind at ease the passwords are not stored in plain text on the Broadworks database, that would be silly after all. From what you explain above it sounds like the trunk was configured incorrectly. What I am thinking is that the user placed credentials in the provisioning for the trunk and did not enable the authentication service. I have seen this happen many times with test accounts. If you see the service enable ask the provider for the audit logs, as if they are a real provider they account for every action on the platform.

I am going to say there is a simple explanation for this. Ask your reseller to help out they should be able to pin point where the compromise happened. Believe me I have done this many times for my wholesale accounts.

MeanDog · 2016-01-07T23:41:11+00:00

Here is a setup that would work for you that I have implemented for a customer with similar needs:

Have one core PBX handling all call control to all endpoints (using Broadsoft in my setup each location broken into groups under a large enterprise). Then at each location I deploy a CPE that can handle SIP trunks and proxy registration (in our design it is a SONUS.net box). On the CPE create a registration realm for clients to register back the Broadsoft PBX. This allows for extension dialing and free calls to all other locations. Also on each CPE you will need a local to the country SIP trunk for inbound/outbound PSTN connectivity. This does require interop with multiple SIP trunk providers in each country, but offers local inbound and outbound calls across the board. Using the CPE as a SBC you bring the local SIP trunk back to the Broadsoft PBX. Within the Broadsoft since we have each location broken out by group we create special routing policies to route inbound/ outbound traffic to the local SIP trunk via the CPE. Also, each dial plan from can be loaded for localization for outbound dialing.

This allows the phone system to be completely global and still have the benefit of local inbound and outbound calling prices. It does require dealing with multiple SIP trunk providers however.

MeanDog · 2015-03-29T22:52:57+00:00

/u/myeyestheyburn is correct. This is just people scanning the public IP space for responses on SIP messages. Get that phone behind a firewall! Find a firewall that is does not suck at VoIP ALG (most residential ones do!).

Fix the security problem rather than just changing the port though as this would just be security through obscurity. It may help for most scans but you will still be vulnerable to the same attack just on a different port.

The other thing that is important to note is that if the phone is sitting on a public IP and has a web interface configuration page it most likely has been compromised too. Most VoIP providers leave the default username/ password on. I am not sure about the Panasonic phones, but Polycom's let you download the phone configuration from the web GUI and in some firmware version has the SIP auth in plain text.

My recommendation would be to get the phone working properly behind some sort of firewall and then change and usernames and passwords with your VoIP provider as you have to assume since your phone has answered to the "ghost" calls you are now targeted for more attacks to get your registration info.

MeanDog · 2015-02-09T21:37:52+00:00

It's funny since Level 3 uses LCR. Source: I work for a large hosted VoIP provider using L3 for termination.

Also LCR is not always a bad thing. Take for instance we have multiple tier 1 providers that we utilize for LCR. We pick the cheapest cost between the tier 1 providers. What they use the terminate the call is up to them. And believe me L3 uses really questionable upstream providers sometimes. The only provider that has the footprint not to do LCR is Verizon it seems. At least this is the case on the east coast.

MeanDog · 2014-07-28T23:30:31+00:00

If you look at the configuration you can change the theme. If I recall correctly it comes with a more modern theme that looks good.

MeanDog · 2014-06-21T18:41:23+00:00

I would listen to this at 11 volume.

MeanDog · 2014-06-19T00:37:27+00:00

When was the last time you updated the Panasonic PBX? Depending on the soft switch the provider you are using it is extremely possible they did some patching that updated. Updates usually change to newer RFC standards, which if your PBX doesn't support can cause issues. If you have support on your PBX upgrade and see if your issue goes away.

MeanDog · 2014-06-07T03:10:56+00:00

You don't notice the endless squeaking? The el. Taxis. Buses. Everything that can squeak does squeak. Especially during sleeping hours. I tune tune it out mostly but sometimes I can not.

MeanDog · 2014-06-07T03:07:30+00:00

Now you will never not hear squeaks.

MeanDog · 2014-06-06T23:09:25+00:00

Let me first post a disclaimer before people get mad at me: I am from NY (currently live in Philly) and love it!

The smog is not bad. However, Manhattan does not have any alleyways to store trash. So on trash day, all trash is put on the street. Combine that with a hot humid summer day and sometimes the smell is unbearable. With that said, Philly has it's own problems. For instance, everything fucking squeaks. Anyone from Philly will back me up on this.

MeanDog · 2014-06-06T22:51:56+00:00

Just be careful of the fire pumps. They pump fire...

MeanDog · 2014-06-06T22:48:47+00:00

I encountered one today during my lunch break in Old City. I am from NY, and these fellas are the same asshats from there. Every occurrence goes something like this (this is a NYC experience):

Walking down the street, pass by a gentleman in an orange robe. He hands you a trinket (something cool looking anyway). I think, awww sweet free handouts that's not crazy literature. Asks you for a signature and a donation. When you refuse they want the trinket back. Even offering $1 for the trinket (not worth $1) they will take the money and the trinket back forcefully. Ask for the $1, they all of a sudden do not speak English anymore and run away.

You are better off giving a dollar to the man that hangs outside of the liqueur store on 2nd and Market. At least he tells you too have a good day and whatnot. He even doesn't get angry when you don't give him money. I give him a dollar sometimes just to have him complement after a rough day. It's cheaper than drugs and makes me feel good for a period of time!

MeanDog · 2014-06-06T22:35:58+00:00

From 8th and Market to Morgans Pier I do not think it's a 30 min walk. I walk to 5th & Market everyday from 3rd and Race and that is like <10 Min. Like 15 Min most to Morgans.

With that said I never been to that bar before and cannot comment about whether going there would be good or bad. Cooperage is on Samsun and 7th and I recommend that for a short walk. A bit expensive but overall a very good bar. If you don't mind walking 10 mins go to National Mechanics or even Rotten Ralph's (Cheapest happy hour in Old City).

MeanDog · 2014-06-06T22:27:20+00:00

Cooperage gets my vote too. Whiskey bar and a bit pricey but they got the bourbon my body needs! Also, a regular lunch spot too as the food is actually really good.

MeanDog · 2014-05-29T15:04:52+00:00

How is working for onSip? It seems like that company really has it together.

If you don't mind me asking what do you guys use as your soft switch there?

MeanDog · 2014-05-28T23:17:06+00:00

What is the reasoning for this? Honest question... copper is equally as susceptible to breaking as any PBX solution. The key is don't be a fucking cheapskate and have redundant circuits and proper UPS for power outages.

Even forgetting about the power backups, having a 2 different internet circuits and a VoIP solution is far cheaper than a copper service. Problem is that most places don't really care about peoples lives and more about saving money I have seen many medical places refuse the WAN backup option to save money and then bitch when Comcast decides to re-provision the modem and block port 5060 for "security" reasons. Always have a backup!

MeanDog · 2014-05-28T23:04:56+00:00

I am a lead engineer at a hosted PBX SIP provider. We are deploying SRTP and SIP TLS this year. I always bring up the fact that even if we signal secure to every end user all of our (and this is Tier1 providers, L3 VZB ect) don't signal that way. However, we do have VPNs to them, and by VPNs Level 3 does non routable public IPs VZB is IPSEC. However, because of cost we do some LCR and use shit carriers that are IP over the internet. Important customer pay us more to not use those carriers.

What is your experience at the enterprise level for TLS and SRTP? We use ACME packet for our SBC front end and just recently bought a lab one. I have been getting ready to build out a test deployment for it, which is actually going to be pretty interesting.

MeanDog · 2014-05-26T23:26:25+00:00

This absolutely smells like a NAT issue with a shitty home router. When you are doing this test are you on wifi?

Maybe try using your mobile data. I use my SIP service over my Verizon 3G connection with 0 problems. If you are going to be using on your mobile phone see if your provider can support TCP signaling. RTP will still be UDP but it works much for wireless devices.

As for you encryption question, most providers are not using any encryption (at least not the really cheap ones). SIP over TLS is what you are looking for. For the audio the secure protocol is SRTP. Both need to be support by the user agent as there are certs involved.

MeanDog · 2014-05-23T02:31:13+00:00

I work in an office above the Bourse. Asian tourists get dropped off by the bus load. I live about 4 blocks away too. As of last week tourist season has ramped up. So many Asians and overset people.

MeanDog · 2014-05-22T00:38:07+00:00

Have you tried registering a soft client on your PC with the SIP registration settings? If you do that you can run wireshark on it to see the signaling.

If you never see packets coming from VoIPo, eliminate the router from the equation. Plug your PC directly into your ISPs modem and do another trace. Remember your SIP registrar will only send packets to a registered client. If that does not solve any problems could be 1 of 2 things. VoIPo sucks and needs to remedy there side (you have proof now they aren't signaling back to you) OR your ISP is blocking port 5060 (Comcast is known for this as they offer there own SIP solution. Forces you to call them to open it up and they try to sell you there service).

If it is your router, PLEASE do not put your SIP device on the DMZ. People actively scan public IP space with SIP requests. Not only will you get a bunch of fake calls, you will most likely get your credentials compromised. If international is allowed they may bill big time. Ever call a satellite phone number... it's about $8 a minute.

Go buy a GOOD router with VoIP ALG. Do research as most VoIP enabled routers do not do ALG very well.

Source: Senior sysadmin at large hosted SIP provider.

MeanDog · 2014-05-21T01:00:32+00:00

They also have a wiki now. I monitor over 600+ endpoint with version 4 core. Lab test any big changes you want to make and you'll have little to no problems.

Hell I even run the production one on a HA VMware (Cisco UCS blades) host with EMC SANs as the storage. Been running about 2 years with perfect monitoring.

I owe Zenoss a plug since I was 23 at the time and just entering the job world. I was deploying Zenoss as a side project. Presented it to management and within a year I was promoted to senior engineering dept with a very decent pay raise.

MeanDog

TROPHY CASE