Toll Fraud

Mike Buyarski
Level 3

I have been getting this constantly; my log is filled with these:

1190852: Jul 26 09:39:54.058: %VOICE_IEC-3-GW: Application Framework Core: Internal Error (Toll fraud call rejected): IEC=1.1.228.3.31.0 on callID 110641 GUID=A690F976527511E681C3C621059668F7

How do I stop them from appearing? The only thing I found when searching this was to make sure I have a trusted list, which I do, that only allows connection from the internal network.

voice service voip
 ip address trusted list
  ipv4 "internal subnet"
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
 h323
  call service stop maintain-registration
 sip
  registrar server expires max 600 min 60
!

Is there anything else I can do to stop those messages? FYI, this is an MGCP-connected router (2901); all calls come into it via POTS lines.
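
To gauge how often the gateway is rejecting calls, the `%VOICE_IEC-3-GW` line quoted above can be parsed and counted per minute. This is an added example, not part of the original thread; the function names, the burst threshold and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches the gateway syslog line quoted in the post (IOS timestamps carry no year).
LINE_RE = re.compile(
    r"(?P<seq>\d+): [*.]?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %VOICE_IEC-3-GW: "
    r".*?\((?P<reason>[^)]*)\): IEC=(?P<iec>[\d.]+) on callID (?P<callid>\d+)"
    r"(?: GUID=(?P<guid>[0-9A-F]{32}))?"
)
# Cisco's dotted IEC notation: six decimal fields in this order.
IEC_FIELDS = ("version", "entity", "category", "subsystem", "error", "diagnostic")


def parse_iec_line(line):
    """Return a dict for one %VOICE_IEC-3-GW line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["iec"].split(".")
    if len(parts) != len(IEC_FIELDS):
        return None  # malformed or truncated IEC string
    rec["iec_fields"] = dict(zip(IEC_FIELDS, map(int, parts)))
    return rec


def toll_fraud_summary(lines, burst_threshold=3):
    """Count toll-fraud rejections per minute; list minutes at or over the threshold."""
    per_minute = Counter()
    for line in lines:
        rec = parse_iec_line(line)
        if rec and rec["reason"] == "Toll fraud call rejected":
            per_minute[rec["ts"].rsplit(":", 1)[0]] += 1  # "Jul 26 09:39"
    bursts = sorted(m for m, n in per_minute.items() if n >= burst_threshold)
    return {"total": sum(per_minute.values()), "per_minute": dict(per_minute), "bursts": bursts}


# First line is the one quoted in the post; the rest are constructed for the demo.
_TAIL = (": %VOICE_IEC-3-GW: Application Framework Core: Internal Error "
         "(Toll fraud call rejected): IEC=1.1.228.3.31.0 on callID ")
SAMPLE_LOG = [
    "1190852: Jul 26 09:39:54.058" + _TAIL + "110641 GUID=A690F976527511E681C3C621059668F7",
    "1190853: Jul 26 09:39:55.102" + _TAIL + "110642 GUID=" + "0" * 31 + "1",
    "1190854: Jul 26 09:39:57.310" + _TAIL + "110643 GUID=" + "0" * 31 + "2",
    "1190855: Jul 26 09:41:02.004" + _TAIL + "110644 GUID=" + "0" * 31 + "3",
    "1190856: Jul 26 09:41:05.500: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    print(toll_fraud_summary(SAMPLE_LOG))
```

The log line carries no source address, so the summary shows only how often and when calls are rejected, not where they come from.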

8 Replies

ADAM CRISP
Level 4

Hi Mike,

You said your router receives calls on POTS lines only. Could the router be receiving VoIP calls that you're not aware of?

Adam

Not aware of anything that would be trying internally. Is there a debug I could run to possibly see where it's coming from? "debug ccapi voice inout"?

Yes, maybe I guess.

I'm a SIP guy, so have always liked debug ccsip messages - but obviously this won't show any h323 calls.

Well, I did the debug ccsip messages and this is what I got. I removed our external IP, but the other IPs, I don't know who they are.

Another one I got:

Hi Mike

You started the thread asking how to make the syslog messages go away. I suspect very much that the Toll fraud code is doing its job and you have a real issue with somebody trying to get your kit to do something.

The user agent of the originating calls is -> http://www.kaplansoft.com/sipcli/

There is evidence that the calls are originating from spoofed source addresses - the 403 messages you are sending back are not acknowledged.

Your fix is to secure your network...

Adam

And what would be good things I need to do to secure the network more?

Hi Mike,

I'm not sure it's possible to tell anybody how to secure their network without sitting down with them as a security consultant.

But you could start with the position that only Internet security devices should be connected to the Public Internet directly and those devices should be configured in a controlled manner.

So is your router an Internet security device (or is it configurable to be so)? If yes, then configure it to control access to itself and devices it protects. If not, then protect it with a configured security device.

Adam