I have a UC560 that is connected with analog trunk lines. I noticed that we were unable to make an outgoing call and every line was busy with an outgoing international call. I ran "sh voice call status" and found that all the ports had dialed an international number, +3222288121, and it goes through dial-peer 0 (default dial-peer).
Then I noticed that someone is hacking our UC560 and committing toll fraud. Their IP is 220.127.116.11. I found it using the "sh sip-ua connections udp detail" command. I shut down all the FXO ports and then did a no shut on them. After that, all the calls are working and going outside.
However, I want to know how to block these kinds of toll fraud attacks.
This is a common issue. Essentially, you didn't restrict untrusted traffic from a public interface into this box, and since the UC500 will route off an inbound SIP or H323 invite, you're getting toll fraud. Technically no one is 'hacking' you. Metaphorically, you left your front door unlocked, so anyone can just walk in, pick up your phone, and make a call. That's essentially what is happening.
Dial-peer 0 has nothing to do with it.
Do a search in the forums on toll fraud, and you'll find some results.
Specifically, here is something I wrote up a while ago on this, which should shed some light on what is occurring.
To fix it, you want to restrict VoIP traffic from any untrusted source/interface. That's TCP/1720 and UDP/5060, but really security best practices say to deny everything from untrusted sources, unless you specifically know you want to allow it from somewhere. Hence, you should have a deny all, and only allow VoIP traffic from your ITSP (if you have one).
We've improved toll fraud prevention features with 15.1(2)T, but you can't take advantage of that on the UC500 yet until that release is built for the platform.
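One way to express the filtering described in the reply above, as an IOS extended ACL on the untrusted interface. This is an added example, not configuration from the thread; the ITSP address 192.0.2.10 (a documentation address), the ACL name WAN-VOIP-IN and the interface FastEthernet0/0 are assumptions to replace with your own values.

```cisco
! Added example. Placeholders (assumptions, not from the thread):
!   192.0.2.10       ITSP SIP proxy
!   WAN-VOIP-IN      ACL name
!   FastEthernet0/0  untrusted, public-facing interface
!
ip access-list extended WAN-VOIP-IN
 remark SIP signalling is accepted only from the ITSP
 permit udp host 192.0.2.10 any eq 5060
 remark Call setup from any other source is dropped and logged
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 deny   tcp any any eq 1720 log
 ! This example is scoped to the VoIP signalling ports only.
 ! For the default-deny policy the reply recommends, replace the
 ! line below with explicit permits for the traffic you need;
 ! the implicit deny at the end of the ACL then drops the rest.
 permit ip any any
!
interface FastEthernet0/0
 ip access-group WAN-VOIP-IN in
```

An interface takes only one inbound IP ACL, so if the WAN interface already has one applied, add these entries to that list instead of attaching a second one. `show ip access-lists WAN-VOIP-IN` shows per-entry match counts, which confirms whether the deny lines are catching unsolicited call setup attempts.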