
source=[h323Id='cisco' ] IncomingCalls

Ozgur Shahin
Level 1

Hi!

Help me please

I do not have a SIP server.

The device has global_IP.

I configured "sip listenport off"

but

"Cisco" calls me

Oct 24 14:23:52.816 ppc appl[2786]: 163.82 H323Call I: h323_call_handler::handleH323CallInd(s=1) Incoming call indication (rate=64000 lang='' tlph=1 source=[h323Id='cisco' ipv4 ='202.57.32.35' ] dest=[ipv4 ='MY_IP' e164=' ' ])

Oct 24 14:23:52.828 ppc appl[2786]: 163.83 IxCtrl I: iXController(0x49e00514) registerProtocolUser: proto=1, user=0x49e0060c

Oct 24 14:23:52.836 ppc appl[2786]: 163.84 MainEvents I: LayoutUpdated(p=1) outputNo=2 og=8

Oct 24 14:23:52.854 ppc appl[2786]: 163.86 MainEvents I: LayoutUpdated(p=1) outputNo=2 og=8

Oct 24 14:23:52.856 ppc appl[2786]: 163.86 MainEvents I: LayoutUpdated ...frame[SelfviewPip] selfviewPip p=1 src=1 ig=3 x=7487 y=7499 w=2409 h=2409 l=1 b=1 snapBorder stretch

Oct 24 14:23:52.866 ppc appl[2786]: 163.87 MainEvents I: IncomingCallInvite(p=2) remoteURI='h323:cisco' displayName='cisco' localURI='h323:MY_IP'

Oct 24 14:23:52.882 ppc appl[2786]: 163.88 MediaStreamController I: SC::PlayReq(og=12) path='/sounds/nordic.mp4', toneType=file
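
The log lines above can be triaged automatically. The following is an added example, not part of the original post and not Cisco code: it parses the endpoint's "Incoming call indication" line and counts source IPs that present a suspect H.323 ID, which gives a candidate list for a firewall block rule. The alias set, the case-insensitive match and every sample line after the first are assumptions constructed for the example.

```python
import re
from collections import Counter

# Matches the endpoint's "Incoming call indication" line and captures the
# caller-supplied H.323 ID and the source IPv4 address.
CALL_RE = re.compile(
    r"handleH323CallInd\(.*?\) Incoming call indication .*?"
    r"source=\[h323Id='(?P<alias>[^']*)' ipv4 ='(?P<ip>[\d.]+)'"
)

# Assumption: aliases treated as scanner fingerprints. 'cisco' is the one
# reported in this thread; the alias is caller-supplied, so a call without
# it is not proven legitimate.
SUSPECT_ALIASES = {"cisco"}


def suspect_callers(lines, aliases=SUSPECT_ALIASES):
    """Return a Counter mapping source IP -> number of suspect calls."""
    hits = Counter()
    for line in lines:
        m = CALL_RE.search(line)
        # Case-insensitive alias comparison is an assumption of this example.
        if m and m.group("alias").lower() in aliases:
            hits[m.group("ip")] += 1
    return hits


# First line is taken from the post; the remaining lines are constructed.
SAMPLE_LOG = """\
Oct 24 14:23:52.816 ppc appl[2786]: 163.82 H323Call I: h323_call_handler::handleH323CallInd(s=1) Incoming call indication (rate=64000 lang='' tlph=1 source=[h323Id='cisco' ipv4 ='202.57.32.35' ] dest=[ipv4 ='MY_IP' e164=' ' ])
Oct 24 14:23:52.866 ppc appl[2786]: 163.87 MainEvents I: IncomingCallInvite(p=2) remoteURI='h323:cisco' displayName='cisco' localURI='h323:MY_IP'
Oct 24 14:31:10.102 ppc appl[2786]: 171.10 H323Call I: h323_call_handler::handleH323CallInd(s=1) Incoming call indication (rate=64000 lang='' tlph=1 source=[h323Id='cisco' ipv4 ='202.57.32.35' ] dest=[ipv4 ='MY_IP' e164=' ' ])
Oct 24 15:02:44.518 ppc appl[2786]: 203.51 H323Call I: h323_call_handler::handleH323CallInd(s=1) Incoming call indication (rate=384000 lang='' tlph=1 source=[h323Id='boardroom.example' ipv4 ='198.51.100.7' ] dest=[ipv4 ='MY_IP' e164=' ' ])
Oct 24 15:40:03.007 ppc appl[2786]: 241.00 H323Call I: h323_call_handler::handleH323CallInd(s=1) Incoming call indication (rate=64000 lang='' tlph=1 source=[h323Id='Cisco' ipv4 ='203.0.113.19' ] dest=[ipv4 ='MY_IP' e164=' ' ])
""".splitlines()

if __name__ == "__main__":
    for ip, count in suspect_callers(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} call(s) with suspect H.323 ID")
```
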

 


Accepted Solutions

Jens Didriksen
Level 9

I've seen these calls hitting my VCS-E lately, you're being scanned by someone looking to make free phone calls, don't think you'll be able to do much about it unless you put your system behind a firewall and get rid of that public IP address.

Guess you could at least safeguard the unit a bit by turning auto-answer off, or indeed keep your system turned off until you want to use it.

/jens

Please rate replies and mark question(s) as "answered" if applicable.


Thank you for answering!

Hi Guys,

Please view the below link for the solution and for an up-to-date IP black list:

http://www.videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/

Thanks,

Ali Ibraheem

They use an Asterisk-based server generating automated standard H.323 calls, therefore it's not easy to identify the spam call and tackle it.

It overloads the targeted system with continuous open sessions, causing a DoS problem.

I've started seeing the same thing on our VCS-E as well, UDP is turned off, seems they've started on the TCP port now looking at my VCS logs, in the past it was SIP UDP.  All my "cisco" calls are H323 TCP.  I've added the "cisco" source to my CPL to block these.  The only ports we have open are the ones in the deployment guide.

Yeah, I did the same with my CPL, worked for a while, but noticed a few the other day which got around the CPL somehow - they failed anyway, so no harm done, but need to look into this a bit more by the looks of things. :(

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Yeah, I opened a TAC case earlier to see if there is possibly a way to mitigate it (if possible), similar to the other methods for the endpoints and VCS for SIP UDP and the 100@VCS_IP calls.  CPL scripts are nice, but at times they do get cumbersome with everything you're having to add to them all the time to prevent things like this.

Cool, would appreciate if you could update the thread with the outcome when known. :)

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Cisco didn't have any recommendations, only that there is no direct solution, but they do know the priority of the issue.

However, you can do one of the following to help prevent these calls:

  • Configure your firewall to block all incoming IPs except those you specify or allow to dial into your network.
  • Configure your endpoints to use a call control server such as CUCM or VCS.
  • If you have a VCS, you can create a CPL script that can stop these calls.

There is no direct solution or configuration that can be done on the endpoints to prevent these calls, because this is using H323 TCP, it's very hard to prevent them without breaking H323.

Thanks Patrick,

was pretty much what I expected, is your CPL blocking them as mine is not?

Testing it using the locate tool invokes the CPL and tells me it's working ok, but I'm finding it is not blocking the actual calls.

Not that any of the calls succeed, mind you, they all fail with "interworked no permission" type errors, so they never reach my second line of defence which involves breaking the dial string anyway.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

When you use the locate tool, are you specifying that it's an unauthenticated call, and is your DefaultZone set to Check Credentials?

What source or destination do you have your CPL using?

The CPL that I'm using is stopping all of them, it's based on all unauthenticated calls that have a source alias of "cisco", you could also base it on destination on X set of numbers long, where X is some number that is out of the range of your existing dial plan, but within the range of attacks such as this.

Currently using: unauthenticated-origin="cisco" destination=".*"><reject status="403"/> which should, theoretically reject any calls from "cisco" to all destinations, and as I said, when testing it using the call details from one of the actual calls, specifying it as unauthenticated, it works - I get the 403 forbidden response I expect to see. Might have to play around with the destination pattern and see how it goes.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Actually I just realized something, try just origin alone.  Because the source appears as "cisco@VCS_IP", the VCS_IP is probably seen as an authenticated source.  My CPL uses the same as you, except I have it configured for both unauthenticated and authenticated, so the only difference between you and me is the authenticated part.

I've added authenticated to the list - let's see how that goes.

/jens

Please rate replies and mark question(s) as "answered" if applicable.