Tell HN: Spectrum is blocking TCP/UDP 5060 at my home
146 points by another_comment on Oct 30, 2022 | hide | past | favorite | 89 comments
For several years, I've run 3 VOIP phones from my house. About a week ago they stopped working. SIP REGISTER started failing.

Turns out Spectrum now blocks TCP/UDP port 5060. My workaround is to use a VPN. After that, everything is fine.

This reddit thread https://www.reddit.com/r/networking/comments/t8nulq/spectrum_is_rate_limiting_voipsip_traffic_port/ suggests Spectrum was rate limiting 5060 on 300mbps plans, but not on the 100mbps plans.

I have the 100mbps plan, and it is definitely affected now.

So if you are in SoCal, using Spectrum, and your VOIP phones suddenly stopped working in the last week or so, maybe this will help you.




They are probably trying to reduce SIP abuse. It's a big problem.


Glad this is at the top. The linked Reddit thread demonstrates a common but fundamental misunderstanding of SIP.

Port 5060 is used for call control and is very low traffic. At most you may have timed OPTIONS messages but a “standard” SIP deployment is at most a handful of (small) packets per second per call setup and tear down with occasional REGISTER messages on an interval measured in seconds. Very low traffic and very low bandwidth. Obviously with more devices you get multiples of these numbers but still very low. 15 kbps is a pretty significant amount of SIP traffic.

This is most likely targeting VoIP abuse from tools like sipvicious. In a nutshell they scan the internet looking for open SIP ports. They then try to brute force credentials to place calls.

Why? Toll fraud. The scam works like this:

1) Setup an international toll charge number in some country. Let’s say it charges $5/min. For those that don’t know calls to these numbers get charged to the person placing the call from their phone company and end up on their phone bill with the amount getting paid out (less a cut) to the operator of the number.

2) Compromise a bunch of random exposed SIP implementations on the internet.

3) Place calls to your (or a partners) toll number.

4) Get paid from the toll charges.

5) Some time later the owner of the compromised system gets a huge bill depending on fraud detection systems at the carrier, how fast you could pump calls, etc.

It’s gotten so bad many VoIP providers block international calls by default and now (apparently) might be blocking 5060 traffic in some way.

This isn’t that different to what’s happened with SMTP over the years. To combat spam many last mile ISPs started blocking outbound TCP port 25 so compromised machines couldn’t directly send spam. This is where port 465/587 for SMTP “submission” came from.


Perfect example of one of the many SIP abuses I have personally seen here in Australia.

Don't get me started on the bajillion 3G+ modems here with default passwords.


The real abuse of course is $5 a minute toll line. The ability to rack up that kind of charge should be opt-in, there’s basically no legitimate use case.


Not the ISP's responsibility.


Yes it is. A responsible consumer ISP that's a good citizen on the Internet takes responsibility for everything that comes out of their system which includes, in practice, blocking ports for customers unless the customer calls tech support to get it unblocked. It also includes blocking outgoing DDoS traffic and kicking customers offline until they resolve the issue. And blocking spam sending bots. Unless you think keeping infected Windows PCs and rooted webcams online is a good thing.

Of course, not all ISPs do this, which is why DDoS attacks are still a thing, but the point remains, that responsible ISPs will take steps to prevent malicious traffic on the Internet from exiting their systems.


I’d argue that a reasonable network limitation with a minimal blast ratio is responsible. For example, I use SIP over 5060 on Spectrum without issue.

Not having their network used by bots to inflict untold financial damage is being responsible.

Would you argue that implementation of BCP38 to cut down on bots used in DDoS attacks is “not the ISP’s responsibility”?

Plus, they get the abuse reports from the victims and I’m certain this traffic is a ToS violation for their customers and certainly against the CFAA and numerous other laws for the resulting theft and fraud it causes.


Block by default is fine but customers should be empowered to disable them if they need the IP service they're paying for.


>>I’d argue that a reasonable network limitation with a minimal blast ratio is responsible.

I'm the OP and I agree. Across 3 Twilio phone numbers and I maybe make 4 voice calls and 10 texts a week. I've been doing this for 4 years or more.

>> For example, I use SIP over 5060 on Spectrum without issue.

As did I, until a week or so ago. Until I was cut off, without notice. I've been a Spectrum residential customer since the 1990s.


Nah, just like port 25 outbound being blocked is shitty. How can we have a decentralized net when consumer ISPs make people call in or beg to have full network access?

Yes, do some flood detection, but the problem is that the SIP provider should be, as another commenter put, block international calls or otherwise detect/reject calls to toll systems. Who the heck uses toll numbers anymore anyway?


"People" here being the 0.001% of the population that's interested in and capable of responsibly hosting anything. As others have noted I'm perfectly fine with someone having to make a phone call, go to a web UI, whatever to click a box with a scary warning (and potentially agree to additional terms) when they want to open their connection up. Spectrum has 32 million customers and blocking SMTP, netbios, RDP, rate limiting SIP, etc are reasonable defaults.

The alternative (today) is the literally millions of compromised PCs, IoT devices, etc that inflict incredible amounts of damage and make even more decentralizing services like CloudFlare essentially a necessity to make sure whatever you're hosting can deal with the possibility of terabits of traffic from a botnet showing up at any second (or SPAM, or VoIP fraud, etc, etc). As it stands now we have both and there is still an incredible amount of trash traffic - see other comments in this thread about people trying to host their own Asterisk instance and having it use 100% CPU just processing all of the malicious trash traffic showing up.

I mentioned blocking international calls by default in another comment. So now you need to contact your provider just to call someone in another country? Unfortunately, yes, that has been the case for many VoIP enabled systems for almost a decade now.

In NANPA (North American Numbering Plan) the international call prefix is 011. This is trivial to put behind a flag. However, after that detecting toll numbers is much more difficult because you're dealing with the entire world at that point and the numbering schemes, etc for toll numbers are all over the place. Additionally, in many countries there isn't any rhyme or reason to their toll numbering and unscrupulous network operators and jurisdictions that don't have a functioning legal system capitalize on all of this. It's been a while but I even remember some destinations in the caribbean taking advantage of having a +1 country code so not even the "international" call prefix block works in that case.

In my past life I was the CTO for a VoIP service provider with hundreds of thousands of business VoIP systems. This issue is very vast and complex while looking from the outside like yet another HN "Why don't you just do X" or "I could solve that in a weekend".


I've been a firewall admin for a decade, I'm not entirely naive, and I am now sober.

I clearly don't work in VoIP, I only had a one year stint with call center stuff. But I am honestly asking, who uses toll numbers anymore? Why wouldn't phone companies and VoIP providers literally decide not to honor a tool that seems, to me, entirely built for scams? Are there places without Internet but with phones, in such a scenario where a toll number scheme makes sense?

Put in general terms, I am saying "don't block the network protocol, end the toll-payout protocol". It would be like us living in a system where scammers could charge you $5 each time you got caught staring at a postcard in your mailbox, and we decided to block postcards rather than stop paying the extortion.

On the broader topic of "decentralized servers being abused on the Internet" yeah I get the problem of open DNS and SMTP relays. I do assert that those services being locked down are why we only have 0.0001% engagement.


You make a good point regarding toll numbers and the real answer is "I don't know" but they persist for whatever reasons...

I'm also not being entirely clear when I say "toll numbers". What I really mean is "high cost" numbers. You're a firewall admin, you know there's no limit to the creativity and ingenuity of scammers/fraudsters/etc with a clear monetization path. There's also traffic pumping[0], jurisdictions where the rate decks overly subsidize the cost to a "mobile" vs "landline", high-rate destinations (like Iridium), and again, various destinations with weird rate structures where (somewhat like traffic pumping) there doesn't seem to be any real justification that the billed rate aligns with the actual cost of delivering service but due to corrupt or non-functioning governments/regulators/telcos/etc they persist and are ripe for fraud.

[0] - https://www.fcc.gov/general/traffic-pumping


You buy access on a network that doesn't block those things, if you want a network that doesn't block those things.


no, the ISP's responsibility is to ensure that the majority of their customers can access websites over http/s.

and if their IP blocks are getting added to "likely scammer" lists because of SIP scams originating on their network, then it's in their best interest to do something to discourage those scams. the people working to defeat scammers aren't necessarily making distinctions between port numbers.


The Internet (The I in ISP...) is far more than the web. Mere HTTP/s access is suffocating, and we should not normalize this as a customer expectation.


However the ISP will get blamed by some victims.


Neither is dealing with spam yet they almost universally block port 25


Ah, yes. The classic "all our customers are morons" approach, with no opt-out for those 0.1% who, in fact, are not. Very typical among ISPs/Telcos.

Where I am, we used to have a different, "nerdy" ISP [0], where the customer was allowed to bring their own modem; they also provided real IPv4/v6 dual-stack since forever, easy to request a /29, tech-support that's realistic to reach, and staffed with people who know what they are talking about, no bulk-firewalling port-25, etc... All for a modest 2x price increase over market average. Alas, they're out of business now.

[0] https://en.wikipedia.org/wiki/Xs4all


The opt-out is buy business-class service[0].

My guess is that the 2x price increase Xs4all was charging for their plan was a bridge too far for most customers. It's important to keep in mind that the vast majority of people rent their modem, don't know or care what a /29 is, and are calling tech support because the plug is loose or the modem needs a power cycle. Bulk-blocking SMTP happened because open ports are botnet ports, and the average customer does not know how to identify and shut down zombies on their network.

[0] Assuming your provider isn't stupidly committed to "you can't have business class because you're in a residential area, WFH doesn't exist, and the zoning code is gospel, all hail Robert Moses"


Even if the provider is stupid AF you can usually get around the residential restriction by starting the discussion with the business side of the company; once the salesman has a nibble he's not gonna cut you free if he can help it.

And then get a 2 year term on whatever seems a "good deal" at the time (I had cable speeds and 5 IPs) and once that is up call them and "drop down" to whatever you actually need (cable speeds and 1 IP) - you'll find that at that point there will be various "packages" that were never advertised but the system is quite capable of supporting.

If all else fails, find a company that works with the provider and offers service over their "last mile".

You'll pay for all the above, but not as much as you might think, and business support is actually good in many, many cases. Fabled evil Comcast rolled a truck twice until they tracked down a problem, at no charge.


Still sounds like a huge hassle compared to municipal fiber.


I still get emails from Comcrap because once I had a business internet plan with them in a residential area -- an apartment no less.

When it comes to internet service, "giving a crap about the customer" is a premium add-on from Comcast, but once you commit to opening your wallet for that, they do deliver.


What Comcast did you do business with?

Comcast doesn’t give a crap about customers, full stop. Oh yes, they’ll send “technicians” out 3 to 4 times a month to tell you everything tested perfectly. But get them to put a line monitor on your connection, provide them logs that you have over 5% packet loss that doesn’t start until after the CMTS, and they’ll get an “engineer” involved who will come out and leave some testing equipment which will confirm the issue. Over a year later, the issue will remain unresolved.

My aunt bought a house where, at the best of times, her kids can finish a game with only a handful of disconnects. The other 20% of the time they can’t even watch Netflix or streaming sports.

They tried the “business connection” trick already, at a cost of $300 a month for 150mbps. That didn’t improve anything.

The “investigation” remains open, and the “engineer” just doesn’t bother updating them anymore.

My cousin went door-to-door only to discover the whole neighborhood is having the same types of issues. It’s just the new normal.


IMO, if the ISP doesn't want to sell Internet access, they shouldn't be allowed to call it anything that could be mistaken by a consumer for Internet access.

Trying to upcharge customers for what they were initially supposed to deliver should be considered fraud.


> The opt-out is buy business-class service.

Yes, punish the undesirable behavior with more money. That will teach them a valuable lesson.


Well, the charitable interpretation would be that you're paying for their extra support costs.


The charitable assumption on the service provider's behalf would be that their customers are not morons.


Most of the time you can get around this by providing your own 'dumb' modem with no VOIP features on it. Quite often the control feature is on the firmware the ISP uploads to the modem.


> Where I am, we used to have a different, "nerdy" ISP [Xs4all]

I remember Xs4all, sorry to hear they went under.

I also miss the brief moment when we had line sharing on copper telco networks in the United States. Most people were perfectly happy with the standard offerings from their local telco, but those of us who wanted more could connect with an ISP who offered service via a dry pair DSL connection. I loved my time on Speakeasy, for example.

I remember all of the flaws with the line sharing system, too, but it actually worked for the short time we had it, in spite of the problems. Asking a niche ISP to build its own facilities-based network is an exercise in futility for many deployments. Of course, cities or counties or public utility districts could do it but the incumbent providers don't like that.


We had a similar type of “tech” ISP in the USA with a lot of similar features called Speakeasy back in the early 2000s. You could get static IPs easily, delegated control of your reverse DNS upon request, they encouraged connection sharing by offering an additional email account and IP address for $6/mo and even had guides on how to set up different SNAT and masquerading scenarios on Linux.

They were so cool compared to the options from AT&T and Roadrunner. It was like an ISP run by enthusiasts, for enthusiasts. They ended up getting bought by Mindspring IIRC.


Yep, I think we're talking about the same Speakeasy ("I loved my time on Speakeasy, for example."). I remember they used to assign IPs almost at random; you wouldn't get a larger subnet, you'd just get more IPs sent down your connection and it was up to you to have the routing equipment to handle them.

This was also the rise of the OpenWRT software on the WRT54G (and GS!) because no consumer-level hardware could do it. So many Linksys devices bricked from failing tftp sessions, but it worked so well if you could incant it onto the device.


It's worth noting that there's a spiritual successor to XS4ALL called Freedom[0].

[0]: https://www.freedom.nl/


And... they're still just as expensive as XS4ALL was. It's nice the option exists for people willing to pay the premium, though.


They're significantly cheaper if you live in an area with a non-KPN fiber network. In KPN network areas they're paying more than consumer pricing to KPN for network access, unfortunately.


Yeah, running SIP on a standard port without some serious firewall based rate limiting for unknown traffic is almost impossible.

I tried running a PBX on UDP 5060 and got >4GiB of logged register attempts in a few hours after opening the port, while asterisk was running at 100% CPU just rejecting the registration attempts the whole time.

It's insane compared to any other public service I run.


Have you tried fail2ban[0]? It can take log output from Asterisk and automatically insert iptables DROP rules for the source IP to block the traffic in the kernel. It still shows up on your interface and uses your bandwidth but dropping the packet in the kernel is much more efficient than Asterisk dealing with it (not to mention safer). It should also cause the bad actor to eventually give up on you and move elsewhere.

[0] - https://github.com/fail2ban/fail2ban/


No, I rate limit everything by default (per IP address, via a few nftables rules), until the user logs in, at which point I add the IP address to a whitelist. I also run SIP on non-default port and use SRV records to point the client to the right port. Helps with blind IP scans.

I don't really like the fail2ban approach.


If you use fail2ban and asterisk you will probably have to rewrite the asterisk regex rules in fail2ban. Not a big thing, but it will probably not work out of the box.


I'm not running my own service. I'm using www.iptel.org, they offer a free sip account. Under the hood they use the Kamailio sip server. It is pretty darn reliable for a free service.

Every few months iptel.org goes down for a few hours and I get 408 request timeouts. When Spectrum blocked 5060 UDP, I got 408 request timeouts for a week. It finally dawned on me to try my iptel account on my VPS and my SIP register succeeded. That's when I knew Spectrum had shut 5060 UDP. I tried 5060 TCP and that didn't work either.


I wrote a script that monitors the asterisk log and uses iptables to block any IP with a failed request. Problem solved. Sometimes I check how many IPs are blocked, it's astonishing.
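The log-watching approach described in the two comments above (fail2ban inserting iptables DROP rules from Asterisk's log, or a home-grown script doing the same) as an added example that is not part of any comment here and not fail2ban's own code. It parses constructed chan_sip failure lines, flags sources that fail REGISTER repeatedly inside a short window (so a slow scanner and a phone with a mistyped password are not lumped together with a burst brute-forcer), and emits the iptables commands. The log lines, addresses and thresholds are constructed; the chain name is an assumption.

```python
"""Detect brute-force SIP REGISTER attempts in Asterisk log output.

Hypothetical example: the log lines below are constructed, modelled on the
NOTICE that Asterisk's chan_sip emits on a failed registration. Nothing here
is fail2ban's own code; it reproduces the same idea (count failures per source
IP, emit DROP rules) in a few dozen lines.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.5 hammers several extensions within two
# minutes (scanner behaviour); 198.51.100.42 is a real phone with a mistyped
# password; 203.0.113.77 is a slow scanner spread over hours.
SAMPLE_LOG = """\
[2022-10-30 09:00:01] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '203.0.113.5:5060' - Wrong password
[2022-10-30 09:00:02] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@198.51.100.7>' failed for '203.0.113.5:5060' - No matching peer found
[2022-10-30 09:00:03] VERBOSE[2101] chan_sip.c: Really destroying SIP dialog 'abc@198.51.100.7' Method: REGISTER
[2022-10-30 09:00:04] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@198.51.100.7>' failed for '203.0.113.5:5060' - No matching peer found
[2022-10-30 09:00:31] NOTICE[2101] chan_sip.c: Registration from '"1001" <sip:1001@198.51.100.7>' failed for '198.51.100.42:5060' - Wrong password
[2022-10-30 09:01:05] NOTICE[2101] chan_sip.c: Registration from '"103" <sip:103@198.51.100.7>' failed for '203.0.113.5:5060' - No matching peer found
[2022-10-30 09:01:06] NOTICE[2101] chan_sip.c: Registration from '"104" <sip:104@198.51.100.7>' failed for '203.0.113.5:5060' - No matching peer found
[2022-10-30 09:05:00] NOTICE[2101] chan_sip.c: Registration from '"1001" <sip:1001@198.51.100.7>' failed for '198.51.100.42:5060' - Wrong password
[2022-10-30 09:10:00] NOTICE[2101] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '203.0.113.77:5060' - No matching peer found
[2022-10-30 10:10:00] NOTICE[2101] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '203.0.113.77:5060' - No matching peer found
[2022-10-30 11:10:00] NOTICE[2101] chan_sip.c: Registration from '"202" <sip:202@198.51.100.7>' failed for '203.0.113.77:5060' - No matching peer found
[2022-10-30 12:10:00] NOTICE[2101] chan_sip.c: Registration from '"203" <sip:203@198.51.100.7>' failed for '203.0.113.77:5060' - No matching peer found
[2022-10-30 13:10:00] NOTICE[2101] chan_sip.c: Registration from '"204" <sip:204@198.51.100.7>' failed for '203.0.113.77:5060' - No matching peer found
"""

# Matches only the registration-failure NOTICE; everything else is skipped.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<user>[^']*)' failed for '(?P<ip>[0-9.]+):\d+' - (?P<reason>.*)$"
)


def parse_failures(log_text):
    """Return (timestamp, source_ip, reason) for each failed REGISTER line."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # VERBOSE and other lines are not registration failures
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        failures.append((ts, m.group("ip"), m.group("reason")))
    return failures


def offending_sources(failures, max_fail=5, window=timedelta(minutes=10)):
    """Source IPs with at least max_fail failures inside any window-long span.

    Returns {ip: total_failures}. A sliding window rather than a plain total
    keeps a user who mistypes a password twice an hour off the block list.
    """
    by_ip = defaultdict(list)
    for ts, ip, _reason in failures:
        by_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        # If max_fail consecutive failures fit inside the window, it is a
        # brute-force burst, not a misconfigured phone.
        for i in range(len(stamps) - max_fail + 1):
            if stamps[i + max_fail - 1] - stamps[i] <= window:
                offenders[ip] = len(stamps)
                break
    return offenders


def drop_rules(offenders, chain="INPUT"):
    """iptables commands that drop the offenders in the kernel (what the
    fail2ban iptables action does); sorted so output is deterministic."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = offending_sources(parse_failures(SAMPLE_LOG))
    for rule in drop_rules(found):
        print(rule)
```

With the defaults only the burst scanner is dropped; widening the window to a few hours would also catch the slow scanner, at the cost of a higher false-positive risk for legitimate phones.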


That doesn't make what they're doing okay. To see why, imagine that they instead blocked access to all email services except their own, since spam is a big problem.


That's basically what domestic ISPs do. You will probably find that outbound traffic on port 25 is blocked, because all of your pwn3d inadequately-patched Windows machines are spam cannons now.


Yep - some block it so hard you have to use other ports to communicate with offsite mail servers (and why various other ports are found, now).

Some ISPs will remove the block if you ask.


I’ve come to treat residential ISPs as basically a transit for HTTP. As someone else in the thread pointed out that’s all that 99.99% of customers care about, and unfortunately you’re talking about a lowest common denominator here.


And this is (one of the reasons) why you should design modern protocols to use https as transport layer.


It doesn't fit. The reddit thread describes inbound traffic being rate limited. But SIP abuse would be outbound traffic.


You mean mass spam calling? Or what kind of abuse?


At least where I am in SoCal, AT&T literally just deployed fiber with plans up to 5 gigabit/s. I'm so glad to be leaving Spectrum behind, because when moving here I never thought I'd have a cable Internet provider that made me miss Comcast...

So hopefully you have some other options soon. :)


Saw your comment, went to my ATT internet account, and just upgraded from 1k to 5k! I’m so happy, thanks!


So, interesting stuff! I had my installation appointment, the guy came out and proceeded to tell me that the 5k plan would be useless to me. I asked why - apparently switches have not progressed at the same speed. Latest MBPs for example only support up to ~1300Mbps via wifi (however could support up to 10Gb bandwidth via Ethernet.) Most of my devices I use via wifi anyways. I have 1 Pi plugged in. I guess most hardware only has a 1k switch in it these days?

With that new info, I decided to stick to my 1k plan until more hardware catches up.


Is that even legal? Blocking network traffic because it competes with their offering?


From the wikipedia net neutrality page it looks like the FCC's stance has historically depended on the administration in power. There was the much celebrated 2015 change to title II, which was undone in 2017 i.e. the start of the Ajit Pai era. Now he is finally gone, but not before casting his vote in a 3-2 decision in 2020 to keep net neutrality dismantled. The new chair is pro-nn and working to undo the damage but it takes time.


Lol... I laugh every time I see Republicans undo things in a matter of weeks and then 3 years later Democrats are like.. we wish we could do something but it takes time.


Not surprising, the US telecommunications industry spends over $100 million per year on lobbying. They must be getting something in return.

https://www.opensecrets.org/industries/lobbying.php?cycle=Al...


It's very easy to break something, but fixing it always takes more time/effort/care. Especially if you want to try to improve it or prevent it from breaking in the same way again. You could give a drunk toddler a hammer and set him loose in a museum and he could be extremely destructive in a very short amount of time, but I don't think I'd be laughing about it or thinking the drunk toddler was especially clever for destroying so much, and I wouldn't fault the staff for taking a long time to restore and salvage what they can.


Republicans don't undo things in a matter of weeks. Obamacare is one example. Roe v. Wade is another.


It takes longer than weeks to plan, but when they enact their plans it doesn't take long. Democrats always play the game of... had we only known they could do that, now our hands are tied. Case in point is when they authorized the COVID-19 pandemic relief and then Trump fired the single person responsible for preventing fraud, and Democrats were like... hmm, we did nazi that coming.


You're cherry picking data to confirm a political bias. I'm not interested in trading counter examples, but if you could provide a scientific source that shows the pattern, that might be actually convincing.


Carriers do all kinds of filtering. They've blocked mail, file transfer, network discovery, and others for a long time. cgNAT blocks half of everything.


Yep - best practice is to always tunnel, or reverse proxy out on a random port if you're self-hosting anything. Have had many providers over the years and have anecdotally found that experience to be very true.


Yeah, in the past I tunneled everything through a VPS. These days I no longer bother, but I'm also getting service via a small ISP. It's a co-op and I got voted onto the board, so I have reasonable confidence against shenanigans.


Yep - VPS tunneling usually through nginx is how I get around it for my use cases.

Cheers on the co-op ISP - that's outstanding and I wish more places did that. In so many ways that's living the dream!


I've certainly dreamed of a co-op / credit union isp.

I think in absolute numbers there are a lot of people who would value that, but only one or two people in any given area, so no way to service them. (Not considering satellite for both bandwidth and latency reasons.)

A long time ago I was in some newsgroup or irc channel and someone from Russia I think it was, was just casually describing their internet connection like it was normal but it was blowing my mind, which was basically some kind of totally home grown adhoc very local lash-up where they had 100M cat5 ethernet right to their apartment and strung between a few neighboring buildings. It wasn't clear who operated or provided the uplink but the switches and last bits of cat5 were just done by the local residents. No real "isp" like a US individual subscribing directly and individually from Comcast etc. Presumably there was some sort of co-op arrangement to share the cost of the actual shared connection.

I don't know, at the time the idea of just running your own cat5 among a neighborhood's worth of buildings and getting way way WAY better service than what I could get paying even hundreds of $ as an individual residential consumer just blew my mind. Surely in the US some code inspector or other government official would come along and declare the cables illegal on some pretext or another, and surely the isp would call it some sort of theft or abuse.


You can do something similar in the US - many condos have it set up where they technically are an ISP and pay for transit.

Usually it's not worth it because you end up doing end-user support for every neighbor and people are dumb as rocks. But you'd be surprised how cheap a "very fast" transit internet connection can be.


I agree with what you're saying about support. I get nauseous just thinking about the number of people who call their ISP just because their laptop has a flaky Wifi module, and the thought of having to deal with that.


fact


The terms of service may prohibit running a "service" or "server", for some definition, on a residential contract.


Maybe they're forwarding the port to an internal service running on the router, instead of blocking it. At the very least, it would be nice if they let you turn it off.


My ISP breaks traceroute outside of the network. Their transit is cut out of my traceroutes.

Full technical story at https://blog.habets.se/2022/05/Another-way-MPLS-breaks-trace...


Huh, I remember back in the day seeing weird latency cliffs like that when trying to troubleshoot latency issues when playing World of Warcraft. There always seemed to be one between basically any ISP I was connected to and the AT&T network blizzard was running their servers on.


The weird part is not any latency numbers (TTL exceeded is not handled by a router's fast path), but hops missing.

Hops marked with "* * *" do not count as "missing" here.


It looks like someone technical from your ISP also replied in the comments of your post and offered to set up a call to explain it to you. That is far better than you can expect from almost any other provider.


Yeah, long story short I had a call with him, and he agreed that's probably right but it's not a priority to fix.

I hope they'll fix it soon, but not if it delays IPv6.

If I had a choice of FTTP providers then IPv6 support would weigh really high on my choice, but only one has dug up the street.


Guess they want you to pay for their bundled phone plan instead. I’m guessing you can bring this to their attention and get some boilerplate response containing words like “abuse” and “safety”. Prognosis: This will go to court on common carrier terms and the block will be lifted in 3-4 years.


>> Guess they want you to pay for their bundled phone plan instead.

I think you are right. But I am waaaay too cheap for that. I'm using Twilio on some Raspberry Pis with some software I wrote myself. For 3 phone numbers, I'm spending like $10 a month total.


My call quality also seems better since I've switched on the VPN. I do not have numerical proof of this, but it sure seems like my voice calls are crystal clear now.


My guess is Spectrum has been rate limiting port 5060 for a while, and finally just turned it off.

Nice.


With standard SIP implementations port 5060 is used for signaling and RTP for the actual media uses different (negotiated) ports.

Rate limiting 5060 wouldn’t have any impact on call quality.


FWIW, when I lived in Seattle I found that Lumen's DSL service blocked it as well. It wasn't an obvious block, though. It was either some DPI or size-based filtering. I wrote it up here for posterity:

https://blog.prolixium.com/2021/01/23/does-centurylink-dsl-b...

It worked just fine through Comcast's Xfinity service (although at the time, that service had other critical issues for me..) and I have no problem now with Verizon Fios.


It looks like port 5060 is becoming less common on their networks:

https://trends.shodan.io/search?query=port%3A5060+org%3Achar...


Fuck spectrum. They’re the worst. Drop them for a better carrier.

A critical service is nonfunctional. You should not have to VPN for your internet service to work. I can’t believe I even have to say that.


Use a session border controller if possible to get around the port blocking.


Can you use port 5061?


Excellent question. I will try that tomorrow morning and report back.


5061/tcp is preferable. It also works with TLS.


Are they also blocking 5061 SIP-TLS?


Sue them into the ground


They'll just change names again, so your suit will be for a new dead company



