We have a Severity 1 situation here, where there are a huge number of unidentified calls going through our Voice Gateway.
Example debug log:
44078563: Jan 19 10:59:18.605: //-1/FF4025DC8F44/CCAPI/cc_api_display_ie_subfields:
----- ccCallInfo IE subfields -----
dest=70115378622222 -------------------------> Cuba
cisco-redirectreason=-1 fwd_final_type =0
Can't find the source number since it is masked. We have written specific reject rules on the Gateway now to block calls to these countries, and even though the calls are still being attempted, they are getting rejected.
Can anyone please help me find the source of these calls or a way to track this down? These calls don't seem to come from our Call Manager, because the CDR and the SDI trace don't show anything.
voice translation-rule 16
 rule 1 reject /^7011216.*/
 rule 2 reject /^7011232.*/
 rule 3 reject /^7011212.*/
 rule 4 reject /^701193.*/
 rule 5 reject /^701153.*/
 rule 6 reject /^7011228.*/
 rule 7 reject /^7011251.*/
voice translation-profile CALLBLOCK
 translate called 16
dial-peer voice 130 voip
 call-block translation-profile incoming CALLBLOCK
 call-block disconnect-cause incoming call-reject
 voice-class codec 1
 incoming called-number .
 ip qos dscp cs3 signaling
Is the voice gateway H.323 or SIP controlled, and is it also your internet gateway?
People send attacks to H.323 and SIP ports trying to see if anybody's gateway responds to the attack. If this is an attack from the internet, I would not expect it to be in the CUCM logs.
Have a look at http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_tech_note09186a00809dc487.shtml#h323; it gives a nice overview.
If it is an attack from an external source, I would at least put in an access-list that would allow only call signalling from CUCM (if that is what you are using).
Also, span the port of your VGW and run something like Wireshark (setting up a packet capture filter for SIP or H.323 only); surely this way you should be able to figure out the source IP address that originates these calls to Cuba. Or, even better, translate all Cuban patterns to your own (internal) phone number and run Wireshark on your own machine.
It has happened to me before!!
Make sure you disable incoming requests to voice ports like SCCP and SIP from any outside IP address except your service provider's IP address.
You can simply use NBAR and enable the firewall, or create an ACL to disable incoming requests to port 5060/TCP, for instance.
(If you are using DID numbers, you just need to make sure you allow incoming traffic to those ports from your service provider.)
Thanks for the response, and sorry for the delay in replying. I was having a tough time with this. The problem was sorted out.
Configured access lists on the Gateway to permit only the IP addresses of the service providers and block the rest. Now no more attempts are seen in the debug logs.
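An access list of the kind both replies describe and the poster ended up deploying, as an added example that is not the poster's own configuration: it restricts H.323 call signalling (TCP 1720) and SIP (TCP/UDP 5060) arriving on the gateway's outside interface to the CUCM cluster and the service provider's SIP peer, logs every other signalling attempt so scanning can still be seen, and leaves non-voice traffic to whatever policy already applies. The interface name and the 192.0.2.10 (CUCM) and 198.51.100.5 (provider) addresses are placeholders.

```cisco
! Added example, not from the thread. Addresses and interface are placeholders.
ip access-list extended VOIP-SIGNALLING-IN
 remark --- CUCM cluster: H.323 (TCP 1720) and SIP (TCP/UDP 5060) ---
 permit tcp host 192.0.2.10 any eq 1720
 permit tcp host 192.0.2.10 any eq 5060
 permit udp host 192.0.2.10 any eq 5060
 remark --- Service provider SIP peer (inbound DID calls) ---
 permit tcp host 198.51.100.5 any eq 5060
 permit udp host 198.51.100.5 any eq 5060
 remark --- Everything else hitting the signalling ports is dropped and logged ---
 deny tcp any any eq 1720 log
 deny tcp any any eq 5060 log
 deny udp any any eq 5060 log
 remark --- Non-voice traffic keeps the existing policy; tighten separately if needed ---
 permit ip any any
!
interface GigabitEthernet0/0
 description Outside / internet-facing
 ip access-group VOIP-SIGNALLING-IN in
```

After applying it, `show ip access-lists VOIP-SIGNALLING-IN` shows hit counters on the deny lines, so continued scanning is visible there and in the log even though no call is ever set up.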