Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Calls from Cisco?

Hi all,


These days our customer's endpoint(C20 TC5.1.3) repeatedly receives calls from unknown endpoints(or MCU?) .

And it happens once every 10 minutes, tops.


The result of xhistory is as follows.

  Call Type:none
  IP address:H.323Cisco
  CallRate:64 or 128


This endpoint is not deployed behind VCS-E, but just a static NAT router.

SIP is disabled on this endpoint and calls are H.323 but it seems like SIP Ghost call or like that...

Does anybody know what these calls are ?







New Member

Hi Kotaro, It is "normal

Hi Kotaro,


It is "normal attack". Someone has started attacks to try call through H.323 available device to PSTN numbers. It is changing source IP address so you are not able to filtr based on source IP.

I can see such attacks on our VCSEs where all this attacks are discarded.

Your issue is you have old SW version and you use static NAT.

Best solution for you is to use VCSE. If not possible try to upgrade to latest SW version and use ACL on your router to allow calls from known IP addresses only.



VIP Purple

This is even happening on new

This is even happening on new software releases, as these attacks are happening using the H323 protocol, nothing on the codec can be done to prevent the attacks without breaking H323.  Just like any other time, people are adapting, and trying different methods to exploit organizations networks, this is a prime example, first it was using SIP UDP, now it's using H323 TCP.  Best solution is to prevent all incoming IPs from accessing the codec, and only allow specific IPs that you choose.

Btw, a search of the forums would have turned up several discussions on this, each with the same answers as above.  Below are just a few of those discussions started within the last two weeks.




CreatePlease to create content