Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1209
Views
5
Helpful
1
Replies

UC560 Toll fraud

Thirruselvaa Ramanathan
Level 1
Level 1

‎10-26-2010 01:24 AM - edited ‎03-16-2019 01:32 AM

Hi Friends,

I am having a UC560 and is connected with analog trunk lines. I have noticed that we are unable to do a outgoing call and every lines were busy with an outgoing international call. I found out while I put sh voice call status and found all the ports are dailed to a international number +3222288121 and it goes through dail-peer 0 (default dial-peer)..

Then i noticed that someone is hacking our UC560 and is making toll fraud. Their IP is 41.196.151.179. I found out using "sh sip-ua connections udp detail" command. I had shut down all the FXO ports and again no shut the same.. then all the calls are working and is going outside.

However, I want to know how to block these kind of toll fraud attacks.

Thanks,

Thirru

Labels:
0 Helpful
1 Reply 1

Steven Holl
Cisco Employee
Cisco Employee

‎10-26-2010 09:18 AM

This is a common issue.  Essentially, you didn't restrict untrusted traffic from a public interface into this box, and since the UC500 will route off an inbound SIP or H323 invite, you're getting toll fraud.  Technically no one is 'hacking' you.  Metaphorically, you left your front door unlocked, so anyone can just walk in, pick up your phone, and make a call.  That's essentially what is happening.

Dial-peer 0 has nothing to do with it.

Do a search in the forums on toll fraud, and you'll find some results.

Specifically, here is something I wrote up a while ago on this, which should shed some light on what is occurring.

https://supportforums.cisco.com/message/3180799#3180799

To fix it, you want to restrict VoIP traffic from any untrusted source/interface.  That's TCP/1720 and UDP/5060, but really security best practices say to deny everything from untrusted sources, unless you specifically know you want to allow it from somewhere.  Hence, you should ahve a deny all,and only allow VoIP traffic from your ITSP (if you have one).

We've improved toll fraud prevention features with 15.1(2)T, but you can't take advantage of that on the UC500 yet until that release is built for the platform.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents