- 09-20-2010 #1 Just Joined!
- Join Date
- Sep 2010
- Posts
- 3
Odd UDP Traffic - VoIP Server
Not sure what's going on here, but I can't seem to figure out which process is generating this traffic.
Couple of questions:
1. How do I trace the process generating the traffic
2. What IS the traffic?
Pay special attention to the ALTER.NET traffic. Not sure what all of this is.
12:47:00.421867 IP 200.4-0.PVG5.LAX9.ALTER.NET.53094 > 192.168.1.15.10706: UDP, length 32
12:47:00.421982 IP 192.168.1.15.10706 > 200.4-0.PVG5.LAX9.ALTER.NET.53094: UDP, length 32
12:47:00.422560 IP 100.4-1.PVG0.LAX9.ALTER.NET.56396 > 192.168.1.15.10076: UDP, length 32
12:47:00.422650 IP 100.4-1.PVG0.LAX9.ALTER.NET.56394 > 192.168.1.15.18794: UDP, length 32
12:47:00.422766 IP 192.168.1.15.18794 > 100.4-1.PVG0.LAX9.ALTER.NET.56394: UDP, length 32
12:47:00.424266 IP 192.168.1.15.16694 > 100.4-1.PVG0.LAX9.ALTER.NET.55556: UDP, length 32
12:47:00.425478 IP 192.168.1.15.16592 > 200.4-0.PVG4.LAX9.ALTER.NET.55324: UDP, length 32
12:47:00.425596 IP 192.168.1.111.exlm-agent > 192.168.1.15.14880: UDP, length 172
12:47:00.425721 IP 192.168.1.15.15106 > 200.4-1.PVG0.LAX9.ALTER.NET.55052: UDP, length 32
12:47:00.427315 IP 200.4-1.PVG0.LAX9.ALTER.NET.55052 > 192.168.1.15.15106: UDP, length 32
12:47:00.427419 IP 192.168.1.15.10442 > 199.173.80.142.54496: UDP, length 32
12:47:00.428473 IP 199.173.80.142.54496 > 192.168.1.15.10442: UDP, length 32
12:47:00.429648 IP 100.4-1.PVG0.LAX9.ALTER.NET.56112 > 192.168.1.15.18168: UDP, length 32
12:47:00.429763 IP 192.168.1.15.18168 > 100.4-1.PVG0.LAX9.ALTER.NET.56112: UDP, length 32
12:47:00.435524 IP 100.4-1.PVG0.LAX9.ALTER.NET.56418 > 192.168.1.15.13938: UDP, length 32
12:47:00.435643 IP 192.168.1.15.13938 > 100.4-1.PVG0.LAX9.ALTER.NET.56418: UDP, length 32
12:47:00.437909 IP 192.168.1.15.10076 > 100.4-1.PVG0.LAX9.ALTER.NET.56396: UDP, length 32
12:47:00.438547 IP 100.4-1.PVG0.LAX9.ALTER.NET.55556 > 192.168.1.15.16694: UDP, length 32
Any suggestions/ideas appreciated. I can provide a tcpdump of the traffic itself if necessary.
Rob Vella
Total Technology
- 09-20-2010 #2 Just Joined!
- Join Date
- Aug 2009
- Posts
- 73
Either iptables -j LOG rules using the "owner" module or 'netstat -anupe' or 'lsof -Pwlni udp'. Or use your packet capture and correlate timestamps with your VoIP logs. Since logging in Linux isn't a single-application thing and some tools only provide PID and process info, log correlation is important to get the big picture. The more you log, the more you can trace back.
(It would be good to know if you've read up on general VoIP attacks and security measures. If you didn't, then please do.) Wireshark has a usable GUI with easy filtering and dissectors for a lot of protocols. Snort has VoIP rules (might search the 'net for more). *Probably superfluous to say, but working with saved packet captures is best done on a separate workstation so as not to hog CPU and disturb server processes and such.
HTH
- 09-29-2010 #3 Just Joined!
- Join Date
- Sep 2010
- Posts
- 3
I have analyzed it with Wireshark. It just says "UDP datagram" -- nothing informative. Asterisk seems to be the source of the UDP traffic. I blocked the ports and calls seem to be silent. What I can't figure out is why ALTER.NET is responsible for critical functions of my VoIP system. I suspect it might have something to do with NAT traversal because it is in a private network.
RTP debug on Asterisk shows it's sending and receiving the traffic to those IPs. Again, why is this ALTER.NET server responsible for critical functions? No SIP provider I use is in this IP range.
Odd.
- 09-29-2010 #4 Just Joined!
- Join Date
- Sep 2010
- Posts
- 3
Never mind. I figured out that my SIP provider's RTP host is one of those IPs. It sends that IP in the SIP packet as a reply address for RTP info.
Thanks.
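As an added example (not code from this thread or from Asterisk), the Python below automates the cross-check the last post arrived at by hand: it reads UDP flows in the tcpdump line format shown above, pulls the RTP reply address out of the provider's SDP (the c= and m= lines carried in the SIP reply), and flags any peer that talks to local ports inside Asterisk's RTP range (rtp.conf defaults rtpstart=10000, rtpend=20000) without being named in an SDP body. The capture lines and SDP body are constructed samples; capture with tcpdump -n in practice so peers appear as bare IPs that compare directly against SDP addresses rather than as resolved ALTER.NET names.

```python
import re

# Constructed sample in the shape of the thread's capture; use `tcpdump -n` in practice so
# peers appear as bare IPs that can be matched against SDP addresses.
CAPTURE = """\
12:47:00.421867 IP 200.4-0.PVG5.LAX9.ALTER.NET.53094 > 192.168.1.15.10706: UDP, length 32
12:47:00.425596 IP 192.168.1.111.exlm-agent > 192.168.1.15.14880: UDP, length 172
12:47:00.427419 IP 192.168.1.15.10442 > 199.173.80.142.54496: UDP, length 32
12:47:00.428473 IP 199.173.80.142.54496 > 192.168.1.15.10442: UDP, length 32
"""
# Constructed SDP body as a provider returns it in its SIP reply: c= is the RTP reply address,
# m=audio carries the port (address and port invented for the sample).
SDP_FROM_PROVIDER = """\
c=IN IP4 199.173.80.142
m=audio 54496 RTP/AVP 0 8 101
"""
LOCAL = "192.168.1.15"
RTP_RANGE = (10000, 20000)  # Asterisk rtp.conf defaults (rtpstart / rtpend)
LINE = re.compile(r"IP (\S+)\.([^\s:]+) > (\S+)\.([^\s:]+): UDP, length (\d+)")

def parse_udp_flows(capture, local=LOCAL):
    """Map each remote host to the set of local ports it exchanged UDP with."""
    flows = {}
    for src, sport, dst, dport, _length in LINE.findall(capture):
        if src == local:
            flows.setdefault(dst, set()).add(sport)
        elif dst == local:
            flows.setdefault(src, set()).add(dport)
    return flows

def parse_sdp_endpoints(sdp):
    """Collect (ip, port) from a session-level c= line and the m= lines after it."""
    conn, endpoints = None, set()
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            conn = line.split()[2]
        elif line.startswith("m=") and conn:
            endpoints.add((conn, int(line.split()[1])))
    return endpoints

def classify_peers(flows, sdp_endpoints, rtp_range=RTP_RANGE):
    """'negotiated': SDP named the host; 'rtp-range-unexplained': RTP-range ports, no SDP match."""
    negotiated = {ip for ip, _ in sdp_endpoints}
    lo, hi = rtp_range
    report = {}
    for host, ports in flows.items():
        nums = [int(p) for p in ports if p.isdigit()]
        in_range = bool(nums) and all(lo <= p <= hi for p in nums)
        report[host] = ("negotiated" if host in negotiated
                        else "rtp-range-unexplained" if in_range else "other")
    return report
```

Feed it every SDP body seen in the SIP debug (both the provider's and the phones'); whatever is still reported as rtp-range-unexplained is the traffic worth tracing back to a process with the lsof or iptables owner-module approach from post #2.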