New Member

source=[h323Id='cisco' ] IncomingCalls

Hi!

Help me, please.

I do not have a SIP server.

The device has global_IP.

I configured "sip listenport off"

but

"Cisco" calls me

Oct 24 14:23:52.816 ppc appl[2786]: 163.82 H323Call I: h323_call_handler::handleH323CallInd(s=1) Incoming call indication (rate=64000 lang='' tlph=1 source=[h323Id='cisco' ipv4 ='202.57.32.35' ] dest=[ipv4 ='MY_IP' e164=' ' ])

Oct 24 14:23:52.828 ppc appl[2786]: 163.83 IxCtrl I: iXController(0x49e00514) registerProtocolUser: proto=1, user=0x49e0060c

Oct 24 14:23:52.836 ppc appl[2786]: 163.84 MainEvents I: LayoutUpdated(p=1) outputNo=2 og=8

Oct 24 14:23:52.854 ppc appl[2786]: 163.86 MainEvents I: LayoutUpdated(p=1) outputNo=2 og=8

Oct 24 14:23:52.856 ppc appl[2786]: 163.86 MainEvents I: LayoutUpdated ...frame[SelfviewPip] selfviewPip p=1 src=1 ig=3 x=7487 y=7499 w=2409 h=2409 l=1 b=1 snapBorder stretch

Oct 24 14:23:52.866 ppc appl[2786]: 163.87 MainEvents I: IncomingCallInvite(p=2) remoteURI='h323:cisco' displayName='cisco' localURI='h323:MY_IP'

Oct 24 14:23:52.882 ppc appl[2786]: 163.88 MediaStreamController I: SC::PlayReq(og=12) path='/sounds/nordic.mp4', toneType=file
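
One way to triage an endpoint log like the one above for these probes, as an added example that is not part of the original post: it pulls every `handleH323CallInd` line apart and counts, per source address, the calls that announce the H.323 ID "cisco". The function names are hypothetical, and the sample lines are constructed in the same format with documentation-range addresses.

```python
import re
from collections import Counter

# Constructed sample in the format of the endpoint log quoted in the post;
# all addresses and the dialled number are placeholders, not real indicators.
SAMPLE_LOG = """\
Oct 24 14:23:52.816 ppc appl[2786]: 163.82 H323Call I: h323_call_handler::handleH323CallInd(s=1) Incoming call indication (rate=64000 lang='' tlph=1 source=[h323Id='cisco' ipv4 ='192.0.2.35' ] dest=[ipv4 ='198.51.100.10' e164=' ' ])
Oct 24 14:23:52.866 ppc appl[2786]: 163.87 MainEvents I: IncomingCallInvite(p=2) remoteURI='h323:cisco' displayName='cisco' localURI='h323:198.51.100.10'
Oct 24 14:31:07.120 ppc appl[2786]: 170.11 H323Call I: h323_call_handler::handleH323CallInd(s=2) Incoming call indication (rate=64000 lang='' tlph=1 source=[h323Id='cisco' ipv4 ='192.0.2.77' ] dest=[ipv4 ='198.51.100.10' e164='00440000000000' ])
Oct 24 15:02:44.501 ppc appl[2786]: 201.40 H323Call I: h323_call_handler::handleH323CallInd(s=3) Incoming call indication (rate=768000 lang='' tlph=0 source=[h323Id='boardroom.example' ipv4 ='203.0.113.8' ] dest=[ipv4 ='198.51.100.10' e164=' ' ])
Oct 24 15:40:09.003 ppc appl[2786]: 240.02 H323Call I: h323_call_handler::handleH323CallInd(s=4) Incoming call indication (rate=64000 lang='' tlph=1 source=[h323Id='cisco' ipv4 ='192.0.2.35' ] dest=[ipv4 ='198.51.100.10' e164=' ' ])
"""

# Timestamp, then the bracketed source=[...] and dest=[...] groups of a call indication.
CALL_IND = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s.*handleH323CallInd.*?"
    r"source=\[(?P<source>[^\]]*)\]\s*dest=\[(?P<dest>[^\]]*)\]"
)
# key='value' pairs inside a group; the log sometimes puts a space before '='.
FIELD = re.compile(r"(\w+)\s*=\s*'([^']*)'")


def parse_call_indications(log_text):
    """Return one dict per incoming H.323 call indication found in the log."""
    calls = []
    for line in log_text.splitlines():
        m = CALL_IND.search(line)
        if not m:
            continue  # layout updates, ringtone playback, etc.
        src = dict(FIELD.findall(m.group("source")))
        dst = dict(FIELD.findall(m.group("dest")))
        calls.append({
            "time": m.group("ts"),
            "alias": src.get("h323Id", "").strip(),
            "src_ip": src.get("ipv4", "").strip(),
            "dialled": dst.get("e164", "").strip(),
        })
    return calls


def suspicious_sources(calls, alias="cisco"):
    """Count calls per source IP whose H.323 ID equals the scanner alias."""
    return Counter(c["src_ip"] for c in calls if c["alias"].lower() == alias.lower())


if __name__ == "__main__":
    for ip, n in suspicious_sources(parse_call_indications(SAMPLE_LOG)).most_common():
        print(f"{ip}\t{n} call(s) with h323Id='cisco'")
```

The per-address counts give a starting list for a firewall rule, and the `dialled` field shows whether a probe carried an E.164 number at all.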

 

1 ACCEPTED SOLUTION

I've seen these calls hitting my VCS-E lately, you're being scanned by someone looking to make free phone calls, don't think you'll be able to do much about it unless you put your system behind a firewall and get rid of that public IP address.

Guess you could at least safeguard the unit a bit by turning auto-answer off, or indeed keep your system turned off until you want to use it.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

26 REPLIES

New Member

Thank you for answering !

New Member

Hi Guys,

Please view the below link for the solution and for an up-to-date IP black list:

http://www.videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/

Thanks,

Ali Ibraheem

New Member

They use an Asterisk-based server generating automated standard H.323 calls, therefore it's not easy to identify the spam call and tackle it.

It overloads the targeted system with continuous open sessions, causing a DoS problem.

VIP Purple

I've started seeing the same thing on our VCS-E as well, UDP is turned off, seems they've started on the TCP port now looking at my VCS logs, in the past it was SIP UDP.  All my "cisco" calls are H323 TCP.  I've added the "cisco" source to my CPL to block these.  The only ports we have open are the ones in the deployment guide.

Yeah, I did the same with my CPL, worked for a while, but noticed a few the other day which got around the CPL somehow - they failed anyway, so no harm done, but need to look into this a bit more by the looks of things. :(

/jens

VIP Purple

Yeah, I opened a TAC case earlier to see if there is possibly a way to mitigate it (if possible), similar to the other methods for the endpoints and VCS for SIP UDP and the 100@VCS_IP calls.  CPL scripts are nice, but at times they do get cumbersome with everything you're having to add to them all the time to prevent things like this.

Cool, would appreciate if you could update the thread with the outcome when known. :)

/jens

VIP Purple

Cisco didn't have any recommendations, only that there is no direct solution, but they do know the priority of the issue.

However, you can do one of the following to help prevent these calls:

  • Configure a firewall to block all incoming IPs except those you specify or allow to dial into your network.
  • Configure your endpoints to use a call control server such as CUCM or VCS.
  • If you have a VCS, you can create a CPL script that can stop these calls.

There is no direct solution or configuration that can be done on the endpoints to prevent these calls, because this is using H323 TCP, it's very hard to prevent them without breaking H323.

Thanks Patrick,

That was pretty much what I expected. Is your CPL blocking them, as mine is not?

Testing it using the locate tool invokes the CPL and tells me it's working ok, but I'm finding it is not blocking the actual calls.

Not that any of the calls succeed, mind you, they all fail with "interworked no permission" type errors, so they never reach my second line of defence, which involves breaking the dial string anyway.

/jens

VIP Purple

When you use the locate tool, are you specifying that it's an unauthenticated call, and is your DefaultZone set to Check Credentials?

What source or destination do you have your CPL using?

The CPL that I'm using is stopping all of them, it's based on all unauthenticated calls that have a source alias of "cisco", you could also base it on destination on X set of numbers long, where X is some number that is out of the range of your existing dial plan, but within the range of attacks such as this.

Currently using: unauthenticated-origin="cisco" destination=".*"><reject status="403"/> which should, theoretically reject any calls from "cisco" to all destinations, and as I said, when testing it using the call details from one of the actual calls, specifying it as unauthenticated, it works - I get the 403 forbidden response I expect to see. Might have to play around with the destination pattern and see how it goes.

/jens

VIP Purple

Actually, I just realized something: try just origin alone.  Because the source appears as "cisco@VCS_IP", the VCS_IP is probably seen as an authenticated source.  My CPL uses the same as you, except I have it configured for both unauthenticated and authenticated, so the only difference between you and me is the authenticated part.

I've added authenticated to the list - let's see how that goes.

/jens

New Member

add to CPL "unauthenticated-origin="cisco" destination=".*"><reject status="403"/> " works well.

 

I think there should be better protection, but will be watching ...

thanks a lot.

As you can see from my earlier post that's exactly what I'm using.

/jens

New Member

is right !!

 

 

VIP Purple

Attached is the CPL script I'm using.  We're checking credentials on the Expressway DefaultZone.

As you can see it's working for us below:

H323 (Setup) cisco 0441227806181 Denied by policy
H323 (Setup) cisco 00441315070102 Denied by policy
H323 (Setup) cisco 000441227806181 Denied by policy
H323 (Setup) cisco 00000441315070102 Denied by policy

I typically add both authenticated and unauthenticated in cases like this, just to make sure I catch anything that might somehow find its way through the other.

Tidy, like. Well done all.

"We're checking credentials on the Expressway DefaultZone."

Looks like that might be the key as I currently don't do that as I found in the past that it broke my JabberVideo service for our external users.

Haven't looked at it again since then (x6 or so), so guess it's time to take another look at it.

Having said that, the CPL worked fine blocking the unwanted SIP calls without checking the credentials on the VCS-E DZ, but this is a different thing altogether.

Just checked the VCS-E and haven't had any of these calls since I last edited the CPL - so, gonna have to wait and see for now.

/jens


You can easily simulate them, just put an endpoint on a public IP, call the h323 "cisco" and dial 00442234234234234@yourvcsip ;-)

 

happy Halloween

Please remember to rate helpful responses and identify

Tried that remotely from home with an MXP, but it won't accept E.164 Alias or H.323 ID unless the call mode is "Gatekeeper/Callmanager", but for this purpose it has to be "Direct". Also, the calls appear to use a range of IP addresses as the origin in the same attack, not cisco@VCS_IP (which I can easily block).

/jens

New Member

I can add as CPL? please do not do this constantly and intruding

 

New Member

what is CPL?

VIP Purple

Call Processing Language, you can use a CPL script with the VCS/Expressway products to manipulate how calls are being made or received.

New Member

Now, it could be I'm missing something obvious, but it's interesting that these attempts are not reaching or piling up in the auto-attendant of either of our MCUs (4210 & 5320).

 

I believe I'm seeing them fail here in the error log:

 
