
Tell HN: Spectrum is blocking TCP/UDP 5060 at my home

146 points| another_comment | 3 years ago

For several years, I've run 3 VOIP phones from my house. About a week ago they stopped working. SIP REGISTER started failing.

Turns out Spectrum now blocks TCP/UDP port 5060. My workaround is to use a VPN. After that, everything is fine.

This reddit thread https://www.reddit.com/r/networking/comments/t8nulq/spectrum_is_rate_limiting_voipsip_traffic_port/ suggests Spectrum was rate limiting 5060 on 300mbps plans, but not on the 100mbps plans.

I have the 100mbps plan, and it is definitely affected now.

So if you are in SoCal, using Spectrum, and your VOIP phones suddenly stopped working in the last week or so, maybe this will help you.

89 comments


_wldu|3 years ago

They are probably trying to reduce SIP abuse. It's a big problem.

kkielhofner|3 years ago

Glad this is at the top. The linked Reddit thread demonstrates a common but fundamental misunderstanding of SIP.

Port 5060 is used for call control and is very low traffic. At most you may have timed OPTIONS messages but a “standard” SIP deployment is at most a handful of (small) packets per second per call setup and tear down with occasional REGISTER messages on an interval measured in seconds. Very low traffic and very low bandwidth. Obviously with more devices you get multiples of these numbers but still very low. 15 kbps is a pretty significant amount of SIP traffic.

This is most likely targeting VoIP abuse from tools like sipvicious. In a nutshell they scan the internet looking for open SIP ports. They then try to brute force credentials to place calls.

Why? Toll fraud. The scam works like this:

1) Set up an international toll charge number in some country. Let’s say it charges $5/min. For those that don’t know, calls to these numbers get charged to the person placing the call from their phone company and end up on their phone bill, with the amount getting paid out (less a cut) to the operator of the number.

2) Compromise a bunch of random exposed SIP implementations on the internet.

3) Place calls to your (or a partner's) toll number.

4) Get paid from the toll charges.

5) Some time later the owner of the compromised system gets a huge bill depending on fraud detection systems at the carrier, how fast you could pump calls, etc.

It’s gotten so bad many VoIP providers block international calls by default and now (apparently) might be blocking 5060 traffic in some way.

This isn’t that different to what’s happened with SMTP over the years. To combat spam many last mile ISPs started blocking outbound TCP port 25 so compromised machines couldn’t directly send spam. This is where port 465/587 for SMTP “submission” came from.

nousermane|3 years ago

Ah, yes. The classic "all our customers are morons" approach, with no opt-out for those 0.1% who, in fact, are not. Very typical among ISPs/Telcos.

Where I am, we used to have a different, "nerdy" ISP [0], where customers were allowed to bring their own modem; they also provided real IPv4/v6 dual-stack since forever, easy to request a /29, tech support that's realistic to reach and staffed with people who know what they are talking about, no bulk-firewalling port 25, etc... All for a modest 2x price increase over market average. Alas, they're out of business now.

[0] https://en.wikipedia.org/wiki/Xs4all

megous|3 years ago

Yeah, running SIP on a standard port without some serious firewall based rate limiting for unknown traffic is almost impossible.

I tried running a PBX on UDP 5060 and got >4GiB of logged register attempts in a few hours after opening the port, while Asterisk was running at 100% CPU just rejecting the registration attempts the whole time.

It's insane compared to any other public service I run.
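The two comments above describe the same problem from both ends: scanners hammering REGISTER on an exposed 5060, and the need to rate limit or drop unknown sources before the PBX spends its CPU rejecting them. As an added example, not code from either commenter or from the Asterisk project, here is the detection half of that in Python: it parses log lines modelled on Asterisk's classic chan_sip "Registration from ... failed for ..." NOTICE wording and flags any source IP that produces more than a threshold of failures inside a sliding time window, which is the same decision a fail2ban jail makes before handing the address to the firewall. The log lines, IP addresses and extension names are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, modelled on Asterisk chan_sip NOTICE lines (not real traffic).
# 203.0.113.45 walks through extension names in a burst; 192.0.2.10 is a phone
# with a mistyped password that retries fifteen minutes apart.
SAMPLE_LOG = """\
[2022-11-01 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '203.0.113.45:5060' - Wrong password
[2022-11-01 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@198.51.100.7>' failed for '203.0.113.45:5060' - No matching peer found
[2022-11-01 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@198.51.100.7>' failed for '203.0.113.45:5060' - No matching peer found
[2022-11-01 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"admin" <sip:admin@198.51.100.7>' failed for '203.0.113.45:5060' - No matching peer found
[2022-11-01 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"1000" <sip:1000@198.51.100.7>' failed for '203.0.113.45:5060' - No matching peer found
[2022-11-01 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"test" <sip:test@198.51.100.7>' failed for '203.0.113.45:5060' - Username/auth name mismatch
[2022-11-01 10:05:00] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '192.0.2.10:5060' - Wrong password
[2022-11-01 10:05:30] NOTICE[1234] chan_sip.c: Registered SIP '201' at 192.0.2.10:5060
[2022-11-01 10:20:00] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '192.0.2.10:5060' - Wrong password
"""

# Timestamp, the From identity (single-quoted, may contain double quotes),
# the source IP:port, and the failure reason.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<ip>[\d.]+):(?P<port>\d+)' - (?P<reason>.+)$"
)


def parse_line(line):
    """Return {"time", "ip", "reason"} for a failed-REGISTER line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "ip": m["ip"],
        "reason": m["reason"],
    }


def find_brute_force(lines, threshold=5, window_seconds=60):
    """Map source IP -> total failures, for IPs with >= threshold failures
    inside any window of window_seconds (sliding window per IP)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec["time"])

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        recent = deque()  # timestamps within `window` of the current one
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed REGISTERs, candidate for a firewall drop")
```

With the defaults (5 failures in 60 seconds) only the scanning address is flagged; the phone that gets its password wrong twice in fifteen minutes is not, which is the distinction a drop rule at the edge needs to make so a mistyped credential does not lock out a legitimate handset.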

josephcsible|3 years ago

That doesn't make what they're doing okay. To see why, imagine that they instead blocked access to all email services except their own, since spam is a big problem.

im3w1l|3 years ago

It doesn't fit. The reddit thread describes inbound traffic being rate limited. But SIP abuse would be outbound traffic.

3np|3 years ago

You mean mass spam calling? Or what kind of abuse?

TheSwordsman|3 years ago

At least where I am in SoCal, AT&T literally just deployed fiber with plans up to 5 gigabit/s. I'm so glad to be leaving Spectrum behind, because when moving here I never thought I'd have a cable Internet provider that made me miss Comcast...

So hopefully you have some other options soon. :)

throwaway413|3 years ago

Saw your comment, went to my ATT internet account, and just upgraded from 1k to 5k! I’m so happy, thanks!

throwaway413|3 years ago

So, interesting stuff! I had my installation appointment, the guy came out and proceeded to tell me that the 5k plan would be useless to me. I asked why - apparently switches have not progressed at the same speed. Latest MBPs for example only support up to ~1300Mbps via wifi (however could support up to 10Gb bandwidth via Ethernet.) Most of my devices I use via wifi anyways. I have 1 Pi plugged in. I guess most hardware only has a 1k switch in it these days?

With that new info, I decided to stick to my 1k plan until more hardware catches up.

jeroenhd|3 years ago

Is that even legal? Blocking network traffic because it competes with their offering?

yummypaint|3 years ago

From the Wikipedia net neutrality page it looks like the FCC's stance has historically depended on the administration in power. There was the much celebrated 2015 change to Title II, which was undone in 2017, i.e. the start of the Ajit Pai era. Now he is finally gone, but not before casting his vote in a 3-2 decision in 2020 to keep net neutrality dismantled. The new chair is pro-NN and working to undo the damage, but it takes time.

zbrozek|3 years ago

Carriers do all kinds of filtering. They've blocked mail, file transfer, network discovery, and others for a long time. cgNAT blocks half of everything.

throw0101c|3 years ago

The terms of service may prohibit running a "service" or "server", for some definition, on a residential contract.

jmole|3 years ago

Maybe they're forwarding the port to an internal service running on the router, instead of blocking it. At the very least, it would be nice if they let you turn it off.

thomashabets2|3 years ago

My ISP breaks traceroute outside of the network. Their transit is cut out of my traceroutes.

Full technical story at https://blog.habets.se/2022/05/Another-way-MPLS-breaks-trace...

ShroudedNight|3 years ago

Huh, I remember back in the day seeing weird latency cliffs like that when trying to troubleshoot latency issues when playing World of Warcraft. There always seemed to be one between basically any ISP I was connected to and the AT&T network blizzard was running their servers on.

mike_d|3 years ago

It looks like someone technical from your ISP also replied in the comments of your post and offered to set up a call to explain it to you. That is far better than you can expect from almost any other provider.

matt123456789|3 years ago

Guess they want you to pay for their bundled phone plan instead. I’m guessing you can bring this to their attention and get some boilerplate response containing words like “abuse” and “safety”. Prognosis: This will go to court on common carrier terms and the block will be lifted in 3-4 years.

another_comment|3 years ago

>> Guess they want you to pay for their bundled phone plan instead.

I think you are right. But I am waaaay too cheap for that. I'm using Twilio on some Raspberry Pis with some software I wrote myself. For 3 phone numbers, I'm spending like $10 a month total.

another_comment|3 years ago

My call quality also seems better since I've switched on the VPN. I do not have numerical proof of this, but it sure seems like my voice calls are crystal clear now.

another_comment|3 years ago

My guess is Spectrum has been rate limiting port 5060 for a while, and finally just turned it off.

Nice.

Prolixium|3 years ago

FWIW, when I lived in Seattle I found that Lumen's DSL service blocked it as well. It wasn't an obvious block, though. It was either some DPI or size-based filtering. I wrote it up here for posterity:

https://blog.prolixium.com/2021/01/23/does-centurylink-dsl-b...

It worked just fine through Comcast's Xfinity service (although at the time, that service had other critical issues for me...) and I have no problem now with Verizon Fios.

more_corn|3 years ago

Fuck spectrum. They’re the worst. Drop them for a better carrier.

A critical service is nonfunctional. You should not have to VPN for your internet service to work. I can’t believe I even have to say that.

relentlesshack|3 years ago

Use a session border controller if possible to get around the port blocking.

StayTrue|3 years ago

Can you use port 5061?

another_comment|3 years ago

Excellent question. I will try that tomorrow morning and report back.

gsich|3 years ago

5061/tcp is preferable. It also works with TLS.

Kikawala|3 years ago

Are they also blocking 5061 SIP-TLS?
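The practical question in this sub-thread is which transports the ISP path still lets through: UDP 5060, TCP 5060, or TCP 5061. As an added example, not code from the thread or from any SIP project, here is a small Python probe you can point at your own provider's registrar: it sends a SIP OPTIONS request (the standard "ping" of RFC 3261) over UDP and over TCP and reports the status line that comes back, and separately checks whether TCP 5061 accepts a connection at all. The two fake local responders exist only so the script runs offline; the 192.0.2.10 address in the Via header is a constructed placeholder for your own address, and a complete SIP-over-TLS check would additionally need a TLS handshake against the provider's certificate, which this reachability probe does not attempt.

```python
import socket
import threading
import uuid

SIP_200 = b"SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n"


def build_options(host, port, transport, local_ip="192.0.2.10", local_port=5060):
    """Minimal RFC 3261 OPTIONS request; transport is 'udp' or 'tcp'."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]  # magic-cookie prefix required by RFC 3261
    return (
        f"OPTIONS sip:{host}:{port} SIP/2.0\r\n"
        f"Via: SIP/2.0/{transport.upper()} {local_ip}:{local_port};branch={branch};rport\r\n"
        "Max-Forwards: 70\r\n"
        f"From: <sip:probe@{local_ip}>;tag={uuid.uuid4().hex[:8]}\r\n"
        f"To: <sip:{host}:{port}>\r\n"
        f"Call-ID: {uuid.uuid4().hex}@{local_ip}\r\n"
        "CSeq: 1 OPTIONS\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


def status_line(data):
    return data.split(b"\r\n", 1)[0].decode(errors="replace")


def probe_udp(host, port, timeout=2.0):
    """OPTIONS over UDP; returns the SIP status line, or None if nothing answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_options(host, port, "udp"), (host, port))
            data, _ = s.recvfrom(4096)
        except OSError:  # timeout, or ICMP port-unreachable surfacing as ConnectionRefusedError
            return None
    return status_line(data)


def probe_tcp(host, port, timeout=2.0):
    """OPTIONS over TCP; returns the SIP status line, or None if connect/reply failed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_options(host, port, "tcp"))
            data = s.recv(4096)
    except OSError:
        return None
    return status_line(data) if data else None


def tcp_connects(host, port, timeout=2.0):
    """True if a TCP handshake completes (used for 5061, where the payload would be TLS)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def free_local_port():
    """A port nothing is listening on, for negative checks."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_fake_udp_server(reply=SIP_200):
    """Constructed local stand-in for a SIP registrar; returns (port, stop_fn)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(4096)
            except socket.timeout:
                continue
            if data.startswith(b"OPTIONS "):
                sock.sendto(reply, peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1], stop.set


def start_fake_tcp_server(reply=SIP_200):
    """Constructed local stand-in for a SIP registrar over TCP; returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                if conn.recv(4096).startswith(b"OPTIONS "):
                    conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


if __name__ == "__main__":
    host = "sip.example.invalid"  # placeholder: replace with your provider's registrar
    print("udp/5060:", probe_udp(host, 5060))
    print("tcp/5060:", probe_tcp(host, 5060))
    print("tcp/5061 connects:", tcp_connects(host, 5061))
```

Run it once directly and once over the VPN: a transport that answers through the tunnel but times out on the bare ISP path is the signature of the block the OP describes, and a 5061 handshake that completes tells you the TLS route is at least open before you reconfigure the phones.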

animitronix|3 years ago

Sue them into the ground

dylan604|3 years ago

They'll just change names again, so your suit will be for a new dead company