Expressway source

nuno.lamelas
Level 1

Hi all,

I have my Expressway with a public IP and I can see several call attempts in the logs, for example:

Source                       Destination
sip:205@expressway IP        sip:xxxxx148355@expressway IP
sip:206@expressway IP        sip:xxxxx148355@expressway IP
sip:208@expressway IP        sip:xxxxx148355@expressway IP
sip:209@expressway IP        sip:xxxxx148355@expressway IP
sip:11@expressway IP         sip:xxxxx148355@expressway IP
sip:1000@expressway IP       sip:xxxxx148355@expressway IP

My question is: what are 205, 206, 208@expressway IP? I don't have such equipment with these dial numbers, but it seems that they were registered on Expressway?

Can someone help me clarify what these numbers are?

Thanks in advance.

9 Replies

Chris Swinney
Level 5

Hey Nuno,

These are spamming attempts. Unfortunately, if you have SIP DNS records, someone will eventually try using your SIP gateway to relay calls. You can attempt to cut down on some of them with the use of a 'reject' Call Policy.

We use:

Source :     .* 

Dest :          \d*@IPaddress

and

Source:     (.*)asterisk(.*)

Dest:          .* 

This should cut down on the calls trying, but will not stop the attempts from happening.

Long and short, this is something you may well have to live with.

Chris
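
The two reject rules above, evaluated against call attempts like the ones in the question (an added example, not part of the original posts and not Cisco's implementation). It shows which source/destination pairs the rules catch and which they let through. Assumptions: each pattern must match the whole alias, the `sip:` prefix is dropped before matching, matching is case-sensitive, and `203.0.113.10` is a placeholder for the Expressway's public IP.

```python
import re

# Assumption: documentation-range address standing in for the Expressway public IP.
EXPRESSWAY_IP = "203.0.113.10"

# The two reject rules from the post as (source pattern, destination pattern).
# "IPaddress" is replaced by the placeholder IP with its dots escaped, so that
# "." cannot match an arbitrary character.
REJECT_RULES = [
    (r".*", r"\d*@" + re.escape(EXPRESSWAY_IP)),
    (r"(.*)asterisk(.*)", r".*"),
]


def strip_scheme(alias):
    """Drop a leading sip:/sips: so patterns see user@host (assumption)."""
    return re.sub(r"^sips?:", "", alias, flags=re.IGNORECASE)


def decide(source, destination):
    """Return 'reject' if a rule matches both aliases in full, else 'allow'."""
    src, dst = strip_scheme(source), strip_scheme(destination)
    for src_pat, dst_pat in REJECT_RULES:
        if re.fullmatch(src_pat, src) and re.fullmatch(dst_pat, dst):
            return "reject"
    return "allow"


# Constructed sample calls (source, destination); not taken from real logs.
SAMPLE_CALLS = [
    ("sip:205@203.0.113.10", "sip:0011234567890@203.0.113.10"),   # digits@IP
    ("sip:1000@203.0.113.10", "sip:0011234567890@203.0.113.10"),  # digits@IP
    ("sip:asterisk@192.0.2.55", "sip:room1@example.com"),         # source rule
    ("sip:alice@example.org", "sip:room1@example.com"),           # normal call
    ("sip:205@203.0.113.10", "sip:room1@203.0.113.10"),           # non-numeric user
]


def summarize(calls):
    """Verdict for each (source, destination) pair, in order."""
    return [decide(src, dst) for src, dst in calls]


if __name__ == "__main__":
    for (src, dst), verdict in zip(SAMPLE_CALLS, summarize(SAMPLE_CALLS)):
        print(f"{verdict:6}  {src:28} -> {dst}")
```

The last sample shows the limit of the first rule: it only rejects destinations whose user part is all digits (or empty) at the Expressway's IP, so a spoofed numeric source dialling a non-numeric alias at the IP is not caught.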

Hi,

Thanks for your reply.

My question is why the source has that format (206@expressway IP). It should be another source!

Why 206@xxxx, 207@xxx, 11@xxx? What is 206, 207, 11? Were they registered with these numbers in Expressway? How?

Thanks.

Are you sure they were registered - do they appear on the registration or registration history web page? They could be unregistered endpoints attempting to make calls through your VCS Expressway.

Thanks,

Guy

They are just trying to dial random but common extension numbers.

OK.

The Call Policy mode should be Local CPL, and the Call Policy rules the ones that you provided, right?

Thanks

gubadman
Level 3

I'd suggest turning off SIP UDP if it's on and you don't require it - most SIP video conferencing kit uses TCP or TLS and a lot of spam/toll fraud attempts come in on SIP UDP. It's off by default in newer VCS releases now too.

Thanks,
Guy


rasimyigit
Level 1

Hi,

That is an attempt to run up costs on your ISDN gw or to block your traversal lics.
It is a brute-force attack.


rasimyigit
Level 1

Hi Swinster,

The rule that you suggest, did you configure it on the VCSc or the VCSe? It depends on the registration behaviour --> on the VCSe or VCSc. Where are your external registrations? Proxied to the VCSc, or do they stay on the VCSe?


We configure on the VCSe - at the moment we don't use external registrations.