
Nuisance H323 calls on SX20

Jerome_N8
Level 1

Hi,

I'm having an issue with an SX20 device that keeps receiving nuisance H323 calls; no IP address is displayed and it just says "cisco". We have received over 100 of these calls. As a workaround I have blocked all H323 on the firewall and only allowed a few IPs of known addresses that we use.

I tried to look in the logs of the SX20 to see if I could find the IP that was making the spam calls so I could block it, but I couldn't find anything useful in there. Is there a better way around this, as now I need to manually add an IP on the firewall every time they want to dial someone new?

Thanks


Accepted Solutions

Martin Koch
VIP Alumni

Hello!

Yes, I noticed that in VCS logs as well.

Before, the common scans were on sip/5060/udp.

You might have the same issue when SIP is exposed to the public, especially the UDP port, but there are also scans on TCP and at one point there will be TLS as well.

It's like spam, the spammers adapt.

For now I would say, as you did, put it behind a firewall and only allow sources you really want to have communication with (which might not be ideal or even possible) or use a call control, like VCS or CUCM+Expressway, up front.

If you have your firewall up front you could log the IP addresses which try to make H323 and SIP connections, and you could try to block them. But it's also just playing hide and seek; there are no common IPs used for scanning and anyhow you do not know where they scan from, as often compromised systems are used for these scans.

Some firewalls have geo-IP features, so you could block continents / countries / areas which you are not communicating with.

Anyhow, consider using a call control and do admission control there.

Please rate this posting using the stars below.

Please remember to rate helpful responses and identify
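
The firewall logging suggested in the reply above, as an added example that is not part of the original post: it tallies H.323 and SIP signalling attempts per source address outside the allowlist. It assumes Linux netfilter-style log lines (SRC=, PROTO=, DPT= fields); the sample log, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# 1720/tcp is H.323 call setup (H.225/Q.931); 5060 is SIP, 5061 is SIP over TLS.
SIGNALLING = {("TCP", 1720): "h323", ("UDP", 5060): "sip",
              ("TCP", 5060): "sip", ("TCP", 5061): "sip-tls"}

# Assumption: the firewall writes netfilter LOG-style key=value fields.
FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def unknown_callers(lines, allowed):
    """Count signalling attempts per (source IP, service) not in the allowlist."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    hits = Counter()
    for line in lines:
        f = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(f["SRC"])
            service = SIGNALLING.get((f["PROTO"].upper(), int(f["DPT"])))
        except (KeyError, ValueError):
            continue  # not a packet log line, or a malformed one
        if service and not any(src in n for n in nets):
            hits[(str(src), service)] += 1
    return hits

def block_candidates(hits, threshold=3):
    """Sources seen at least `threshold` times across all services, busiest first."""
    per_src = Counter()
    for (src, _service), n in hits.items():
        per_src[src] += n
    return [s for s, n in per_src.most_common() if n >= threshold]

# Constructed sample log (documentation address ranges, simplified fields).
SAMPLE_LOG = """\
Nov 12 09:00:01 fw kernel: VC-IN SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=1720
Nov 12 09:05:02 fw kernel: VC-IN SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40388 DPT=1720
Nov 12 09:10:01 fw kernel: VC-IN SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=41020 DPT=1720
Nov 12 09:11:30 fw kernel: VC-IN SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50500 DPT=1720
Nov 12 09:12:44 fw kernel: VC-IN SRC=203.0.113.99 DST=192.0.2.10 PROTO=UDP SPT=5071 DPT=5060
Nov 12 09:13:00 fw kernel: VC-IN SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=41500 DPT=443
""".splitlines()

if __name__ == "__main__":
    hits = unknown_callers(SAMPLE_LOG, allowed=["198.51.100.7"])
    for (src, service), n in hits.most_common():
        print(f"{src:15} {service:8} {n}")
    print("block candidates:", block_candidates(hits))
```
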


This issue has been raised in a few threads already, suggest you see:

https://supportforums.cisco.com/discussion/12336591/sourceh323idcisco-incomingcalls

/jens

Please rate replies and mark question(s) as "answered" if applicable.

I raised a ticket with TAC and he suggested putting my endpoints in a private network, to see if I continue to receive spam calls. This doesn't solve my problem. I think the quality of Cisco's reply is starting to fall.

I noticed the spam calls are coming at a 5-minute interval. I can easily get 100 calls in a day for each endpoint.

The only solution is to put it behind a VCS.E?

Thanks guys, there is no VCS-E or CUCM available in this instance so I guess there's no other choice right now apart from blocking everything like we have done.

It's a minor inconvenience to add new IPs to the allowed list but not that bad as they don't make too many video calls to new destinations.

Hi Guys,

Please view the below link for the solution and for an up-to-date IP black list:

http://www.videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/

Thanks,

Ali Ibraheem

Thanks Ali, hope we hear some news from the vendors about this soon.