
New Member

CME is being attacked

Hello,

After many hours of trial and error, I finally got the CME express to work properly for the most part, THANKS to some of you guys who assisted me along the way.

What shocked me is that within a few days I see that I'm being attacked and they're already trying to route traffic to my CME. NOT sure if people sit all day and scan for open ports on public IPs, but this is crazy and scary. Well, luckily they haven't gotten too far and have been unsuccessful so far.

Now my question would be: is the ACL good enough to prevent these attacks, or should I put my CME behind a firewall? Right now the router is exposed to the Internet with a public IP.

This is the log on my router from the "friendly scanner" that tries constantly, every couple of seconds, with different DNs.

028295: Apr 24 17:47:09.996: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
REGISTER sip:172.22.1.1 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-1472330521;rport
Content-Length: 0
From: "6589"<sip:6589@172.22.1.1>;tag=363538390132363931303137363339
Accept: application/sdp
User-Agent: friendly-scanner
To: "6589"<sip:6589@172.22.1.1>
Contact: sip:6589@172.22.1.1
CSeq: 1 REGISTER
Call-ID: 509813374
Max-Forwards: 70

028296: Apr 24 17:47:10.000: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 500 Internal Server Error
From: "6590"<sip:6590@172.22.1.1>;tag=363539300131323331333530323630
Content-Length: 0
To: "6590"<sip:6590@172.22.1.1>
Call-ID: 1518929041
Via: SIP/2.0/UDP 127.0.0.1:5065;branch=z9hG4bK-2627705638;rport;received=75.150.62.125
CSeq: 1 REGISTER

028297: Apr 24 17:47:10.000: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 500 Internal Server Error
From: "6589"<sip:6589@172.22.1.1>;tag=363538390132363931303137363339
Content-Length: 0
To: "6589"<sip:6589@172.22.1.1>
Call-ID: 509813374
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-1472330521;rport;received=75.150.62.125
CSeq: 1 REGISTER

028298: Apr 24 17:47:10.008: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
REGISTER sip:172.22.1.1 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5065;branch=z9hG4bK-2492295906;rport
Content-Length: 0
From: "6591"<sip:6591@172.22.1.1>;tag=36353931013531323733303530
Accept: application/sdp
User-Agent: friendly-scanner
To: "6591"<sip:6591@172.22.1.1>
Contact: sip:6591@172.22.1.1
CSeq: 1 REGISTER
Call-ID: 3777751790
Max-Forwards: 70

028299: Apr 24 17:47:10.012: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 500 Internal Server Error
From: "6591"<sip:6591@172.22.1.1>;tag=36353931013531323733303530
Content-Length: 0
To: "6591"<sip:6591@172.22.1.1>
Call-ID: 3777751790
Via: SIP/2.0/UDP 127.0.0.1:5065;branch=z9hG4bK-2492295906;rport;received=75.150.62.125
CSeq: 1 REGISTER

028300: Apr 24 17:47:10.012: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
REGISTER sip:172.22.1.1 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-3443662857;rport
Content-Length: 0
From: "6590"<sip:6590@172.22.1.1>;tag=363539300131373837373237393739
Accept: application/sdp
User-Agent: friendly-scanner
To: "6590"<sip:6590@172.22.1.1>
Contact: sip:6590@172.22.1.1
CSeq: 1 REGISTER
Call-ID: 1747775712
Max-Forwards: 70

5 REPLIES
Hall of Fame Super Red

CME is being attacked

Hi there,

I would have a look at this good CME doc:

Configuring Toll Fraud Prevention

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmetoll.html

Cheers!

Rob

New Member

CME is being attacked

Hey Rob,

Thanks for the link. Yes, I did read this before; unfortunately I'm running CME v7.1 and this was added in 8.1.

I apologize for not mentioning that in my initial post.

Thanks again

Green

Re: CME is being attacked

Hi,

Have a wee look at this link.

http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/vcallcon/ps4625/uc_expresstoll.pdf

Page 11

An extended access list should do the trick.

Regards

Alex

Regards, Alex. Please rate useful posts.
Bronze

CME is being attacked

I concur with Alex. For the moment you're responding to the scanner over SIP.

Identify the source IP; block this and the scanner will give up after a few days.

Hall of Fame Super Gold

CME is being attacked

ADAM CRISP wrote:

I concur with Alex. For the moment you're responding to the scanner over SIP.

Identify the source IP; block this and the scanner will give up after a few days.

Then another will come.

As Acambpell pointed out, one needs to apply a new IOS, or block any attempt from outside, not just from a given source.
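Whichever of the two approaches above is taken, the first step is pulling the real peer address out of the debug output in the original post. The following Python parser is an added example, not code from this thread or from Cisco: it splits the ccsipDisplayMsg log into messages, and because the scanner's own Via header claims 127.0.0.1, it takes the peer from the received= tag the router stamps on its reply, matched to the inbound REGISTER by Call-ID. The embedded sample is a trimmed excerpt of the log quoted in the first post.

```python
import re
# Sample input: a trimmed excerpt of the ccsipDisplayMsg log quoted in the first post.
SAMPLE_LOG = """\
028295: Apr 24 17:47:09.996: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
REGISTER sip:172.22.1.1 SIP/2.0
From: "6589"<sip:6589@172.22.1.1>;tag=363538390132363931303137363339
User-Agent: friendly-scanner
Call-ID: 509813374
028297: Apr 24 17:47:10.000: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 500 Internal Server Error
Call-ID: 509813374
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-1472330521;rport;received=75.150.62.125
028298: Apr 24 17:47:10.008: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
REGISTER sip:172.22.1.1 SIP/2.0
From: "6591"<sip:6591@172.22.1.1>;tag=36353931013531323733303530
User-Agent: friendly-scanner
Call-ID: 3777751790
028299: Apr 24 17:47:10.012: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 500 Internal Server Error
Call-ID: 3777751790
Via: SIP/2.0/UDP 127.0.0.1:5065;branch=z9hG4bK-2492295906;rport;received=75.150.62.125
"""

def summarize_register_scan(text):
    """Map peer IP -> [(extension, user-agent)] for every inbound REGISTER."""
    msgs = []                                   # [direction, first line, headers]
    for line in text.splitlines():
        if line.rstrip().endswith("ccsipDisplayMsg:"):
            msgs.append(["", "", {}])
        elif msgs and line in ("Received:", "Sent:"):
            msgs[-1][0] = line[:-1]
        elif msgs and line.strip() and not msgs[-1][1]:
            msgs[-1][1] = line                  # request line or status line
        elif msgs and ":" in line:
            name, value = line.split(":", 1)
            msgs[-1][2][name.strip().lower()] = value.strip()
    # Real peer = the received= tag the router stamps on its reply (the scanner's Via says 127.0.0.1)
    peer_by_callid = {h.get("call-id"): m.group(1) for d, _, h in msgs
                      if d == "Sent" and (m := re.search(r";received=([\d.]+)", h.get("via", "")))}
    attempts = {}
    for direction, first, hdr in msgs:
        if direction == "Received" and first.startswith("REGISTER "):
            ext = re.search(r"sip:([^@>]+)@", hdr.get("from", ""))
            peer = peer_by_callid.get(hdr.get("call-id"), "unknown")
            attempts.setdefault(peer, []).append((ext.group(1) if ext else "?", hdr.get("user-agent", "")))
    return attempts
```

Run over the full log in the first post it returns a single peer with the DNs it tried; a 500 reply whose Call-ID has no REGISTER in the capture (1518929041 above) is simply ignored.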
