SIP trunk hacking

oldcreek12 (Level 1)

Hi,

I have the following setup:

CUCM---SIP---CUBE---SIP--ITSP

SIP trunks are configured between CUCM and CUBE and between CUBE and the ITSP's SIP server. Both CUCM and CUBE are behind the corporate firewall using private IP addresses; on the firewall we have a static mapping to CUBE, and we only allow SIP traffic and audio UDP traffic in. Outbound long-distance calls are routed on CUCM to CUBE and then to the ITSP. Everything worked fine until today, when our ITSP shut us down because of excessive international calls; we were obviously being hacked. Since syslog does not log SIP-level information, I am in the dark on how to proceed with troubleshooting.

I am wondering how anybody can hack into our SIP lines and make international calls. The ITSP only accepts our source IP for SIP signaling; if somebody spoofs our legitimate IP, then how can they get return traffic from the ITSP? Any pointers will be greatly appreciated.

5 Replies

oldcreek12 (Level 1)

It turned out that our CUBE accepts client registrations from any IP on the Internet. I am just puzzled: I don't have any account/password/username configured on this CUBE, so how was it possible for a SIP client from the Internet to register? I need to open SIP ports on the firewall for inbound calling.

As mentioned in another thread: in IOS, registration is not a prerequisite for placing calls. You must use an access-list to limit the IP addresses you are allowing.

Did you ever solve your SIP trunk hack? If so, could you please say what did the trick? Someone is constantly hacking my SIP trunk (four times now) and I'm at my wits' end trying to resolve this. Did you find the access-list mentioned by p.bevilacqua? Thanks for any advice.

Yes, the problem was resolved. Just configure an ACL that only accepts SIP INVITEs from your ITSP's softswitch and, in my case, from CUCM, and deny everything else.

Thanks for this info. I'm not using a softswitch; I'm just running CME from inside the router for a SIP trunk and that's it. Is there any chance you could post the ACL you used in your config? As a newbie I'm struggling with ACL config to stop this toll fraud, and maybe looking at a successful ACL will help.
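Added example (editor's, not posted by anyone in this thread) of the two controls the replies above describe for a CUBE or CME router: an interface ACL that accepts SIP and RTP only from the ITSP's softswitch, and the IOS toll-fraud trusted-address list (available from IOS 15.1(2)T) that rejects SIP call setup from any source not explicitly trusted, so an INVITE from a scanner is refused even though no registration is required to place a call. All addresses, the interface name and the ACL name are placeholders: 203.0.113.10 stands for the ITSP softswitch, 10.1.1.5 for CUCM, and 192.0.2.2 for the router interface facing the firewall/ITSP. For a CME-only router with no CUCM, drop the 10.1.1.5 entry; the inside phones register on the inside interface, which this ACL does not touch.

```cisco
! Added example, not from the original thread. Placeholder addresses:
!   203.0.113.10  ITSP softswitch (SIP signaling and, here, RTP media)
!   10.1.1.5      CUCM (omit on a CME-only router)
!   192.0.2.2     this router's interface facing the firewall / ITSP
!
! 1) Interface ACL: SIP (5060/5061) and RTP reach the outside interface only
!    from the ITSP. Every other SIP attempt is dropped and logged, so the hit
!    counters on the deny lines show the scanner traffic.
ip access-list extended SIP-FROM-ITSP
 remark SIP signaling from the ITSP softswitch only
 permit udp host 203.0.113.10 host 192.0.2.2 eq 5060
 permit tcp host 203.0.113.10 host 192.0.2.2 eq 5060
 remark RTP from the ITSP; 16384-32767 is the IOS default media range, adjust if changed
 permit udp host 203.0.113.10 host 192.0.2.2 range 16384 32767
 remark drop and count any other SIP attempt
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 deny   tcp any any eq 5061 log
 remark tighten this final permit to what the interface actually needs
 permit ip any any
!
interface GigabitEthernet0/1
 description Outside - towards firewall / ITSP (placeholder interface)
 ip address 192.0.2.2 255.255.255.0
 ip access-group SIP-FROM-ITSP in
!
! 2) IOS toll-fraud prevention: refuse incoming SIP call setup from any address
!    not in the trusted list, independently of the interface ACL.
voice service voip
 ip address trusted list
  ipv4 203.0.113.10 255.255.255.255
  ipv4 10.1.1.5 255.255.255.255
 ip address trusted authenticate
```

Two caveats before copying this. First, some ITSPs send media from addresses other than the softswitch that sends the INVITE; if calls connect but have one-way or no audio after applying the ACL, add the provider's media addresses to the RTP permit line (the trusted list only governs signaling, so it is unaffected). Second, verify rather than assume: `show ip access-lists SIP-FROM-ITSP` shows the hit counts on the deny lines, and `debug ccsip messages` prints the SIP messages themselves, which covers the original poster's complaint that syslog shows nothing at the SIP level; turn it off again once you have what you need, since it is verbose on a busy trunk.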
