07-10-2019 07:36 AM
When fraud attempts come into the Expressway, sometimes there is a Search without a corresponding Call Attempt. From what I can tell, by default Call Attempts record the "Src-ip", but Search attempts do not.
Is there a way to log the source IP addresses for search attempts as well? Is there additional logging that can be enabled?
See below for examples of searches without source IP addresses, for both SIP and H323 calls.
2019-07-09T01:48:00.045-07:00 tvcs: Event="Search Completed" Reason="Forbidden" Service="SIP" Src-alias-type="SIP" Src-alias="iwf@10.252.1.105" Dst-alias-type="SIP" Dst-alias="sip:+12024561111@my.domain" Call-serial-number="969417f3-0bfd-41d9-b1df-109b72d3c1f0" Tag="206af88b-5b0f-4a09-9320-180ce1711f59" Detail="found:false, searchtype:OPTIONS, Info:Policy Response" Level="1" UTCTime="2019-07-09 08:48:00,045"
2019-07-09T01:48:00.043-07:00 tvcs: Event="Search Attempted" Service="SIP" Src-alias-type="SIP" Src-alias="iwf@10.252.1.105" Dst-alias-type="SIP" Dst-alias="sip:+12024561111@my.domain" Call-serial-number="969417f3-0bfd-41d9-b1df-109b72d3c1f0" Tag="206af88b-5b0f-4a09-9320-180ce1711f59" Detail="searchtype:OPTIONS" Level="1" UTCTime="2019-07-09 08:48:00,043"
2019-07-09T01:47:59.316-07:00 tvcs: Event="Search Completed" Reason="Forbidden" Service="H323" Src-alias-type="H323" Src-alias="iwf@10.252.1.105" Dst-alias-type="H323" Dst-alias="+12024561111@my.domain" Call-serial-number="21a2e62b-7ae8-4452-bf13-5501a707c810" Tag="206af88b-5b0f-4a09-9320-180ce1711f59" Detail="found:false, searchtype:LRQ" Level="1" UTCTime="2019-07-09 08:47:59,316"
2019-07-09T01:47:59.315-07:00 tvcs: Event="Search Attempted" Service="H323" Src-alias-type="H323" Src-alias="iwf@10.252.1.105" Dst-alias-type="H323" Dst-alias="+12024561111@my.domain" Call-serial-number="21a2e62b-7ae8-4452-bf13-5501a707c810" Tag="206af88b-5b0f-4a09-9320-180ce1711f59" Detail="searchtype:LRQ" Level="1" UTCTime="2019-07-09 08:47:59,315"
Obviously the IP in the source alias field isn't useful, since it's a non-routable IP address and must therefore be fraudulent.
07-15-2019 02:53 AM
Hello,
The event logs you pasted are for interworking from SIP or H323; that's why it is not showing the call attempts.
To see this you need to catch the initial call for that number.
You can apply call policies to block those calls on the Expressway-E itself.
Please see the below link-
Also, to see the IPs you can go to Search history and check the initial call before that iwf one; you can find the source IP under path/hop.
Also, you can block these calls by applying the below call policies, modifying them according to your deployment-
(\d{10,30})@.* (this will block any 10-30 digits plus a domain)
(\d{10,30}) (this will block any 10-30 digits without a domain)
\+.(\d{10,30})@.* (blocks numbers starting with +)
Thanks.
Please rate if it is helpful and mark as accepted solution if applicable....
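As an added example (not code from the thread or from Cisco), here is a small Python script that parses event-log lines in the format quoted above, reports which events carry Src-ip, flags source aliases whose host is a private IP, and applies the three call-policy regexes from the answer to each destination alias. It assumes the whole alias (minus the sip:/h323: scheme) must match a policy regex, which the thread does not state, and the "Call Attempted" sample line is constructed.

```python
import re
import ipaddress

# Constructed sample: the two "Search Attempted" lines from the question plus one made-up
# "Call Attempted" line (Src-ip is the field name the question mentions; its value is invented).
SAMPLE_LOG = '''
2019-07-09T01:47:59.000-07:00 tvcs: Event="Call Attempted" Service="SIP" Src-ip="192.0.2.10" Src-alias-type="SIP" Src-alias="sip:1000@caller.example.net" Dst-alias-type="SIP" Dst-alias="sip:12024561111@my.domain" Level="1"
2019-07-09T01:47:59.315-07:00 tvcs: Event="Search Attempted" Service="H323" Src-alias-type="H323" Src-alias="iwf@10.252.1.105" Dst-alias-type="H323" Dst-alias="+12024561111@my.domain" Call-serial-number="21a2e62b-7ae8-4452-bf13-5501a707c810" Tag="206af88b-5b0f-4a09-9320-180ce1711f59" Detail="searchtype:LRQ" Level="1" UTCTime="2019-07-09 08:47:59,315"
2019-07-09T01:48:00.043-07:00 tvcs: Event="Search Attempted" Service="SIP" Src-alias-type="SIP" Src-alias="iwf@10.252.1.105" Dst-alias-type="SIP" Dst-alias="sip:+12024561111@my.domain" Call-serial-number="969417f3-0bfd-41d9-b1df-109b72d3c1f0" Tag="206af88b-5b0f-4a09-9320-180ce1711f59" Detail="searchtype:OPTIONS" Level="1" UTCTime="2019-07-09 08:48:00,043"
'''

KV_RE = re.compile(r'(\S+?)="([^"]*)"')       # Key="value" pairs as logged by tvcs
SCHEME_RE = re.compile(r'^(sip|h323):', re.I)  # so SIP and H.323 aliases compare alike
# The three call-policy regexes from the answer, in the order given there.
CALL_POLICY_PATTERNS = [r'(\d{10,30})@.*', r'(\d{10,30})', r'\+.(\d{10,30})@.*']

def parse_event(line):
    """Turn one event-log line into a dict of its Key="value" fields."""
    return dict(KV_RE.findall(line))

def alias_host_is_private(alias):
    """True when the part after '@' is an IP literal in a private/non-public range."""
    host = SCHEME_RE.sub('', alias).rpartition('@')[2]
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a hostname rather than an IP literal

def matching_policy(dst_alias):
    """Index of the first call-policy regex the destination matches, else None.
    Assumption (the thread does not say): the whole alias, minus scheme, must match."""
    target = SCHEME_RE.sub('', dst_alias)
    for i, pattern in enumerate(CALL_POLICY_PATTERNS):
        if re.fullmatch(pattern, target):
            return i
    return None

def analyze(log_text):
    """One finding per line: was Src-ip logged, does the source alias hide behind a
    private IP, and which policy rule (if any) would have caught the destination."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        findings.append({
            "event": ev.get("Event"),
            "service": ev.get("Service"),
            "src_ip": ev.get("Src-ip"),  # None on Search events, as the question observes
            "private_src_host": alias_host_is_private(ev.get("Src-alias", "")),
            "blocked_by": matching_policy(ev.get("Dst-alias", "")),
        })
    return findings
```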