It can be annoying when a customer gets "ghost" calls, where the phone rings and there is nobody on the other side.

The answer is usually that the customer has become a victim of SPIT (yes, SPIT  a.k.a Spam over Internet Telephony).  In the VoIP world, SPIT is pretty common. Nefarious types looking to commit toll fraud will probe random IP addresses with a SIP dialer looking for a reply to a SIP INVITE.  When they find one, they will try to break into the web UI of the phone to setup call forwarding to expensive destinations.  When configured with default settings, most SIP phones will send a response to any INVITE they receive.  This has the unfortunate effect of alerting the hackers to the presence of a SIP end-point and, annoyingly for the user,  ringing the phone.

Unfortunately, incidences of this behavior have become more common since the release of the SIP scanning tool called SIP Vicious.   To confirm that your end user is being scanned, check the PBX call history.  If there are no call history logs on the switch, then you can be relatively certain that the calls are originating from a scanner.

Remedial Options

Change the SIP Listening Port

Since most SIP scanners focus on sending SIP INVITE messages to port 5060, one way to avoid these calls is to change the SIP listening port of the phones.  This can be done with overrides.  This method will not work if the scanner is walking every port.

#e.g. account.1.sip_listen_port="5070"
Yealink: sip.listen_port="(port)" 
Grandstream:  p40="port"

Block SIP Packets at the Firewall 

Another option is to create a firewall rule that blocks all inbound SIP packets except those that originate from the SIP server's IP addresses.

Disable IP Calls

Some devices allow you to disable IP Calls (ie.  you can force the phone to only accept inbound calls from the server it is registered to).  Sample override settings are below.

#Polycom
voIpProt.SIP.requestValidation.1.method="source"
voIpProt.SIP.requestValidation.1.request="INVITE"
 
#Yealink V73 Firmware and Below
features.direct_ip_call_enable="0"
account.1.sip_trust_ctrl="1"
 
#Yealink V80 Firmware Plus
features.direct_ip_call_enable="0"
sip.trust_ctrl="1"

See also this Polycom Article for more details.  

Grandstream phones

In the Grandstream phones, you can deploy a couple of features to help block "anonymous" callers as well.

  • Check SIP User ID for Incoming Invite ( option )
  • Accept Incoming SIP from Proxy Only ( option )
  • Anonymous call rejection ( option )