Solved: That's great and your issue

jbankstonfla · ‎10-30-2015

I have a new install of an MX800 registered to TPaaS in the cloud, and the unit is constantly receiving calls from 100@ and its IP address. This started over the weekend and is occurring every 30 seconds like clockwork. Is there any way in the MX800 that I can put in filter restrictions to block calls from probes beginning at 100@ or is this a TPaaS thing?

Thanks, Jeff

Acevirgil de Ocampo · ‎10-30-2015

Looks like a someone on the internet is scanning SIP known devices using automated scanning tools and looking for PBX system to route calls into it to reduce international call charges or trying to hack and break PBX devices. Those calls are sent directly to your MX800 IP address.

Is your MX800 behind the firewall or directly connected to Public and exposed to internet?

Try turning off the SIP listening port for incoming connections on the SIP TCP/UDP ports on your MX800 under System Configuration > SIP settings. If turned off, the endpoint will only be reachable through the SIP registrar CUCM or VCS via TPaas in the cloud.

regards,

Acevirgil

View solution in original post

Patrick Sparkman · ‎10-30-2015

I presume the system is using a public rechable IP address? If it is using a public IP, you should put it behind your firewall using NAT, or only allow traffic from the TPaaS cloud. If it's registered to the cloud using SIP, you can turn off SIP ListenPort and enable SIP Outbound as well to help prevent these calls, see bug CSCue55239. There are some form of these calls that will show up as coming from "cisco", the only way to prevent these is to put the endpoint behind your firewall and utilize NAT or an ACL.

Jens Didriksen · ‎10-30-2015

"There are some form of these calls that will show up as coming from "cisco"

Not seeing many of those anymore, what I am seeing a helluva lot of these days are the same type of calls, but without source and destination alias.

Easily blocked with CPL though, using origin as "" and destination ".*" - just make sure it's for unauthenticated origins only as using it for authenticated will block presence and authentication for external JabberVideo clients.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Acevirgil de Ocampo · ‎10-30-2015

Looks like a someone on the internet is scanning SIP known devices using automated scanning tools and looking for PBX system to route calls into it to reduce international call charges or trying to hack and break PBX devices. Those calls are sent directly to your MX800 IP address.

Is your MX800 behind the firewall or directly connected to Public and exposed to internet?

Try turning off the SIP listening port for incoming connections on the SIP TCP/UDP ports on your MX800 under System Configuration > SIP settings. If turned off, the endpoint will only be reachable through the SIP registrar CUCM or VCS via TPaas in the cloud.

regards,

Acevirgil

jbankstonfla · ‎10-30-2015

Thank you for the tip, I am having the client try that right now.

-Jeff

jbankstonfla · ‎11-02-2015

client tested it late yesterday afternoon and it worked great! I didn't see anything in the logs that indicated where this was coming from, so my impression is that this was from a spoofed IP making these probing calls.

The TPaaS provider has been useless troubleshooting this, no idea how else we were supposed to find this issue, a big thank you.

Acevirgil de Ocampo · ‎11-02-2015

That's great and your issue have been resolved and you're very much welcome.

Also to add, it's best to hide your endpoint from this internet activities and as Patrick suggestion deploy your endpoint behind the firewall and have NAT on it and apply appropriate ACL.

regards,

Acevirgil

MX800 registered to TPaaS receiving calls from 100@ numbers