cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2135
Views
10
Helpful
2
Replies

Toll Evasion on UC520

ftc232356tyui
Level 1
Level 1

We have recently had one of our UC520's accessed from overseas and thay have managed to create over $4000 of fraudulent calls on our VOIP account.

The UC does PPPOE connection to the internet . The WAN port of the UC has a public IP address and in the access list we have is below.

access-list 104 permit TCP host 203.55.229.194 host 203.206.XXX.XXX eq 5060

access-list 104 permit UDP host 203.55.229.194 host 203.206.XXX.XXX eq 5060

access-list 104 deny  TCP  any  any eq 5060

access-list 104 deny UDP any  any eq 5060

(XXX justs hides our IP address)

We have also configured cor lists on the UC to stop this happening again.

Our ISP says that we do not need to have port 5060 open for SIP to work, can anyone advise on this ?

If there are any other advice / ideas in how to guarantee that the system is now locked down would be much appreciated.

And as a last note i am still confused as to how they have accessed the system in the first place if the above access-lists were in place.

2 Replies 2

Adrian Saavedra
Level 7
Level 7

Hello,

If you have not seen this document, you can take a look to this CallManager Express Security Best Practices:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/srnd/design/guide/security.html

Hope it helps, please rate if it does.

Kind regards!

- Adrian.

Steven Holl
Cisco Employee
Cisco Employee

EDIT: I just noticed that you are explicitly allowing SIP traffic in your WAN from a single range, and denying everything else.  We'd really need SIP and H323 debugs running during an occurrence to say for sure where it came from, and what occurred.  If you're blocking all other traffic except 5060 from 203.55.229.194, then the fraud either came in another interface than the one 104 is applied inbound on, or the fraud came from that 'trusted' IP.

The easiest thing for you is to take advantage of our toll fraud enhancement in 15.1(2)T, so that you only allow VoIP calls from those known source IPs which you trust for calls:

https://supportforums.cisco.com/docs/DOC-12228

Or like you mentioned, just deny all SIP traffic from the Internet, if you don't have a SIP ITSP.

I'm going to leave my original post below for others' future reference, but it isn't as relevant for you as I thought.

I'm copying a write-up I did for a previous person.  I briefly editied it, but it should explain this in detail for you.  It really boils down to making sure you don't allow unwanted traffic in from an untrusted source.  This is a basic network design mentality, and carries over to voice:

By default, before CSCsb25337, any router listens for SIP and H.323 connections as long as the router is
voice capable.  This is by design.  With the fix for CSCsb25337 (most recent code), we only listen on that VoIP protocol if you have a dial-peer configured for that protocol.  As soon as you have a SIP peer (like for CUE), the SIP listener will run on all interfaces.  Hence, if you don't restrict VoIP traffic inbound on your interfaces with public IP addresses, you can run into toll fraud.  You should follow security best practices and only allow traffic which you trust in from untrusted sources.

To prevent future call fraud, you should do one of the following things (placed in
descending order of recommendation):
-Place a firewall between your CME/voice router and the Internet, that will not trust
voice control traffic inbound from the Internet towards the voice router.  Because of the
dialer interface, this may not be a probably solution for you.

-Place an access-list inbound on the public interface that only permits specific traffic.
The implicit deny in the access-list will block other traffic, preventing attacks.  This
is recommended, as you have full control of what traffic you want to allow into your
network from the Internet.  For instance, say I only want to trust traffic from google
(64.233.167.99) inbound:

int Dialer1
ip access-group 101 in

!This access-list would allow any traffic from Google, and block everything else with an
implicit deny statement.
access-list 101 permit ip host 64.233.167.99 any

-Place an access-list inbound on the public interface to at least block SIP and H.323
traffic.  This would leave the router still vulnerable to other Internet attacks, as all
other ports that are listening on the router are left open:

int
ip access-group 101 in

!This access-list would only block voice traffic (H.323, SCCP, MGCP, SIP).
access-list 101 deny tcp any any eq
access-list 101 deny udp any any eq 2427
access-list 101 deny tcp any any eq 2428
access-list 101 deny tcp any any range 1718 1720
access-list 101 deny tcp any any eq 1731
access-list 101 deny tcp any any eq 2000
access-list 101 deny tcp any any eq 5060
access-list 101 deny udp any any eq 5060
access-list 101 permit ip any any

You can also check out this link; we changed some behavior in recent code which will make it easier for you if you are willing to upgrade.  On new code, we reject VoIP calls from any source not explicitly defined in the config:
https://supportforums.cisco.com/docs/DOC-12228

Message was edited by: Steven Holl