cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1188
Views
5
Helpful
11
Replies

Toll Free Calls Fraud on Internet

omendieta77
Level 1
Level 1

Hi folks,

I don't know if you have been going through this problem.

Many clients that have acces to Internet through ADSL service are having their phone/voice lines busy because an external user through Internet takes their lines to make world wide phone calls, charging this cost to the ADSL user.

The fraud is related to the way the hacker takes the gateway that belongs to another user in another country and provides phone services.

PLease let me know if you have heard about this. Is there any vulnerability?

Thanks in advance.

Orlando

11 Replies 11

shikamarunara
Level 4
Level 4

You need to get in touch with the IXC or whoever is providing the SIP telephony service. They will have a CDR of all calls and the IP address that the call originated from. The reason that these fraudsters are able to make these calls is because there is basically no real authentication at the IXC SIP peer. It should require a username, password, and a hardcoded static IP address (in other words, not just any host should be able to connect to the SIP proxy and generate calls, only hosts from a specific static IP address.) If you can't do that, there will pretty much always be fraud use. Change to a telephony provider that has some security.

HTH - don't forget to rate posts!

-Shikamaru

Hi.

Thanks 4 your reply.

The thing is that behind the ADSL modem we have a pix and a router with CCME in the LAN that is the local PBX(With SCCP phones, there are no H323/SIP trunks). So the attack was made from internet and they reached the LAN to make phone calls (Toll Fraud) using the IP PBX in the LAN through the COs connected to that router. Do you know about any bug, or vulnerability?

Thanks once again!

Regards,

ORlando

I'm pasting some info collected about it.

And take a look to the following IP address:

203.121.71.211.

The following phone calls are made from somewhere in Internet taking advantage of some vulnerability.

Regards,

Orlando.

*************

WGIRtr01#sho voice call active voice compact

A/O FAX T Codec type Peer Address IP R:

Total call-legs: 8

513 ANS T6 g729r8 VOIP P10101010101 203.121.71.211:18188

514 ORG T6 g729r8 TELE P9001095367356257

515 ANS T6 g729r8 VOIP P10101010101 203.121.71.211:18196

516 ORG T6 g729r8 TELE P90010951534883

517 ANS T4 g729r8 VOIP P10101010101 203.121.71.211:18204

518 ORG T4 g729r8 TELE P9001021260860325

519 ANS T5 g729r8 VOIP P10101010101 203.121.71.211:18212

520 ORG T5 g729r8 TELE P9001095015569

If 203.121.71.211 is not your own address, then it has nothing to do with your inside network or with a bug or exploit. Like I said before, if you SIP peer on the Internet is not secure, anyone could connect to it and make calls. It wouldn't matter where the connection came from. That's why I said that if your IXC can't lock it down properly, find another one.

Please rate this post if it helps

-Shikamaru

The thing is that we do not use any SIP connection through internet. It's just the CCME in the LAN that has been accesed from Internet...somehow. That CCME do not have any voice/data traffic from/to Internet, and even that, it happened.

The CCME only has dial-peers to connect to the local PSTN. We don't have dial-peers to any other system/PBX.

Regards,

Orlando

You didn't provide which version of Call Manager are you using?

the CCME version is 3.3.

IOS 12.3.14T3

thanks.

One vulnerability I know about is(even not using SIP):

http://www.cisco.com/en/US/products/products_security_advisory09186a00801ea156.shtml

but this shouldn't affect you. Having in mind the facts you detected, you may have do dig deeper for some configuration problems.

OK thanks,

let me take a look to the link

Regards,

Orlando

Hi Orlando . I have the same problem like you . You must stop udp:5060 and tcp:5060 whit ACL or :

Router(config)#sip-ua

Router(config-sip-ua)#no transport udp

Router(config-sip-ua)#no transport tcp

Router(config-sip-ua)#end

for more info : http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml

Hi,

thanks a lot 4 your reply.

I was out of the office, and now i'm back to this case.

I'll try, and let you know if it works 4 me.

Have a nice day.

Orlando