Thanks for the heads up

Anthony Thomson · ‎05-15-2015

I've noticed today that the ARQ now comes in with a random 16 character source value, and now they are also trying to register to the VCS-E if that doesn't work. Time to make sure you have a registration policy in place, and that your CPL doesn't depend on the 'cisco' source value.

Patrick Sparkman · ‎05-15-2015

Thanks for the heads up Anthony, I'll check my VCS from time to time and see what, if anything shows up.

Regarding the registration policy, it's best anyway to have one in place where you're checking the credentials of what attempts to register to your VCS Expressway.

Too bad Cisco doesn't put some kind of announcement or notice in their VCS or Expressway deployment guides to help us address these issues, with steps on trying to help mitigate the attempts either by providing examples or suggestions.

Melvin Gerardo Barquero Quiros · ‎01-27-2016

Hello Patrick,

If you are trying to stop the spam calls coming as "cisco" or "100" you need to apply a CPL in the VCS to reject them.

This can also be mitigated by disabling the SIP UDP in the VCS Expressway under:

Configuration>Protocols>SIP>SIP UDP mode off

If this port is enabled it can be scanned from the outside.

The reason this can lead to issues like this one is because UDP does not require any acknowledgements or connection to be built before sending data. This allows attackers to send hundreds of sip invites to the ip address of the expressway using a UDP port (5060). Most often when this happens, the sip invite will look like it was sourced from the VCS because it will use the VCS ip address in the invite. Most of the time this occurs because attackers are trying to find a path to your PSTN so that they can use your infrastructure to place free phonecalls (Toll Fraud). If you do not have a route to a PSTN from yoru VCS, it will simply eat up licenses and cause the VCS to use unnecessary resources.

About 99% of attacks are sourced using UDP like this, so by disabling it you will likely see the issue go away. That is not to say it is not possible for this to happen with TCP, but it is much less likely.

Check on the destination (normally 10 or more digits) of this calls and apply a CPL accordingly.

For example:

CPL >create CPL>

source> empty>

destination: \d{6.+} --> 6 or more digits

Action: reject

Another ReGex you can use is:

\d{6,20} --> 6 to 20 digits.

--------------------------------------------------------------------

Why the source has to be in blank?

--> Source pattern:

The alias that the calling endpoint used to identify itself when placing the call.
If this field is blank, the policy rule applies to all incoming calls from uauthenticated
users, meaning calls where the endpoint making the call is not either:

- locally registered and authenticated with the VCS, or
- registered and authenticated to a neighbor which in turn has authenticated with the local VCS

Page 229:
http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/admin_guide/Cisco-VCS-Administrator-Guide-X8-5-1.pdf

--------------------------------------------------------------------

The point of the CPLs is to avoid the VCS from doing search rules, the order of operations on the VCS is:

1) Authentication
2) Transforms
3) Sip Routes
4) Admin Policy (CPL) --> This is where we apply the rule.
5) User Policy (FindMe)
6) Search rules

--------------------------------------------------------------------

RandyWatsonCisco · ‎04-07-2020

We are having problems with longer destination numbers
How does the syntax actually look in the cpl file?
Not totally sure if my understanding of this is an accceptable syntax
Here's my example:

<taa:rule unauthenticated-origin=".*" destination="\d{6-20}">
<reject status="403" reason="Forbidden"/>
</taa:rule>
<taa:rule unauthenticated-origin=".*" destination="\d{6-20}@<Domain>">
<reject status="403" reason="Forbidden"/>
</taa:rule>

"Cisco" source spam calls stepped up in complexity