Ghost calls — silent calls from numbers like “100” or “1000” — typically result from SIP port scanning. This article explains how they occur and how to prevent them.
How ghost calls work
Ghost calls are generated by SIPvicious, which was originally designed as an inventory tool for IT administrators to audit SIP devices. It sends SIP INVITE messages to your SIP port (5060) to scan for vulnerable PBX systems.
When a vulnerable PBX is found, the tool can be used maliciously to route calls through the compromised system. However, when the same INVITE reaches an IP phone, it generates a ghost call: the phone rings, and there is only silence at pickup. While annoying, ghost calls on properly configured systems are generally harmless and do not result in financial loss.
Prevention strategies
You can reduce or eliminate ghost calls using the following approaches:
- Blacklist offending IPs: Use your firewall to blacklist the IP ranges generating the ghost calls.
- Restrict SIP port access: Limit traffic on port 5060 to our public voice proxy only: 103.55.116.0/24. Deny all other traffic to this port.
- Filter port-forwarded traffic: If you use port forwarding, add filtering rules for port 5060 at your firewall.
- Change your SIP port: As a last resort, change your SIP port from 5060 to an alternative port such as 50600.
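The first two approaches above, shown as an added example that is not part of the original article: the script counts packets reaching port 5060 from outside the voice proxy range, grouped by source /24, and renders the matching allow-then-deny rules. It assumes a Linux firewall using iptables and netfilter LOG-style lines; the sample log and its addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Voice proxy range and SIP port as stated in the article.
TRUSTED_PROXY = ipaddress.ip_network("103.55.116.0/24")
SIP_PORT = 5060

# Constructed sample lines in netfilter LOG style (documentation addresses).
SAMPLE_LOG = """\
IN=eth0 SRC=103.55.116.20 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060
IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=UDP SPT=5071 DPT=5060
IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=UDP SPT=5083 DPT=5060
IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=40112 DPT=5060
IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=443
this line is malformed and must be skipped
"""

FIELD = re.compile(r"\b(SRC|DPT)=(\S+)")


def untrusted_sip_sources(log_text):
    """Count packets to the SIP port per source range outside the proxy."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if not {"SRC", "DPT"} <= fields.keys() or not fields["DPT"].isdigit():
            continue  # malformed or incomplete line
        if int(fields["DPT"]) != SIP_PORT:
            continue  # not SIP traffic
        try:
            src = ipaddress.ip_address(fields["SRC"])
        except ValueError:
            continue
        if src in TRUSTED_PROXY:
            continue  # legitimate traffic from the voice proxy
        prefix = 24 if src.version == 4 else 64
        hits[str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))] += 1
    return hits


def restrict_rules():
    """Allow the proxy range on the SIP port, then drop everything else."""
    rules = []
    for proto in ("udp", "tcp"):
        match = f"iptables -A INPUT -p {proto} --dport {SIP_PORT}"
        rules.append(f"{match} -s {TRUSTED_PROXY} -j ACCEPT")
        rules.append(f"{match} -j DROP")
    return rules
```

The ranges returned by `untrusted_sip_sources` are candidates for the blacklist; with the rules from `restrict_rules` in place they are already dropped, so the count mainly shows how much scanning the firewall is absorbing.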
Yealink phone configuration
Yealink phones provisioned through our Device Provisioning service are configured by default to block IP ghost calls and SIPvicious-style attacks. If you need to manually configure your Yealink phone, follow these steps:
- Download the latest firmware for your handset from Yealink support.
- Upgrade the firmware: Settings > Upgrade > Select and upgrade the firmware.
- Disable IP calls: Features > General Information > Set Allow IP Call to DISABLED. Click Confirm.
- Enable SIP trust: Account > Advanced. Set Accept SIP Trust Server Only to ENABLED. This ensures your phone only accepts INVITE requests from our SIP server.