Cisco Support Community

New Member

SIP trunk hacking

Hi,

I have the following setup:

CUCM---SIP---CUBE---SIP--ITSP

SIP is configured between CUCM-CUBE and the CUBE--ITSP SIP server. Both CUCM and CUBE are behind the corp firewall using private IP addresses. On the firewall we have a static mapping to CUBE and we only allow SIP traffic and audio UDP traffic to come in. Outbound long distance calls are routed on CUCM to CUBE and then to the ITSP. Everything worked fine until today, when our ITSP shut us down because of excessive international calls; we were obviously being hacked. Since syslog does not log SIP level information, I am in the dark on how to proceed to troubleshoot.

I am wondering how anybody can hack into our SIP lines and make international calls. The ITSP only accepts our source IP for SIP signaling; if somebody spoofs our legitimate IP, then how can they get return traffic from the ITSP? Any pointers will be greatly appreciated.

5 REPLIES
New Member

Re: SIP trunk hacking

It turned out that our CUBE accepts client registration from any IP on the Internet. I am just puzzled: I don't have any account/password/username configured on this CUBE, so how was it possible for a SIP client from the Internet to register? I need to open SIP ports on the firewall for inbound calling.

Hall of Fame Super Gold

Re: SIP trunk hacking

As mentioned in another thread, in IOS, registration is not a requisite for placing calls. You must use an access-list to limit the IP addresses you are allowing.

New Member

Re: SIP trunk hacking

Did you ever solve your SIP trunk hack? If so, could you please say what did the trick? Someone is constantly hacking my SIP trunk (four times now) and I'm at my wits' end trying to resolve this. Did you find the access-list mentioned by p.bevilacqua? Thanks for any advice.

New Member

Re: SIP trunk hacking

Yes, the problem was resolved. Just configure an ACL that only accepts SIP INVITEs from your ITSP's softswitch and, in my case, from CUCM, and deny everything else.

New Member

Re: SIP trunk hacking

Thanks for this info. I'm not using a softswitch; I'm just running CME from inside the router for a SIP trunk and that's it. Is there any chance you could post the ACL you used in your config? As a newbie I'm struggling with ACL config to stop this toll fraud, and maybe looking at a successful ACL will help.
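An ACL of the kind described in this thread, as an added example that is not taken from any poster's configuration: it permits SIP signaling only from the ITSP and from CUCM and drops it from every other source. The addresses, the ACL name and the interface are placeholders, and it assumes SIP on port 5060 (5061 for TLS) arriving on a single interface. Because an IOS ACL matches on addresses and ports, it filters all SIP messages on those ports, not only INVITEs.

```cisco
! Constructed example: every address, name and interface below is a placeholder.
!   203.0.113.10 = ITSP SIP server (assumed)
!   10.10.10.5   = CUCM (assumed)
ip access-list extended SIP-SIGNALING-IN
 remark Allow SIP signaling only from the ITSP and from CUCM
 permit udp host 203.0.113.10 any eq 5060
 permit tcp host 203.0.113.10 any eq 5060
 permit udp host 10.10.10.5 any eq 5060
 permit tcp host 10.10.10.5 any eq 5060
 remark Drop and log SIP signaling from every other source
 deny   udp any any range 5060 5061 log
 deny   tcp any any range 5060 5061 log
 remark Other traffic (RTP audio, management) is left to existing policy
 permit ip any any
!
! Apply inbound on the interface where SIP arrives (placeholder interface).
interface GigabitEthernet0/0
 ip access-group SIP-SIGNALING-IN in
```

After applying it, the per-line hit counters in `show ip access-lists SIP-SIGNALING-IN` show whether the deny entries are matching, and the `log` keyword sends the dropped sources to syslog.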
