03-20-2013 12:10 PM - edited 03-18-2019 12:48 AM
Hi all,
I have my Expressway with a public IP and I can see several call attempts in the logs, for example:
Source Destination
sip:205@expressway IP sip:xxxxx148355@expressway IP
sip:206@expressway IP sip:xxxxx148355@expressway IP
sip:208@expressway IP sip:xxxxx148355@expressway IP
sip:209@expressway IP sip:xxxxx148355@expressway IP
sip:11@expressway IP sip:xxxxx148355@expressway IP
sip:1000@expressway IP sip:xxxxx148355@expressway IP
My question is: what are 205, 206, 208@expressway IP? I don't have any equipment with these dial numbers, but it seems that they were registered on the Expressway?
Can someone help me to clarify what these numbers are?
Thanks in advance.
03-20-2013 01:06 PM
Hey Nuno,
These are spamming attempts. Unfortunately, if you have SIP DNS records someone will eventually try using your SIP gateway to relay calls. You can attempt to cut down on some of this with the use of 'reject' Call Policy.
We use:
Source : .*
Dest : \d*@IPaddress
and
Source: (.*)asterisk(.*)
Dest: .*
This should cut down on the calls trying, but will not stop the attempts from happening.
Long and short, this is something you may well have to live with.
Chris
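An added example (not part of Chris's post and not Cisco code) showing how the two reject rules above classify call attempts like the ones in the original log. It assumes each pattern must match the whole alias with the `sip:` scheme removed, that the first matching rule wins with a default of allow, and it uses the constructed placeholder `192.0.2.10` for "IPaddress"; the helper names are hypothetical.

```python
import re

# Placeholder for the Expressway's public address ("IPaddress" in the post).
EXPRESSWAY_IP = "192.0.2.10"  # constructed, RFC 5737 documentation range

# (source pattern, destination pattern, action) taken from the post above.
RULES = [
    (r".*", r"\d*@" + re.escape(EXPRESSWAY_IP), "reject"),
    (r"(.*)asterisk(.*)", r".*", "reject"),
]

def strip_scheme(alias):
    """Drop a leading sip:/sips: scheme (assumed normalisation)."""
    return re.sub(r"^sips?:", "", alias, flags=re.IGNORECASE)

def evaluate(source, destination, rules=RULES, default="allow"):
    """Return the action of the first rule whose two patterns both match
    the whole alias (assumed semantics), or the default."""
    src, dst = strip_scheme(source), strip_scheme(destination)
    for src_pat, dst_pat, action in rules:
        if re.fullmatch(src_pat, src) and re.fullmatch(dst_pat, dst):
            return action
    return default

# Constructed call attempts modelled on the log lines in the thread.
SAMPLE_CALLS = [
    ("sip:205@192.0.2.10", "sip:00148355@192.0.2.10"),
    ("sip:1000@192.0.2.10", "sip:00148355@192.0.2.10"),
    ("sip:asterisk@198.51.100.7", "sip:alice@example.com"),
    ("sip:bob@example.org", "sip:alice@example.com"),
    ("sip:bob@example.org", "sip:meeting.room@192.0.2.10"),
]

def summarise(calls=SAMPLE_CALLS):
    """Evaluate every sample call and return (source, destination, action)."""
    return [(s, d, evaluate(s, d)) for s, d in calls]

if __name__ == "__main__":
    for s, d, action in summarise():
        print(f"{action:6}  {s} -> {d}")
```

The last sample shows the scope of the first rule: only all-digit destinations at the Expressway's IP are rejected, so other aliases addressed to the IP still go on to normal search rules.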
03-20-2013 03:58 PM
Hi,
Thanks for your reply.
My question is why the source has that format (206@expressway IP). It should be another source!
Why 206@xxxx, 207@xxx, 11@xxx? What are 206, 207, 11? Were they registered with these numbers on the Expressway? How?
Thanks.
03-21-2013 12:57 AM
Are you sure they were registered - do they appear on the registration or registration history web page? They could be unregistered endpoints attempting to make calls through your VCS Expressway.
Thanks,
Guy
03-20-2013 05:49 PM
They are just trying to dial random but common extension numbers.
03-21-2013 11:26 AM
OK.
The Call Policy mode should be Local CPL and the Call Policy rules the ones that you provided, right?
Thanks
03-20-2013 01:20 PM
I'd suggest turning off SIP UDP if it's on and you don't require it - most SIP video conferencing kit uses TCP or TLS and a lot of spam/toll fraud attempts come in on SIP UDP. It's off by default in newer VCS releases now too.
Thanks,
Guy
Sent from Cisco Technical Support iPad App
03-21-2013 02:15 AM
Hi,
That is an attempt to run up costs on your ISDN gw or block your traversal lics.
It is a brute force attack.
Sent from Cisco Technical Support iPad App
03-21-2013 08:21 PM
Hi Swinster,
The rule that you suggest, did you configure it on the VCSc or the VCSe? It depends on the registration behaviour --> on the VCSe or VCSc. Where are your external registrations? Are they proxied to the VCSc or do they stay on the VCSe?
Sent from Cisco Technical Support iPhone App
03-22-2013 08:37 AM
We configure on the VCSe - at the moment we don't use external registrations.