SIP trunk hacking

Unanswered Question
Jan 28th, 2010
User Badges:


I have the following setup:


SIP are configured between CUCM-CUBE and CUBE--ITSP SIP server, both CUCM and CUBE are behind corp firewall using private IP addresses, on firewall we have a static mapping to CUBE and we only allow SIP traffic and audio UDP traffic come in, outbound long distance calls are routed on CUCM to CUBE and then to ITSP, everything worked fine until today our ITSP shut us down because excessive International calls, we were obviously being hacked. Since syslog does not log SIP level information, I am in the dark on how to proceed to troubleshoot.

I am wondering how can anybody hack into our SIP lines and make international calls? the ITSP only accepts our source IP for SIP signaling, if somebody spoof our legitimate IP then how can they get return traffic from ITSP? any pointers will be greately appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jiangu Fri, 01/29/2010 - 17:26
User Badges:

It turned out that our CUBE accepts client register from any IP from Internet, I am just puzzled that I don't have any account/password/username configured on this CUBE, how was it possible a SIP client from Internet can register? I need to open SIP ports on firewall for inbound calling.

paolo bevilacqua Mon, 02/01/2010 - 10:15
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    Founding Member

As mentioned in anothers thread. In IOS, registration is not a requisite for placing calls. You must use an access-list to limit on IP address you are allowing.

tonyspcrepairs Thu, 06/24/2010 - 15:23
User Badges:

did you ever solve your sip trunk hack? If so could you please say what did the trick? Someone is constantly hacking my sip trunk (four times now) and I'm at my wits end trying to resolve this. Did you find the access-list mentioned by p.bevilacqua? Thanks for any advice.

jiangu Thu, 06/24/2010 - 16:19
User Badges:

Yes, the problem was resolved, just configure an ACL that only acce

pts SIP INVITES from your ITSP's softswitch and

in my case from CUCM and deny everything else.

tonyspcrepairs Sat, 06/26/2010 - 12:19
User Badges:

thanks for this info. I'm not using a softswitch, I'm just running cme from inside the router for a sip trunk and that's it. Is there any chance you could post the acl you used in your config? As a newbie I'm struggling with acl config to stop this toll fraud and maybe looking at a successful acl will help.


This Discussion