Re: Block unwanted inbound calls on CUBE

NickBecirovic66634 · ‎01-25-2021

We have big issue with fraud calls coming through our CUBE and can't see to resolve it. I've blocked certain number through voice translation rules but they eventually find another number and get through.

We utilize E164 dial pattern and my question is:

Is it possible on our PSTN to CUBE dial-peer when an inbound call comes in where if a dialed number is not one of the numbers that belongs to us to go ahead and get it blocked?

Nithin Eluvathingal · ‎01-25-2021

You mean blocking calls based on the calling information for an incoming calls.

since it’s spam calls, they keep changing the calling number. So it will be difficult to make rules for all numbers.

NickBecirovic66634 · ‎01-25-2021

No, these are fraud calls that are somehow getting through our CUBE and we get billed for it and our PSTN provider eventually blocks all of our international calling.

If it's inbound call, I want to block a call if the called number is not one of ours. If it's outbound call I want to block the call if the calling number isn't one of ours.

Roger Kallberg · ‎01-25-2021

Can you please post your configuration from the Cube? It sounds like you might not have the necessary security measures in place for your connection with your ITSP. It would also be helpful if you could describe the connection between you and your ITSP?

NickBecirovic66634 · ‎01-25-2021

After reviewing the dial-peers it looks like trust list was not applied to all of them. I've gone ahead and fixed that and just waiting to see if we get any further fraud reports.

Roger Kallberg · ‎01-25-2021

What do you mean by trust list applied to dial peers?

NickBecirovic66634 · ‎01-25-2021

Solution outlined here:

https://support.hpe.com/hpesc/public/docDisplay?docId=c02618734&docLocale=en_US

Nithin Eluvathingal · ‎01-25-2021

IP address trust list is a very basic security feature which should be enabled to avoid tall frauds.You need to consider additional methods as @Roger Kallberg mentioned.

Roger Kallberg · ‎01-25-2021

This functionality isn’t configured under the dial peers, that’s why I asked what you meant by applied to dial peers?

Apart for this security measure you should also be using an ACL tied to your interface that limits the allowed traffic to come from your ITSP.

If not to much to ask for would you mind to post your configuration so that we can help you out.

Roger Kallberg · ‎01-26-2021

To give you an example this would be the kind of ACL that we would have on our SBCs to limit traffic to only the ITSP SBC(s).

Security Configuration specific for ITSP SIP connection
Some service providers use TCP instead of UDP, or both.
Adopt the ACL as needed for the requirements specific to the service provider.

[A.A.A.A] = LAN Interface IP Address (Voice Vlan)  
[B.B.B.B] = Assigned IP address from ITSP (Outside Interface) 
[C.C.C.C] = ITSP SIP SBC IP Address
[D.D.D.D] = ITSP CPE IP address 
Note: Please note that for some telco's, SIP SBC is same as CPE IP address

ip access-list extended PSTN_ACL
 remark Permit SIP from ITSP CUBE to Company Name CUBE
 permit udp host [C.C.C.C] host [B.B.B.B] eq 5060
 permit udp host [C.C.C.C] eq 5060 host [B.B.B.B]
 remark Permit RTP from ITSP CUBE to Company Name CUBE
 permit udp host [C.C.C.C] host [B.B.B.B] range 16384 32766
 remark Permit ICMP from ITSP CUBE to Company Name CUBE
 permit icmp host [C.C.C.C] host [B.B.B.B]
 permit icmp host [D.D.D.D] host [B.B.B.B]
!
interface GigabitEthernet0/0/1
 ip access-group PSTN_ACL in

call treatment on
call threshold global cpu-avg low 70 high 80
call threshold global total-mem low 70 high 80
call spike 10 steps 6 size 200