I have a UC560 that is connected with analog trunk lines. I noticed that we were unable to make an outgoing call and every line was busy with an outgoing international call. I ran "sh voice call status" and found that all the ports had dialed an international number, +3222288121, and that it goes through dial-peer 0 (the default dial-peer).
Then I noticed that someone is hacking our UC560 and committing toll fraud. Their IP is 184.108.40.206. I found this out using the "sh sip-ua connections udp detail" command. I shut down all the FXO ports and then did a no shut on them. After that, all the calls are working and going outside.
However, I want to know how to block these kinds of toll fraud attacks.
This is a common issue. Essentially, you didn't restrict untrusted traffic from a public interface into this box, and since the UC500 will route off an inbound SIP or H323 invite, you're getting toll fraud. Technically no one is 'hacking' you. Metaphorically, you left your front door unlocked, so anyone can just walk in, pick up your phone, and make a call. That's essentially what is happening.
Dial-peer 0 has nothing to do with it.
Do a search in the forums on toll fraud, and you'll find some results.
Specifically, here is something I wrote up a while ago on this, which should shed some light on what is occurring.
To fix it, you want to restrict VoIP traffic from any untrusted source/interface. That's TCP/1720 and UDP/5060, but really security best practices say to deny everything from untrusted sources, unless you specifically know you want to allow it from somewhere. Hence, you should have a deny all, and only allow VoIP traffic from your ITSP (if you have one).
We've improved toll fraud prevention features with 15.1(2)T, but you can't take advantage of that on the UC500 yet until that release is built for the platform.
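An IOS access list that applies the restriction described in the reply above. This is an added example, not part of the original thread or of Cisco's own configuration. The ITSP address, interface name and ACL name are assumed placeholders.

```cisco
! Added example. Assumed placeholders (replace with your own values):
!   203.0.113.10        = your ITSP's SIP signaling address
!   GigabitEthernet0/0  = the untrusted (WAN-facing) interface
!   WAN-VOIP-FILTER     = hypothetical ACL name
!
ip access-list extended WAN-VOIP-FILTER
 remark Allow SIP signaling only from the ITSP
 permit udp host 203.0.113.10 any eq 5060
 remark Drop and log call setup (SIP, H.323) from every other source
 deny   udp any any eq 5060 log
 remark SIP can also run over TCP/5060 (not mentioned in the reply)
 deny   tcp any any eq 5060 log
 deny   tcp any any eq 1720 log
 remark Everything else is left to the existing WAN policy here.
 remark Tighten this last entry toward deny-all as the reply advises.
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group WAN-VOIP-FILTER in
```

An interface takes only one inbound ACL, so if the WAN interface already has one, merge these entries into it instead of replacing it. After applying, `show ip access-lists WAN-VOIP-FILTER` shows per-entry match counters, which confirms whether outside sources are still sending call setup attempts.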