UC560 Toll fraud

Thirruselvaa Ramanathan · ‎10-26-2010

Hi Friends,

I am having a UC560 and is connected with analog trunk lines. I have noticed that we are unable to do a outgoing call and every lines were busy with an outgoing international call. I found out while I put sh voice call status and found all the ports are dailed to a international number +3222288121 and it goes through dail-peer 0 (default dial-peer)..

Then i noticed that someone is hacking our UC560 and is making toll fraud. Their IP is 41.196.151.179. I found out using "sh sip-ua connections udp detail" command. I had shut down all the FXO ports and again no shut the same.. then all the calls are working and is going outside.

However, I want to know how to block these kind of toll fraud attacks.

Thanks,

Thirru

Steven Holl · ‎10-26-2010

This is a common issue. Essentially, you didn't restrict untrusted traffic from a public interface into this box, and since the UC500 will route off an inbound SIP or H323 invite, you're getting toll fraud. Technically no one is 'hacking' you. Metaphorically, you left your front door unlocked, so anyone can just walk in, pick up your phone, and make a call. That's essentially what is happening.

Dial-peer 0 has nothing to do with it.

Do a search in the forums on toll fraud, and you'll find some results.

Specifically, here is something I wrote up a while ago on this, which should shed some light on what is occurring.

https://supportforums.cisco.com/message/3180799#3180799

To fix it, you want to restrict VoIP traffic from any untrusted source/interface. That's TCP/1720 and UDP/5060, but really security best practices say to deny everything from untrusted sources, unless you specifically know you want to allow it from somewhere. Hence, you should ahve a deny all,and only allow VoIP traffic from your ITSP (if you have one).

We've improved toll fraud prevention features with 15.1(2)T, but you can't take advantage of that on the UC500 yet until that release is built for the platform.