01-28-2010 04:23 PM - edited 03-17-2019 09:55 PM
Hi,
I have the following setup:
CUCM---SIP---CUBE---SIP--ITSP
SIP is configured between CUCM and CUBE and between CUBE and the ITSP SIP server. Both CUCM and CUBE are behind the corporate firewall using private IP addresses; on the firewall we have a static mapping to CUBE and we only allow SIP traffic and audio UDP traffic to come in. Outbound long distance calls are routed on CUCM to CUBE and then to the ITSP. Everything worked fine until today, when our ITSP shut us down because of excessive international calls; we were obviously being hacked. Since syslog does not log SIP level information, I am in the dark on how to proceed to troubleshoot.
I am wondering how anybody can hack into our SIP lines and make international calls? The ITSP only accepts our source IP for SIP signaling; if somebody spoofs our legitimate IP, then how can they get return traffic from the ITSP? Any pointers will be greatly appreciated.
01-29-2010 05:26 PM
It turned out that our CUBE accepts client registrations from any IP on the Internet. I am just puzzled that I don't have any account/password/username configured on this CUBE, so how was it possible that a SIP client from the Internet could register? I need to open SIP ports on the firewall for inbound calling.
02-01-2010 10:15 AM
As mentioned in another thread: in IOS, registration is not a requisite for placing calls. You must use an access-list to limit the IP addresses you are allowing.
06-24-2010 03:23 PM
Did you ever solve your SIP trunk hack? If so, could you please say what did the trick? Someone is constantly hacking my SIP trunk (four times now) and I'm at my wits' end trying to resolve this. Did you find the access-list mentioned by p.bevilacqua? Thanks for any advice.
06-24-2010 04:19 PM
Yes, the problem was resolved. Just configure an ACL that only accepts SIP INVITEs from your ITSP's softswitch and, in my case, from CUCM, and deny everything else.
06-26-2010 12:19 PM
Thanks for this info. I'm not using a softswitch; I'm just running CME from inside the router for a SIP trunk and that's it. Is there any chance you could post the ACL you used in your config? As a newbie I'm struggling with ACL config to stop this toll fraud, and maybe looking at a successful ACL will help.
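An added example of the kind of ACL described in the resolution above (not the poster's actual config). It assumes the CUBE has a single LAN-facing interface behind the firewall's static NAT, as in the original setup, and uses placeholder addresses: 203.0.113.10 for the ITSP softswitch, 10.1.1.10 for CUCM, and GigabitEthernet0/0 as the interface name.

```cisco
! Added example, not from the original thread. Placeholder addresses:
!   203.0.113.10 = ITSP softswitch / SIP proxy (its real source IP as seen
!                  through the firewall's static NAT)
!   10.1.1.10    = CUCM on the inside LAN
! Adjust the RTP range to what the ITSP actually sends.
!
! 1. Allow SIP signaling only from the two legitimate peers and log every
!    other SIP attempt, so INVITE/REGISTER probing shows up in syslog.
ip access-list extended SIP-TRUNK-IN
 remark --- SIP signaling from the ITSP softswitch only
 permit udp host 203.0.113.10 any eq 5060
 permit tcp host 203.0.113.10 any eq 5060
 remark --- SIP signaling from CUCM (omit if the router runs CME itself)
 permit udp host 10.1.1.10 any eq 5060
 permit tcp host 10.1.1.10 any eq 5060
 remark --- RTP media from the ITSP (CUBE default range 16384-32767)
 permit udp host 203.0.113.10 any range 16384 32767
 remark --- RTP media from inside phones/CUCM media resources
 permit udp 10.1.1.0 0.0.0.255 any range 16384 32767
 remark --- management from the inside admin network only (example)
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit icmp 10.1.1.0 0.0.0.255 any
 remark --- any other SIP source is toll-fraud probing: drop and log it
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 deny   ip any any log
!
! 2. Apply it inbound on the interface that faces the firewall/LAN.
interface GigabitEthernet0/0
 description Inside LAN / towards firewall static NAT
 ip access-group SIP-TRUNK-IN in
```

The `log` keywords on the deny lines give you the SIP-level visibility the original poster was missing: each rejected source appears in syslog and can be checked with `show access-lists SIP-TRUNK-IN`. On IOS 15.1(2)T and later, `ip address trusted list` under `voice service voip` also rejects INVITEs from unlisted sources at the SIP layer and complements, rather than replaces, this interface ACL.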