I don't know if you have been going through this problem.
Many clients that have access to the Internet through an ADSL service are having their phone/voice lines busy because an external user on the Internet takes their lines to make worldwide phone calls, charging the cost to the ADSL user.
The fraud is related to the way the hacker takes over the gateway that belongs to another user in another country and provides phone services.
Please let me know if you have heard about this. Is there any vulnerability?
Thanks in advance.
You need to get in touch with the IXC or whoever is providing the SIP telephony service. They will have a CDR of all calls and the IP address that the call originated from. The reason that these fraudsters are able to make these calls is because there is basically no real authentication at the IXC SIP peer. It should require a username, password, and a hardcoded static IP address (in other words, not just any host should be able to connect to the SIP proxy and generate calls, only hosts from a specific static IP address.) If you can't do that, there will pretty much always be fraudulent use. Change to a telephony provider that has some security.
HTH - don't forget to rate posts!
Thanks 4 your reply.
The thing is that behind the ADSL modem we have a PIX and a router with CCME in the LAN that is the local PBX (with SCCP phones; there are no H323/SIP trunks). So the attack was made from the Internet and they reached the LAN to make phone calls (toll fraud) using the IP PBX in the LAN through the COs connected to that router. Do you know about any bug or vulnerability?
Thanks once again!
I'm pasting some info collected about it.
And take a look at the following IP address:
The following phone calls are made from somewhere on the Internet, taking advantage of some vulnerability.
WGIRtr01#sho voice call active voice compact
Total call-legs: 8
513 ANS T6 g729r8 VOIP P10101010101 22.214.171.124:18188
514 ORG T6 g729r8 TELE P9001095367356257
515 ANS T6 g729r8 VOIP P10101010101 126.96.36.199:18196
516 ORG T6 g729r8 TELE P90010951534883
517 ANS T4 g729r8 VOIP P10101010101 188.8.131.52:18204
518 ORG T4 g729r8 TELE P9001021260860325
519 ANS T5 g729r8 VOIP P10101010101 184.108.40.206:18212
520 ORG T5 g729r8 TELE P9001095015569
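The listing above pairs each answered VoIP leg (ANS ... VOIP, with a remote IP:port) with the outbound PSTN leg (ORG ... TELE) that dialled the number. The script below is an added example, not code from this thread or from Cisco: it parses that compact call-leg output and flags bridged calls whose VoIP leg came from an address outside a trusted range and whose PSTN leg dialled an international number. The trusted networks, the "900" dial prefix (assumed to be 9 for an outside line plus 00 for international access) and the rule that the two legs of one call appear as consecutive call IDs are all assumptions for this example; adjust them to the site's dial plan.

```python
"""Flag likely toll fraud in a `show call active voice compact`-style listing:
an inbound VoIP leg from an untrusted address bridged to an outbound PSTN leg
that dialled an international number (added example, not from the thread)."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the listing pasted in the thread, minus the router prompt.
SAMPLE_OUTPUT = """\
Total call-legs: 8
513 ANS T6 g729r8 VOIP P10101010101 22.214.171.124:18188
514 ORG T6 g729r8 TELE P9001095367356257
515 ANS T6 g729r8 VOIP P10101010101 126.96.36.199:18196
516 ORG T6 g729r8 TELE P90010951534883
517 ANS T4 g729r8 VOIP P10101010101 188.8.131.52:18204
518 ORG T4 g729r8 TELE P9001021260860325
519 ANS T5 g729r8 VOIP P10101010101 184.108.40.206:18212
520 ORG T5 g729r8 TELE P9001095015569
"""

# One call leg per line: id, ANS/ORG, T<elapsed seconds>, codec, VOIP/TELE,
# P<number>, and for VoIP legs the remote address and port.
LEG_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<dir>ANS|ORG)\s+T(?P<secs>\d+)\s+(?P<codec>\S+)\s+"
    r"(?P<kind>VOIP|TELE)\s+P(?P<number>\d+)"
    r"(?:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+))?\s*$"
)


def parse_legs(text):
    """Return one dict per call leg; header lines that are not legs are skipped."""
    legs = []
    for line in text.splitlines():
        m = LEG_RE.match(line.strip())
        if not m:
            continue
        leg = m.groupdict()
        leg["id"] = int(leg["id"])
        leg["secs"] = int(leg["secs"])
        leg["port"] = int(leg["port"]) if leg["port"] else None
        legs.append(leg)
    return legs


def pair_calls(legs):
    """Pair an answered (ANS) leg with the originated (ORG) leg that follows it.
    Assumption: the two legs of one bridged call have consecutive call IDs."""
    by_id = {leg["id"]: leg for leg in legs}
    pairs = []
    for leg in legs:
        if leg["dir"] == "ANS":
            out = by_id.get(leg["id"] + 1)
            if out and out["dir"] == "ORG":
                pairs.append((leg, out))
    return pairs


def find_toll_fraud(text, trusted_nets, intl_prefix="900"):
    """Return the bridged calls whose VoIP leg came from outside trusted_nets
    and whose PSTN leg dialled a number starting with intl_prefix."""
    nets = [ip_network(n) for n in trusted_nets]
    findings = []
    for inbound, outbound in pair_calls(parse_legs(text)):
        if inbound["kind"] != "VOIP" or outbound["kind"] != "TELE" or not inbound["ip"]:
            continue
        src = ip_address(inbound["ip"])
        if any(src in n for n in nets):
            continue  # came from a network we expect VoIP from
        if not outbound["number"].startswith(intl_prefix):
            continue  # domestic call; not what this check is after
        findings.append({
            "inbound_id": inbound["id"],
            "remote_ip": inbound["ip"],
            "dialed": outbound["number"],
            "secs": outbound["secs"],
        })
    return findings


if __name__ == "__main__":
    # Hypothetical trusted ranges: the site LAN only, since this CCME has no
    # legitimate VoIP peers on the Internet.
    for f in find_toll_fraud(SAMPLE_OUTPUT, ["10.0.0.0/8", "192.168.0.0/16"]):
        print(f"call {f['inbound_id']}: {f['remote_ip']} -> {f['dialed']} ({f['secs']}s)")
```

On the pasted sample every one of the four bridged calls is flagged, because each VoIP leg comes from a public address and each PSTN leg starts with the assumed international prefix. Run against the real output periodically (or feed it the provider's CDR), a non-empty result is the signal to check the router's SIP exposure and the dial-peers.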
If 220.127.116.11 is not your own address, then it has nothing to do with your inside network or with a bug or exploit. Like I said before, if your SIP peer on the Internet is not secure, anyone could connect to it and make calls. It wouldn't matter where the connection came from. That's why I said that if your IXC can't lock it down properly, find another one.
Please rate this post if it helps
The thing is that we do not use any SIP connection through the Internet. It's just the CCME in the LAN that has been accessed from the Internet... somehow. That CCME does not have any voice/data traffic from/to the Internet, and even so, it happened.
The CCME only has dial-peers to connect to the local PSTN. We don't have dial-peers to any other system/PBX.
One vulnerability I know about is (even not using SIP):
but this shouldn't affect you. Having in mind the facts you detected, you may have to dig deeper for some configuration problems.
Hi Orlando. I have the same problem as you. You must stop udp:5060 and tcp:5060 with an ACL or:
Router(config-sip-ua)#no transport udp
Router(config-sip-ua)#no transport tcp
For more info: http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml
Thanks a lot 4 your reply.
I was out of the office, and now I'm back on this case.
I'll try, and let you know if it works 4 me.
Have a nice day.