SIP is configured between CUCM and CUBE, and between CUBE and the ITSP SIP server. Both CUCM and CUBE are behind the corp firewall using private IP addresses. On the firewall we have a static mapping to CUBE, and we only allow SIP traffic and audio UDP traffic to come in. Outbound long-distance calls are routed on CUCM to CUBE and then to the ITSP. Everything worked fine until today, when our ITSP shut us down because of excessive international calls; we were obviously being hacked. Since syslog does not log SIP-level information, I am in the dark on how to proceed with troubleshooting.
I am wondering how anybody can hack into our SIP lines and make international calls. The ITSP only accepts our source IP for SIP signaling; if somebody spoofs our legitimate IP, then how can they get return traffic from the ITSP? Any pointers will be greatly appreciated.
It turned out that our CUBE accepts client registration from any IP on the Internet. I am just puzzled, since I don't have any account/password/username configured on this CUBE: how was it possible for a SIP client from the Internet to register? I need to open SIP ports on the firewall for inbound calling.
Did you ever solve your SIP trunk hack? If so, could you please say what did the trick? Someone is constantly hacking my SIP trunk (four times now) and I'm at my wits' end trying to resolve this. Did you find the access-list mentioned by p.bevilacqua? Thanks for any advice.
Thanks for this info. I'm not using a softswitch, I'm just running CME from inside the router for a SIP trunk and that's it. Is there any chance you could post the ACL you used in your config? As a newbie I'm struggling with ACL config to stop this toll fraud, and maybe looking at a successful ACL will help.
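One way to close the condition described in this thread, where the gateway accepts SIP from any Internet address, is to admit SIP signaling only from the provider. The IOS configuration below is an added example, not the ACL referred to in the thread and not any poster's own config. The addresses 203.0.113.10 (ITSP) and 10.0.0.5 (internal call agent), the interface name and the ACL name are placeholders.

```cisco
! Added example. Placeholders: 203.0.113.10 = ITSP signaling address,
! 10.0.0.5 = internal call agent such as CUCM,
! GigabitEthernet0/0 = Internet-facing interface,
! SIP-FROM-ITSP = hypothetical ACL name.
!
! 1) Interface ACL: accept SIP signaling only from the ITSP.
!    The "log" keyword makes rejected attempts visible in syslog.
ip access-list extended SIP-FROM-ITSP
 permit udp host 203.0.113.10 any eq 5060
 permit tcp host 203.0.113.10 any eq 5060
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 ! All other traffic is left to the existing policy here;
 ! replace this line with your own entries.
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group SIP-FROM-ITSP in
!
! 2) Application-level check, on IOS releases that include the
!    toll-fraud prevention feature: call setups from sources that
!    are not trusted are rejected by the voice application itself.
voice service voip
 ip address trusted authenticate
 ip address trusted list
  ipv4 203.0.113.10
  ipv4 10.0.0.5
```

After applying it, `show ip access-lists SIP-FROM-ITSP` shows the hit counters on the deny entries, which indicates how often outside hosts are still probing port 5060.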