Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
555
Views
0
Helpful
3
Replies

Rogue Endpoint Registrations on Expressway E's consuming Smart Licensing

mshafer@andrew.cmu.edu
Level 1
Level 1

‎03-09-2021 06:20 AM

We are currently having issues with Rogue IP's registering endpoints to our Expressway E servers.  As a result, its mass consuming our Smart Telepresence Endpoint devices and putting our servers frequently out of compliance.  Our Expressway C/E clusters have the following Roles v12.6.4:

Expressway E

1. MRA

2. B2B Calling

Expressway C

1. MRA

2. B2B Calling

3. Registrar

We put security measures such as the Automated Detection on the Expressway E and IP Based Firewall Rules.  But the Firewall rules are reactive and the attacks persist from other IP's.  For the Expressway C we have allow lists setup for registrations and we turned off SIP Expressway registrations for our domain.  Even with these in place we are still getting the following registrations being accepted on the Expressway E for Rogue devices.

2021-03-09T03:03:31.250-05:00 tvcs: Event="Registration Requested" Service="SIP" Src-ip="35.239.198.156" Src-port="40945" Protocol="TLS" AOR="1001@128.2.104.78" Contact="sips:1001@10.128.0.2:41763" Duration="60" Level="1" UTCTime="2021-03-09 08:03:31,247"

2021-03-09T03:03:31.250-05:00 tvcs: Event="Registration Accepted" Service="SIP" Src-ip="35.239.198.156" Src-port="40945" Protocol="TLS" AOR="1001@128.2.104.78" Contact="sips:1001@10.128.0.2:41763" Duration="60" Level="1" UTCTime="2021-03-09 08:03:31,247"

2021-03-09T03:04:32.241-05:00 tvcs: Event="Registration Removed" Reason="Endpoint unresponsive" Service="SIP" Src-ip="35.239.198.156" Src-port="40945" Protocol="TLS" AOR="1001@128.2.104.78" Contact="sips:1001@10.128.0.2:41763" Level="1" UTCTime="2021-03-09 08:04:32,241"

How can we pro-actively block these types of attacks while still allowing for B2B Calling, MRA, and Smart Licensing to function properly?

 

0 Helpful
3 Replies 3

Nithin Eluvathingal
VIP
VIP

‎03-09-2021 08:15 PM

Use Registration restrict policy.

 

 

 

https://www.youtube.com/watch?v=utVwJZ-UdTg



Response Signature


0 Helpful

mshafer@andrew.cmu.edu
Level 1
Level 1

‎03-10-2021 04:52 AM

Nithin,

 

Thanks.  We have a strict allow list that has just 1 endpoint for registration on the Expressway C.  This was setup per TAC's guidance.  However, this issue still persists.  These rogue registrations are still making it through and oversubscribing our licenses on the Expressway E.  We don't have the registrar role turned on for our Expressway E's.   Should we turn on that functionality and then turn on the allow list to further restrict devices?  Is there a way to restrict Smart Licenses for Telepresence Endpoints to only be handed out to specific servers?  

0 Helpful

mshafer@andrew.cmu.edu
Level 1
Level 1

‎03-12-2021 06:23 AM

Spoke with a TAC Engineer again yesterday on the subject.  As a workaround, we agreed that turning on the Allow List on the Expressway E should be a good layer of security and making sure it has no device entries in the list.  This should hopefully block any attempts to register to our E's.  

 

0 Helpful
Customers Also Viewed These Support Documents