Re: Fraud Calls on Voice Gateway

abraham1982 · ‎01-19-2011

Hi Everyone,

we have a Severity 1 situation here, where there are huge number unidentifies calls going through our Voice Gateway.

Example debug log..

44078563: Jan 19 10:59:18.605: //-1/FF4025DC8F44/CCAPI/cc_api_display_ie_subfields:

cc_api_call_setup_ind_common:

cisco-username=asterisk

----- ccCallInfo IE subfields -----

cisco-ani=asterisk

cisco-anitype=0

cisco-aniplan=0

cisco-anipi=0

cisco-anisi=0

dest=70115378622222 -------------------------> Cuba

cisco-desttype=0

cisco-destplan=0

cisco-rdie=FFFFFFFF

cisco-rdn=

cisco-rdntype=0

cisco-rdnplan=0

cisco-rdnpi=-1

cisco-rdnsi=-1

cisco-redirectreason=-1 fwd_final_type =0

final_redirectNumber =

hunt_group_timeout =0

Cant find the Source number since it is masked. We have written specific reject rules on the Gateway now to block calls to these countries now and the calls even though they are attempted they are getting rejected.

Can anyone please help me find the source of this call or a way to track this down. These calls doesnt seem to come from our Call Manager because the CDR or the SDI trace doesnt show anything.

Reject Rules

--------------------

voice translation-rule 16
rule 1 reject /^7011216.*/
rule 2 reject /^7011232.*/
rule 3 reject /^7011212.*/
rule 4 reject /^701193.*/
rule 5 reject /^701153.*/
rule 6 reject /^7011228.*/
rule 7 reject /^7011251.*/

voice translation-profile CALLBLOCK
translate called 16

dial-peer voice 130 voip
call-block translation-profile incoming CALLBLOCK
call-block disconnect-cause incoming call-reject
voice-class codec 1
incoming called-number .
ip qos dscp cs3 signaling
no vad
!

Craig Dyer · ‎01-20-2011

Abraham,

Is the voice gateway H323 or SIP controlled and also your internet gateway?

People send attacks on H323 and SIP ports trying to see if anybody's gateway responds to the attack. If this is an attack from the internet I would not expect it to be in the CUCM logs.

Have a look at http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_tech_note09186a00809dc487.shtml#h323 it give a nice overview.

Craig

Dennis Mink · ‎01-20-2011

If it is an attack from an external source, I would at least put in a access-list

that would allow only call signalling from CUCM (if that is what you are using).

Also span the port of your VGW and run like wireshark (setting up a packet capture filter for SIP or H323 only), surely this way you should be able to figure out a source IP address that originate these calls to Cuba. Or even better translate all Cuban patterns to you own phone number (internal) and run wireshark on you own machine.

R.,

Please remember to rate useful posts, by clicking on the stars below.

rassoul.ghaznavi · ‎01-20-2011

Hey,

It has happened to me before!!

Make sure you disable incoming requests to Voice ports like SCCP and SIP for any ip address from outside except your service provider ip address,

You can simply use nbar and enable firewall or create an acl to disable incoming requests to port 5060/TCP for instance.

(Just if you are using DID numbers you need to make sure you allow incoming traffic to those ports from your service provider).

Network Group

abraham1982 · ‎01-21-2011

Hi All,

Thanks for the response and sorry for the delay in replying. Was having a tough time with this. The problem was sorted out.

Configured Access lists on the Gateway to permit only those IP Addresses of the Service providers and block the remaining. Now no more attempts are seen in the Debug logs.

cheers

Abraham