cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6464
Views
10
Helpful
6
Replies

Nuisance H323 calls on SX20

Jerome_N8
Level 1
Level 1

Hi,

 

I'm having an issue with an SX20 device that keeps receiving nuisance h323 calls, no IP address is displayed and it just says "cisco".  We have received over 100 of these calls.  As a work around I have blocked all h323 on the firewall and only allowed a few IP's of known addresses that we use.

 

I tried to look in the logs of the SX20 to see if I could find the IP that was making the spam calls so I could block it but I couldn't find anything useful in there.  Is there a better way around this as now I need to manually add an IP on the firewall every time they want to dial someone new?

 

Thanks

2 Accepted Solutions

Accepted Solutions

Martin Koch
VIP Alumni
VIP Alumni

Hello!

 

Yes, I noticed that in VCS logs as well.

Before the common scans were on sip/5060/udp.

The same issue you might have when SIP is expoded to the public, especially the udp port, but there are also scans on tcp and at one point there will be TLS as well.

Its like spam, the spammers adopt.

For now I would say, as you did put it behind a firewall and only allow sources you really want to have communication with (which might not be ideal or even possible) or use a call control, like vcs or cucm+expressway upfront.

If you have your firewall upfront you could log the ip addresses which try to do h323 and sip connections, you could try to block them. But its also just playing hide and seek, there are no common ips used for scanning and anyhow you do not know where they scan from, often compromised systems are used for these scans.

Some firewalls have geo-ip features, so you could block continents / countries / areas which you are not communicating with.

 

Anyhow, consider to use a call control and do admission control there.

 

Please rate this posting using the stars below.

 

Please remember to rate helpful responses and identify

View solution in original post

This issue has been raised in a few threads already, suggest you see:

https://supportforums.cisco.com/discussion/12336591/sourceh323idcisco-incomingcalls

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Please rate replies and mark question(s) as "answered" if applicable.

View solution in original post

6 Replies 6

Martin Koch
VIP Alumni
VIP Alumni

Hello!

 

Yes, I noticed that in VCS logs as well.

Before the common scans were on sip/5060/udp.

The same issue you might have when SIP is expoded to the public, especially the udp port, but there are also scans on tcp and at one point there will be TLS as well.

Its like spam, the spammers adopt.

For now I would say, as you did put it behind a firewall and only allow sources you really want to have communication with (which might not be ideal or even possible) or use a call control, like vcs or cucm+expressway upfront.

If you have your firewall upfront you could log the ip addresses which try to do h323 and sip connections, you could try to block them. But its also just playing hide and seek, there are no common ips used for scanning and anyhow you do not know where they scan from, often compromised systems are used for these scans.

Some firewalls have geo-ip features, so you could block continents / countries / areas which you are not communicating with.

 

Anyhow, consider to use a call control and do admission control there.

 

Please rate this posting using the stars below.

 

Please remember to rate helpful responses and identify

I raised a ticket with TAC and he suggested to put my endpoints in private network, to see if I continue to receive spam calls. This doesnt solve my problem. I think the quality of Cisco's reply is starting to fall.

I noticed the spam calls are coming at a 5 minutes interval. Easily can get 100 calls in a day for each endpoints.

 

The only solution is to put it behind a VCS.E?

This issue has been raised in a few threads already, suggest you see:

https://supportforums.cisco.com/discussion/12336591/sourceh323idcisco-incomingcalls

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Please rate replies and mark question(s) as "answered" if applicable.

Thanks guys, there is no VCS-E or CUCM available in this instance so I guess there's no other choice right now apart from blocking everything like we have done.  

 

It's a minor inconvenience to add new ip's to the allowed list but not that bad as they don't make too many video calls to new destinations.

 

 

Hi Guys,

Please view the below link for the solution and for an up-to-date IP black list:

http://www.videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/

Thanks,

Ali Ibraheem

Thanks Ali, hope we hear some news from the vendors about this soon.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: