[Linphone-users] Strange packets & forged incoming calls


From: Pierre Fortin
Subject: [Linphone-users] Strange packets & forged incoming calls
Date: Thu, 28 Jan 2016 22:12:18 -0500

Hi,

New to linphone, and I'm wondering why I'm seeing packets going to
various sites (see below).  When I first start linphone, after initial
registration, there is no network traffic.   At some point linphone
starts sending out[1] packets to a remote site every 10 seconds. Over
time, another remote site is added to the list; then later, another,
etc...

As I write this, the list of remote sites has grown to 18. Then,
after some time, I start getting calls with forged origins -- they appear
as a call from address@hidden  

I previously posted a way to block these bogus calls; but it's beginning
to appear that it may become a whack-a-mole solution.  The most recent
bogus calls are coming in at a rate of one a minute...  

Anyone have an idea what could be going on?  

Thanks,
Pierre

[1] I don't believe my system is responding to external stimulus every 10
seconds because the below list of packets is sent within <1 ms, always in
the same order.

[2] So far, NNNN has been 1101, 1001 & 2022.

The packets only differ in:
- destination IP & port
- checksums
- ID

The packets look like this:
Frame 1: 46 bytes on wire (368 bits), 46 bytes captured (368 bits) on interface 0
    Interface id: 0 (wlp3s0)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jan 28, 2016 18:48:56.790976833 EST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1454024936.790976833 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 46 bytes (368 bits)
    Capture Length: 46 bytes (368 bits)
    [Frame is marked: True]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:data]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: IntelCor_ad:3b:71 (a0:a8:cd:ad:3b:71), Dst: BuffaloI_4c:b7:3c (dc:fb:02:4c:b7:3c)
    Destination: BuffaloI_4c:b7:3c (dc:fb:02:4c:b7:3c)
        Address: BuffaloI_4c:b7:3c (dc:fb:02:4c:b7:3c)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_ad:3b:71 (a0:a8:cd:ad:3b:71)
        Address: IntelCor_ad:3b:71 (a0:a8:cd:ad:3b:71)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.14, Dst: 188.138.118.21
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes
    Differentiated Services Field: 0x68 (DSCP: AF31, ECN: Not-ECT)
        0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (26)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 32
    Identification: 0x7864 (30820)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0xcdaa [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 192.168.1.14
    Destination: 188.138.118.21
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 5060 (5060), Dst Port: 5110 (5110)
    Source Port: 5060
    Destination Port: 5110  <== different per site
    Length: 12
    Checksum: 0xc9b1 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 0]
Data (4 bytes)
    Data: 0d0a0d0a
    [Length: 4]

0000  dc fb 02 4c b7 3c a0 a8 cd ad 3b 71 08 00 45 68   ...L.<....;q..Eh
0010  00 20 78 64 40 00 40 11 cd aa c0 a8 01 0e bc 8a   . xd@.@.........
0020  76 15 13 c4 13 f6 00 0c c9 b1 0d 0a 0d 0a         v.............

The remote IPs at the moment are:

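
Added example (not part of the original post and not Linphone code): a Python decoder for the frame in the hex dump above. It verifies the IPv4 and UDP checksums, flags a datagram from port 5060 whose whole payload is `0d0a0d0a` (CR LF CR LF, the byte sequence RFC 5626 uses as its keep-alive ping), and lists the distinct destinations receiving such datagrams. The function names are made up for this example, and treating every such datagram from the SIP port as a keep-alive is an assumption.

```python
import struct
from ipaddress import IPv4Address

FRAME = bytes.fromhex(  # the 46-byte frame from the hex dump in the post
    "dcfb024cb73ca0a8cdad3b7108004568"
    "0020786440004011cdaac0a8010ebc8a"
    "761513c413f6000cc9b10d0a0d0a"
)
SIP_PORT = 5060
CRLF_PING = b"\r\n\r\n"  # 0d 0a 0d 0a

def csum16(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 and UDP checksums."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_udp_frame(frame: bytes):
    """Decode Ethernet/IPv4/UDP; return None for anything else or too short."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if frame[14] >> 4 != 4 or ihl < 20 or ip[9] != 17:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    udp = frame[14 + ihl:14 + total_len]  # drops any Ethernet padding
    if len(udp) < 8:
        return None
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", udp[:8])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 17, ulen)
    return {
        "src": (str(IPv4Address(ip[12:16])), sport),
        "dst": (str(IPv4Address(ip[16:20])), dport),
        "payload": udp[8:ulen],
        "ip_checksum_ok": csum16(ip) == 0xFFFF,
        "udp_checksum_ok": ucsum == 0 or csum16(pseudo + udp[:ulen]) == 0xFFFF,
    }

def is_sip_keepalive(pkt) -> bool:
    """True for a datagram from the SIP port whose whole payload is CRLF CRLF."""
    return bool(pkt) and pkt["src"][1] == SIP_PORT and pkt["payload"] == CRLF_PING

def keepalive_targets(frames):
    """Distinct (ip, port) destinations of keep-alives, in first-seen order."""
    pkts = filter(is_sip_keepalive, map(parse_udp_frame, frames))
    return list(dict.fromkeys(p["dst"] for p in pkts))
```

Feeding `keepalive_targets` every outbound frame from a capture gives the list of remote endpoints receiving these datagrams without reading each dissection by hand.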
