[HN Gopher] Tell HN: Spectrum is blocking TCP/UDP 5060 at my home
___________________________________________________________________
Tell HN: Spectrum is blocking TCP/UDP 5060 at my home
For several years, I've run 3 VOIP phones from my house. About a
week ago they stopped working. SIP REGISTER started failing. Turns
out Spectrum now blocks TCP/UDP port 5060. My workaround is to use
a VPN. After that, everything is fine. This reddit thread
https://www.reddit.com/r/networking/comments/t8nulq/spectrum_is_rate_limiting_voipsip_traffic_port/
suggests Spectrum was rate limiting 5060
on 300mbps plans, but not on the 100mbps plans. I have the 100mbps
plan, and it is definitely affected now. So if you are in SoCal,
using Spectrum, and your VOIP phones suddenly stopped working in
the last week or so, maybe this will help you.
Author : another_comment
Score : 115 points
Date : 2022-10-30 16:30 UTC (6 hours ago)
| gsich wrote:
| 5061/tcp is preferable. It also works with TLS.
| thomashabets2 wrote:
| My ISP breaks traceroute _outside_ of the network. _Their_
| transit is cut out of my traceroutes.
|
| Full technical story at https://blog.habets.se/2022/05/Another-
| way-MPLS-breaks-trace...
| ShroudedNight wrote:
| Huh, I remember back in the day seeing weird latency cliffs
| like that when trying to troubleshoot latency issues when
| playing World of Warcraft. There always seemed to be one
| between basically any ISP I was connected to and the AT&T
| network blizzard was running their servers on.
| Kikawala wrote:
| Are they also blocking 5061 SIP-TLS?
| matt123456789 wrote:
| Guess they want you to pay for their bundled phone plan instead.
| I'm guessing you can bring this to their attention and get some
| boilerplate response containing words like "abuse" and "safety".
| Prognosis: This will go to court on common carrier terms and the
| block will be lifted in 3-4 years.
| another_comment wrote:
| >> Guess they want you to pay for their bundled phone plan
| instead.
|
| I think you are right. But I am waaaay too cheap for that. I'm
| using Twilio on some Raspberry Pi's with some software I wrote
| myself. For 3 phone numbers, I'm spending like $10 a month
| total.
| jeroenhd wrote:
| Is that even legal? Blocking network traffic because it competes
| with their offering?
| yummypaint wrote:
| From the wikipedia net neutrality page it looks like the FCC's
| stance has historically depended on the administration in
| power. There was the much celebrated 2015 change to title II,
| which was undone in 2017 i.e. the start of the ajit pai era.
| Now he is finally gone, but not before casting his vote in a
| 3-2 decision in 2020 to keep net neutrality dismantled. The new
| chair is pro-nn and working to undo the damage but it takes
| time.
| encryptluks2 wrote:
| Lol... I laugh every time I see Republicans undo things in a
| matter of weeks and then 3 years later Democrats are like..
| we wish we could do something but it takes time.
| calibas wrote:
| Not surprising, the US telecommunications industry spends
| over $100 million per year on lobbying. They must be
| getting something in return.
|
| https://www.opensecrets.org/industries/lobbying.php?cycle=A
| l...
| tchaffee wrote:
| Republicans don't undo things in a matter of weeks.
| Obamacare is one example. Roe v. Wade is another.
| encryptluks2 wrote:
| It takes longer than weeks to plan, but when they enact
| their plans it doesn't take long. Democrats always play
| the game of... had we only known they could do that, now
| our hands are tied. Case in point is when they authorized
| the COVID-19 pandemic relief and then Trump fired the
| single person responsible for preventing fraud, and
| Democrats were like... hmm, we did nazi that coming.
| tchaffee wrote:
| You're cherry picking data to confirm a political bias.
| I'm not interested in trading counter examples, but if
| you could provide a scientific source that shows the
| pattern, that might be actually convincing.
| zbrozek wrote:
| Carriers do all kinds of filtering. They've blocked mail, file
| transfer, network discovery, and others for a long time. cgNAT
| blocks half of everything.
| folkhack wrote:
| Yep - best practice is to always tunnel, or reverse proxy out
| on a random port if you're self-hosting _anything_. Have had
| many providers over the years and have anecdotally found that
| experience to be very true.
| zbrozek wrote:
| Yeah, in the past I tunneled everything through a VPS.
| These days I no longer bother, but I'm also getting service
| via a small ISP. It's a co-op and I got voted onto the
| board, so I have reasonable confidence against shenanigans.
| folkhack wrote:
| Yep - VPS tunneling usually through nginx is how I get
| around it for my use cases.
|
| Cheers on the co-op ISP - that's outstanding and I wish
| more places did that. In so many ways that's living the
| dream!
| Brian_K_White wrote:
| I've certainly dreamed of a co-op / credit union isp.
|
| I think in absolute numbers there are a lot of people who
| would value that, but only one or two people in any given
| area, so no way to service them. (Not considering
| satellite for both bandwidth and latency reasons.)
|
| A long time ago I was in some newsgroup or irc channel
| and someone from Russia I think it was, was just casually
| describing their internet connection like it was normal
| but it was blowing my mind, which was basically some kind
| of totally home grown ad hoc very local lash-up where they
| had 100M cat5 ethernet right to their apartment and
| strung between a few neighboring buildings. It wasn't
| clear who operated or provided the uplink but the
| switches and last bits of cat5 were just done by the
| local residents. No real "isp" like a US individual
| subscribing directly and individually from Comcast etc.
| Presumably there was some sort of co-op arrangement to
| share the cost of the actual shared connection.
|
| I don't know at the time the idea of just running your
| own cat5 among a neighborhood's worth of buildings and
| getting way way WAY better service than what I could get
| paying even hundreds of $ as an individual residential
| consumer just blew my mind. Surely in the US some code
| inspector or other government official would come along
| and declare the cables illegal on some pretext or
| another, and surely the isp would call it some sort of
| theft or abuse.
| bombcar wrote:
| You can do something similar in the US - many condos have
| it set up where they technically are an ISP and pay for
| transit.
|
| Usually it's not worth it because you end up doing end-
| user support for every neighbor and people are dumb as
| rocks. But you'd be surprised how cheap a "very fast"
| transit internet connection can be.
| chihuahua wrote:
| I agree with what you're saying about support. I get
| nauseous just thinking about the number of people who
| call their ISP just because their laptop has a flaky Wifi
| module, and the thought of having to deal with that.
| jmole wrote:
| Maybe they're forwarding the port to an internal service
| running on the router, instead of blocking it. At the very
| least, it would be nice if they let you turn it off.
| throw0101c wrote:
| The terms of service may prohibit running a "service" or
| "server", for some definition, on a residential contract.
| StayTrue wrote:
| Can you use port 5061?
| relentlesshack wrote:
| Use a session border controller if possible to get around the
| port blocking.
| [deleted]
| animitronix wrote:
| Sue them into the ground
| dylan604 wrote:
| They'll just change names again, so your suit will be for a new
| dead company
| achillean wrote:
| It looks like port 5060 is becoming less common on their
| networks:
|
| https://trends.shodan.io/search?query=port%3A5060+org%3Achar...
| _wldu wrote:
| They are probably trying to reduce SIP abuse. It's a big problem.
| 3np wrote:
| You mean mass spam calling? Or what kind of abuse?
| kkielhofner wrote:
| Glad this is at the top. The linked Reddit thread demonstrates
| a common but fundamental misunderstanding of SIP.
|
| Port 5060 is used for call control and is very low traffic. At
| most you may have timed OPTIONS messages but a "standard" SIP
| deployment is at most a handful of (small) packets per second
| per call setup and tear down with occasional REGISTER messages
| on an interval measured in seconds. Very low traffic and very
| low bandwidth. Obviously with more devices you get multiples of
| these numbers but still very low. 15 kbps is a pretty
| significant amount of SIP traffic.
|
| This is most likely targeting VoIP abuse from tools like
| sipvicious. In a nutshell they scan the internet looking for
| open SIP ports. They then try to brute force credentials to
| place calls.
|
| Why? Toll fraud. The scam works like this:
|
| 1) Set up an international toll charge number in some country.
| Let's say it charges $5/min. For those that don't know calls to
| these numbers get charged to the person placing the call from
| their phone company and end up on their phone bill with the
| amount getting paid out (less a cut) to the operator of the
| number.
|
| 2) Compromise a bunch of random exposed SIP implementations on
| the internet.
|
| 3) Place calls to your (or a partner's) toll number.
|
| 4) Get paid from the toll charges.
|
| 5) Some time later the owner of the compromised system gets a
| huge bill depending on fraud detection systems at the carrier,
| how fast you could pump calls, etc.
|
| It's gotten so bad many VoIP providers block international
| calls by default and now (apparently) might be blocking 5060
| traffic in some way.
|
| This isn't that different to what's happened with SMTP over the
| years. To combat spam many last mile ISPs started blocking
| outbound TCP port 25 so compromised machines couldn't directly
| send spam. This is where port 465/587 for SMTP "submission"
| came from.
| devwastaken wrote:
| Not the ISP's responsibility.
| robocat wrote:
| However the ISP will get blamed by some victims.
| kkielhofner wrote:
| I'd argue that a reasonable network limitation with a
| minimal blast ratio is responsible. For example, I use SIP
| over 5060 on Spectrum without issue.
|
| Not having their network used by bots to inflict untold
| financial damage is being responsible.
|
| Would you argue that implementation of BCP38 to cut down on
| bots used in DDoS attacks is "not the ISP's
| responsibility"?
|
| Plus, they get the abuse reports from the victims and I'm
| certain this traffic is a ToS violation for their customers
| and certainly against the CFAA and numerous other laws for
| the resulting theft and fraud it causes.
| kevin_thibedeau wrote:
| Block by default is fine but customers should be
| empowered to disable them if they need the IP service
| they're paying for.
| [deleted]
| TheWoodsy wrote:
| Perfect example of one of the many SIP abuses I have
| personally seen here in Australia.
|
| Don't get me started on the bajillion 3G+ modems here with
| default passwords.
| nousermane wrote:
| Ah, yes. The classic "all our customers are morons" approach,
| with no opt-out for those 0.1% who, in fact, are not. Very
| typical among ISPs/Telcos.
|
| Where I am, we used to have a different, "nerdy" ISP [0], where
| customer was allowed to bring their own modem; they also
| provided real IPv4/v6 dual-stack since forever, easy to request
| a /29, tech-support that's realistic to reach, and staffed with
| people who know what they are talking about, no bulk-
| firewalling port-25, etc... All for a modest 2x price increase
| over market average. Alas, they're out of business now.
|
| [0] https://en.wikipedia.org/wiki/Xs4all
| water8 wrote:
| techsupporter wrote:
| > Where I am, we used to have a different, "nerdy" ISP
| [Xs4all]
|
| I remember Xs4all, sorry to hear they went under.
|
| I also miss the brief moment when we had line sharing on
| copper telco networks in the United States. Most people were
| perfectly happy with the standard offerings from their local
| telco, but those of us who wanted more could connect with an
| ISP who offered service via a dry pair DSL connection. I
| loved my time on Speakeasy, for example.
|
| I remember all of the flaws with the line sharing system,
| too, but it actually worked for the short time we had it, in
| spite of the problems. Asking a niche ISP to build its own
| facilities-based network is an exercise in futility for many
| deployments. Of course, cities or counties or public utility
| districts could do it but the incumbent providers don't like
| that.
| voidwtf wrote:
| We had a similar type of "tech" ISP in the USA with a lot
| of similar features called Speakeasy back in the early
| 2000s. You could get static ips easily, delegated control
| of your reverse dns upon request, they encouraged
| connection sharing by offering an additional email account
| and IP address for $6/mo and even had guides on how to set up
| different SNAT and masquerading scenarios on Linux.
|
| They were so cool compared to the options from AT&T and
| Roadrunner. It was like an ISP run by enthusiasts, for
| enthusiasts. They ended up getting bought by Mindspring
| IIRC.
| kmeisthax wrote:
| The opt-out is buy business-class service[0].
|
| My guess is that the 2x price increase Xs4all was charging
| for their plan was a bridge too far for most customers. It's
| important to keep in mind that the vast majority of people
| rent their modem, don't know or care what a /29 is, and are
| calling tech support because the plug is loose or the modem
| needs a power cycle. Bulk-blocking SMTP happened because open
| ports are botnet ports, and the average customer does not
| know how to identify and shut down zombies on their network.
|
| [0] Assuming your provider isn't stupidly committed to "you
| can't have business class because you're in a residential
| area, WFH doesn't exist, and the zoning code is gospel, all
| hail Robert Moses"
| pixl97 wrote:
| Most of the time you can get around this by providing your
| own 'dumb' modem with no VOIP features on it. Quite often
| the control feature is on the firmware the ISP uploads to
| the modem.
| bombcar wrote:
| Even if the provider is stupid AF you can usually get
| around the residential restriction by _starting_ the
| discussion with the business side of the company; once the
| salesman has a nibble he's not gonna cut you free if he
| can help it.
|
| And then get a 2 year term on whatever seems a "good deal"
| at the time (I had cable speeds and 5 IPs) and once that is
| up call them and "drop down" to whatever you actually
| _need_ (cable speeds and 1 IP) - you'll find that at that
| point there will be various "packages" that were never
| advertised but the system is quite capable of supporting.
|
| If all else fails, find a company that works with the
| provider and offers service over their "last mile".
|
| You'll pay for all the above, but not as much as you might
| think, and business support is _actually good_ in many,
| many cases. Fabled evil Comcast rolled a truck twice until
| they tracked down a problem, at no charge.
| bitwize wrote:
| I _still_ get emails from Comcrap because once I had a
| business internet plan with them in a residential area --
| an apartment no less.
|
| When it comes to internet service, "giving a crap about the
| customer" is a premium add-on from Comcast, but once you
| commit to opening your wallet for that, they do deliver.
| voidwtf wrote:
| What Comcast did you do business with?
|
| Comcast doesn't give a crap about customers, full stop.
| Oh yes, they'll send "technicians" out 3 to 4 times a
| month to tell you everything tested perfectly. But get
| them to put a line monitor on your connection, provide
| them logs that you have over 5% packet loss that doesn't
| start until after the CMTS, and they'll get an "engineer"
| involved who will come out and leave some testing
| equipment which will confirm the issue. Over a year
| later, the issue will remain unresolved.
|
| My aunt bought a house where, at the best of times, her
| kids can finish a game with only a handful of
| disconnects. The other 20% of the time they can't even
| watch Netflix or streaming sports.
|
| They tried the "business connection" trick already, at a
| cost of $300 a month for 150mbps. That didn't improve
| anything.
|
| The "investigation" remains open, and the "engineer" just
| doesn't bother updating them anymore.
|
| My cousin went door-to-door only to discover the whole
| neighborhood is having the same types of issues. It's
| just the new normal.
| tgsovlerkhgsel wrote:
| IMO, if the ISP doesn't want to sell Internet access, they
| shouldn't be allowed to call it anything that could be
| mistaken by a consumer for Internet access.
|
| Trying to upcharge customers for what they were initially
| supposed to deliver should be considered fraud.
| RunSet wrote:
| > The opt-out is buy business-class service.
|
| Yes, punish the undesirable behavior with _more_ money.
| That will teach them a valuable lesson.
| Wowfunhappy wrote:
| Well, the charitable interpretation would be that you're
| paying for their extra support costs.
| [deleted]
| jorams wrote:
| It's worth noting that there's a spiritual successor to
| XS4ALL called Freedom[0].
|
| [0]: https://www.freedom.nl/
| Tijdreiziger wrote:
| And... they're still just as expensive as XS4ALL was. It's
| nice the option exists for people willing to pay the
| premium, though.
| josephcsible wrote:
| That doesn't make what they're doing okay. To see why, imagine
| that they instead blocked access to all email services except
| their own, since spam is a big problem.
| chrismeller wrote:
| I've come to treat residential ISPs as basically a transit
| for HTTP. As someone else in the thread pointed out that's
| all that 99.99% of customers care about, and unfortunately
| you're talking about a lowest common denominator here.
| Gordonjcp wrote:
| That's basically what domestic ISPs do. You will probably
| find that outbound traffic on port 25 is blocked, because all
| of your pwn3d inadequately-patched Windows machines are spam
| cannons now.
| bombcar wrote:
| Yep - some block it so hard you have to use other ports to
| communicate with _offsite_ mail servers (and why various
| other ports are found, now).
|
| Some ISPs will remove the block if you ask.
| megous wrote:
| Yeah, running SIP on a standard port without some serious
| firewall based rate limiting for unknown traffic is almost
| impossible.
|
| I tried running a PBX on UDP 5060 and got >4GiB of logged
| register attempts in a few hours after opening the port, while
| asterisk was running at 100% CPU just rejecting the
| registration attempts the whole time.
|
| It's insane compared to any other public service I run.
| another_comment wrote:
| I'm not running my own service. I'm using www.iptel.org, they
| offer a free sip account. Under the hood they use the
| Kamailio sip server. It is pretty darn reliable for a free
| service.
|
| Every few months iptel.org goes down for a few hours and I
| get 408 request timeouts. When Spectrum blocked 5060 UDP, I
| got 408 request timeouts for a week. It finally dawned on me
| to try my iptel account on my VPS and my SIP register
| succeeded. That's when I knew Spectrum had shut 5060 UDP. I
| tried 5060 TCP and that didn't work either.
| kkielhofner wrote:
| Have you tried fail2ban[0]? It can take log output from
| Asterisk and automatically insert iptables DROP rules for the
| source IP to block the traffic in the kernel. It still shows
| up on your interface and uses your bandwidth but dropping the
| packet in the kernel is much more efficient than Asterisk
| dealing with it (not to mention safer). It should also cause
| the bad actor to eventually give up on you and move
| elsewhere.
|
| [0] - https://github.com/fail2ban/fail2ban/
| [deleted]
| blablablub wrote:
| If you use fail2ban and asterisk you will probably have to
| rewrite the asterisk regex rules in fail2ban. Not a big
| thing, but it will probably not work out of the box.
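The fail2ban approach kkielhofner suggests, together with blablablub's caveat that the shipped Asterisk regex may need adjusting, as an added example that is not part of the thread: a minimal fail2ban-style ban decision (parse, sliding-window count, render DROP rules) run over constructed log lines. The log-line shape, the 2184 PID, the account/session values and the maxretry/findtime numbers are all assumptions, not fail2ban defaults or real Asterisk output.

```python
"""Added example, not code from the thread: a minimal fail2ban-style ban
decision run over constructed Asterisk security-log lines. The sample lines
follow the general shape of Asterisk's res_security_log output (an assumption;
adjust LINE_RE if your version differs, which is blablablub's point above).
maxretry/findtime values are arbitrary, not fail2ban's defaults."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Security events that indicate credential guessing against REGISTER.
FAIL_EVENTS = {"InvalidAccountID", "InvalidPassword",
               "ChallengeResponseFailed", "FailedACL"}

LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] SECURITY\[\d+\] \S+: '
    r'SecurityEvent="(?P<event>[A-Za-z]+)".*?'
    r'RemoteAddress="IPV[46]/(?:UDP|TCP|TLS|WS|WSS)/(?P<ip>[^/"]+)/\d+"')

def sample_line(ts, event, ip, transport="UDP"):
    """Constructed log line (assumed shape, see module docstring)."""
    return (f'[{ts}] SECURITY[2184] res_security_log.c: SecurityEvent="{event}",'
            f'EventTV="{ts.replace(" ", "T")}",Severity="Error",Service="PJSIP",'
            f'EventVersion="1",AccountID="1001",SessionID="0x7f",'
            f'LocalAddress="IPV4/{transport}/192.0.2.10/5060",'
            f'RemoteAddress="IPV4/{transport}/{ip}/5060"')

SAMPLE_LOG = (
    [sample_line("2022-10-30 16:30:00", "SuccessfulAuth", "192.0.2.20")]
    + [sample_line(f"2022-10-30 16:31:{s:02d}", "InvalidPassword", "203.0.113.5")
       for s in range(0, 60, 10)]          # 6 failures in 50 s: a scanner
    + [sample_line(f"2022-10-30 16:{m:02d}:00", "InvalidAccountID", "198.51.100.7")
       for m in (32, 33, 34, 50, 51)]      # 3 failures, then 2 more >10 min later
    + ["Oct 30 16:52:00 pbx asterisk[2184]: NOTICE: not a security event"])

def parse(line):
    """Return (timestamp, source_ip) for an auth-failure event, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("event") not in FAIL_EVENTS:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")

def offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Map source IP -> time it reached maxretry failures inside a sliding
    findtime window (the counting rule a fail2ban jail applies)."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        hit = parse(line)
        if hit is None or hit[1] in banned:
            continue
        ts, ip = hit
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # forget failures older than the window
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

def drop_rules(banned, chain="INPUT"):
    """Render the kernel-side DROP rules fail2ban would insert (strings only;
    nothing here touches the firewall)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(banned)]
```

The scanner is banned on its fifth failure while the slow source never accumulates five inside one window, which is why findtime matters as much as maxretry for this kind of traffic.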
| TheSwordsman wrote:
| At least where I am in SoCal, AT&T literally just deployed fiber
| with plans up to 5 gigabit/s. I'm so glad to be leaving Spectrum
| behind, because when moving here I never thought I'd have a cable
| Internet provider that made me miss Comcast...
|
| So hopefully you have some other options soon. :)
| throwaway413 wrote:
| Saw your comment, went to my ATT internet account, and just
| upgraded from 1k to 5k! I'm so happy, thanks!
| Prolixium wrote:
| FWIW, when I lived in Seattle I found that Lumen's DSL service
| blocked it as well. It wasn't an obvious block, though. It was
| either some DPI or size-based filtering. I wrote it up here for
| posterity:
|
| https://blog.prolixium.com/2021/01/23/does-centurylink-dsl-b...
|
| It worked just fine through Comcast's Xfinity service (although
| at the time, that service had other critical issues for me..) and
| I have no problem now with Verizon Fios.
| another_comment wrote:
| My call quality also seems better since I've switched on the VPN.
| I do not have numerical proof of this, but it sure seems like my
| voice calls are crystal clear now.
| another_comment wrote:
| My guess is Spectrum has been rate limiting port 5060 for a
| while, and finally just turned it off.
|
| Nice.
| kkielhofner wrote:
| With standard SIP implementations port 5060 is used for
| signaling and RTP for the actual media uses different
| (negotiated) ports.
|
| Rate limiting 5060 wouldn't have any impact on call quality.
___________________________________________________________________
(page generated 2022-10-30 23:01 UTC)