VCS-Expressways hacked from the Internet - Warning

Hello,

I already found 2 cases where a configuration with VCS-Expressway/VCS-Control and ISDN gateway was hacked from the Internet.

Apparently the hacker first scans the Internet for a VCS-Expressway. I've no idea how this is done but I guess it is via SNMP or HTTP requests.

Once a VCS-Expressway is found the hacker tries to make calls via the ISDN-gateway. First they guess which prefix to be used; most common are 0 or 9. But apparently they also manage to find other prefixes like 50 or 40.

Then during the weekend and night they start to make calls using a SIP UA.

In all cases the dialled numbers are based in Cuba and all calls have random numbers, eg: 0005352634021,0005352454010,...

These calls come in on the VCS-E as SIP in the form: 90005352634021@"ip-address of VCS-E".

Most of the dialled calls are Unanswered - so I guess this is a DoS attack.

To stop these attacks I put a CPL on the VCS-E which blocks all calls to the ISDN-gwy prefix.

rgds, Geert Folens.
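A defender-side check for the pattern Geert describes (all-digit destinations that start with a gateway prefix, sent straight to the VCS-E IP address, mostly unanswered, at night or on weekends). This is an added example, not code from the thread or from Cisco; it runs over constructed sample records in a simplified "timestamp source destination result" shape, and the 198.51.100.5 / 203.0.113.7 addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Gateway prefixes named in the thread (0, 9, 50, 40), longest first so "50" wins over "0".
# 198.51.100.5 stands in for the VCS-E address (constructed, documentation range).
GATEWAY_PREFIXES = ("50", "40", "9", "0")
VCSE_ADDRESS = "198.51.100.5"

# Constructed records in a simplified "timestamp source destination result" shape;
# a real VCS-E call history export needs its own field mapping.
SAMPLE_CALLS = [
    "2012-03-10T02:14:07 sip:1001@203.0.113.7 sip:90005352634021@198.51.100.5 Unanswered",
    "2012-03-10T02:14:09 sip:1001@203.0.113.7 sip:90005352454010@198.51.100.5 Unanswered",
    "2012-03-10T02:14:12 sip:1001@203.0.113.7 sip:90005352601177@198.51.100.5 Unanswered",
    "2012-03-10T02:15:40 sip:1001@203.0.113.7 sip:90005352118390@198.51.100.5 Answered",
    "2012-03-12T09:30:00 sip:alice@example.com sip:bob@example.com Answered",
    "2012-03-12T10:05:00 sip:alice@example.com sip:9003225551234@example.com Answered",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) sip:(?P<src_user>[^@\s]+)@(?P<src_host>\S+) "
                     r"sip:(?P<dst_user>[^@\s]+)@(?P<dst_host>\S+) (?P<result>\w+)$")

def gateway_prefix(dialled):
    """Return the gateway prefix an all-digit dialled string starts with, else None."""
    if not dialled.isdigit():
        return None
    return next((p for p in GATEWAY_PREFIXES if dialled.startswith(p)), None)

def is_off_hours(ts):
    """Weekend, or 22:00-06:00: the windows the original post reports."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or t.hour >= 22 or t.hour < 6

def suspicious_sources(lines, min_attempts=3, min_unanswered_ratio=0.75):
    """Per source host: gateway-prefix calls sent straight to the VCS-E IP, mostly unanswered."""
    stats = defaultdict(lambda: {"attempts": 0, "unanswered": 0, "off_hours": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed records rather than abort the sweep
        if m["dst_host"] != VCSE_ADDRESS or gateway_prefix(m["dst_user"]) is None:
            continue  # not a direct-to-IP call into a gateway prefix
        s = stats[m["src_host"]]
        s["attempts"] += 1
        s["unanswered"] += int(m["result"] == "Unanswered")
        s["off_hours"] += int(is_off_hours(m["ts"]))
    return {h: s for h, s in stats.items() if s["attempts"] >= min_attempts
            and s["unanswered"] / s["attempts"] >= min_unanswered_ratio}
```

Sources the function returns are candidates for the CPL or search-rule block described in the thread; the off_hours count is reported alongside so a reviewer can see whether the burst matches the weekend/night pattern.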

7 REPLIES
Cisco Employee

VCS-Expressways hacked from the Internet - Warning

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-0.pdf

Please refer to page 41, Step 16: Restrict access to ISDN gateways, to prevent what is mentioned above.

You may want to have registration restriction configuration on VCS Expressway together with restriction access control (please refer to page 40, Step 15: Registration restriction configuration).

Best regards,

Tomonori Taniguchi

Cisco Employee

VCS-Expressways hacked from the Internet - Warning

Please also see the recommendations in "Cisco TelePresence Video Communication Server Basic Configuration Cisco VCS Control with Cisco VCS Expressway Deployment Guide (X7.0)" ... or the latest version of this guide. Please look at the section: "Restrict access to ISDN gateways".

This is one of the configuration guides available at:

www.cisco.com > support > VCS > configuration guides

Cisco Employee

VCS-Expressways hacked from the Internet - Warning

Great minds think alike, Tomo

Thanks

Cisco Employee

VCS-Expressways hacked from the Internet - Warning

In addition to the above referenced document, check out the Cisco TelePresence Hardening Guide for additional information on securing your TelePresence solution. We encourage folks to open a TAC case if you need further investigation.

New Member

VCS-Expressways hacked from the Internet - Warning

Unfortunately the TelePresence Hardening Guide does not exist in PDF...

New Member

Re: VCS-Expressways hacked from the Internet - Warning

This is also possible if you have a SIP trunk to a call control that has PSTN access. The search rule method suggested to block this is more scalable and allows registered users to use the gateway or SIP trunk for PSTN access.

I also put a # in GW prefixes as this terminates the dial plan and prevents hairpinning via the gateway IVR or any other IVR that consults the call control for dialled digits.

Basic CPL (admin policy) is relatively easy to get around if implemented with source aliases and wildcards.

Garvan

Re: VCS-Expressways hacked from the Internet - Warning

I'm seeing the same thing now, the majority of numbers dialled are in Libya and a couple in Egypt - appropriate search rules - and the rest - implemented, so that should hopefully be that.

Edit:

Looks like they've given up on us - was funny watching the scans and seeing them all fail though.
