PRI TOLL FRAUD

ciscodrew
Level 1

Customer has a PRI with 12 channels. When originally set up, ISP said they would be sending four digits. Could not get it to work. Called Cisco Small Business support and noticed that they were actually sending 8 digits. Ex: phone number is 888-8888. ISP is sending 10108888.

We modified config to get it to work. However, after one month customer received a bill for $2000 for calls to Cuba. Obviously toll fraud.

ISP accused UC540 of not being secure.

My question is this:

Can their Cisco device that is handing off PRI be the weak link in toll fraud since they are sending 1010xxxx?

I will post config if needed, but wanted to see if they could be to blame?

Thanks

4 Replies

paolo bevilacqua
Hall of Fame

More likely you have been exploited via SIP, if your UC is on the Internet without protection.

That is primarily the installer's fault, because Cisco has at least a bulletin in place that highlights the issue and gives steps to prevent it.

http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_tech_note09186a00809dc487.shtml

Steven Holl
Cisco Employee

Securing a gateway from untrusted call sources is no different from securing a router from untrusted traffic. Your router is likely allowing SIP or H323 traffic in an interface with a public interface, and it shouldn't be. Keep in mind that if you have CUE, you are running a SIP listener on the box, and SIP will listen on all interfaces unless you configure a bind. H323 will always listen on all interfaces, regardless of bind. You should always only allow TCP/1720 and TCP/UDP/5060 from known trusted sources on any WAN interface with a public IP.

Also, this behavior is improved starting with 15.1(2)T to prevent toll fraud scenarios out-of-the-box:

https://supportforums.cisco.com/docs/DOC-12228

-Steve
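
The filtering described in the reply above, written out as an IOS configuration. This is an added example, not part of the original thread and not Cisco's published template. The ACL name `WAN-VOICE-IN`, the interface `FastEthernet0/0`, and the trusted peer `203.0.113.10` (a documentation address) are assumptions to replace with the site's own values.

```cisco
! Added example: restrict H.323 and SIP signaling on the public-facing
! interface to one known, trusted call source.
! Assumed values: ACL name, interface name, and the peer address.
!
ip access-list extended WAN-VOICE-IN
 remark Signaling from the trusted provider or peer gateway only
 permit tcp host 203.0.113.10 any eq 1720
 permit tcp host 203.0.113.10 any eq 5060
 permit udp host 203.0.113.10 any eq 5060
 remark Drop and log signaling attempts from every other source
 deny   tcp any any eq 1720 log
 deny   tcp any any eq 5060 log
 deny   udp any any eq 5060 log
 remark Leave all other traffic to the existing policy
 permit ip any any
!
interface FastEthernet0/0
 description WAN interface with a public IP (assumed name)
 ip access-group WAN-VOICE-IN in
!
! Verification from the router CLI after applying:
!   show ip access-lists WAN-VOICE-IN   (hit counters on the deny lines
!                                        show blocked signaling attempts)
!   show control-plane host open-ports  (shows whether 1720 and 5060
!                                        are listening on the box)
```

If the WAN interface already has an inbound access list, merge the permit and deny lines for ports 1720 and 5060 into it instead of applying a second list, since an interface takes only one inbound ACL per protocol.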

Keep in mind that if you have CUE, you are running a SIP listener on the box.

Nitpick: even if you don't have CUE.

Right. Anytime you have a SIP dial-peer, SIP listener is enabled. Anytime you have an H323 dial-peer, H323 listener is enabled. Exceptions to this are that the listeners are both on by default for all code with a voice feature set, when running a release before this fix:

CSCsb25337
unnecessary tcp ports opened in default router config
