Solved: Unsolicited audio calls (war dialing)

Shane Maddox · ‎10-29-2014

I have an end user who is experiencing a large number of unsolicited audio-only calls directed toward his videoconferencing units, and as a measure to prevent disruption of ongoing classes we were wanting to put a capset filter in place (using the “xConfiguration Experimental CapsetFilter” command) that would block audio-only calls. However, the syntax for the capset filter command is not documented in any of the guides available on the cisco.com website, and so I was wondering if you could provide that syntax.

We had success with blocking audio-only calls on his older MXP units in the menu under general. This option isn't there on the C-series And SX-series. It looks like applying the same filters to his C and SX series units should eliminate the issue.

Martin Koch · ‎10-30-2014

It might be interesting to see how the video systems are deployed.

If the systems are on the VCS-C they are in general on private ip addresses.

On some univeristies I had seen they also used public ip addresses on the inside,

sometimes even without a firewall.

If its an h323 direct call to a vcs registered device the calls will even show up on the VCS.

In short, you should figure out if the scan calls are done to the endpoint or to the vcs.

if to the endpoint, I would see that SIP and H323 are blocked to the endpoint.

If the calls get through the VCS you should see what you could do on the VCS.

(like disabling sip-udp, have CPLs to block calls, slightly change your number plan, ...)

Many of these things were also discussed here before, so I would recommend some search / browsing through the forum, ...

Please remember to rate helpful responses and identify

View solution in original post

dpetrovi · ‎10-30-2014

Please, move this question into Telepresence community to get the visibility with MXP experts. This community is for Cisco Unified MeetingPlace and Cisco WebEx Meetings Server products.

I hope this will help.

-Dejan

Shane Maddox · ‎10-30-2014

Thank you Dejan.

Patrick Sparkman · ‎10-30-2014

Do you have a copy of the call history you could show us, you might be facing the same thing several of us are. See here: sourceh323idcisco-incomingcalls.

Chris Swinney · ‎10-30-2014

Hi smaddox12

To add to Patrick's comments, you say 'units', is the a gatekeeper or VCS involved? How are they protected from the public Internet - how are they deployed and what is the topology? I take it that the calls are IP and not via an ISDN Gateway or some such?

We too have seen a few of these "Cisco" calls but are trying to ensure that all customer have their unit is a secure VLAN behind a VCS. Yes, the gatekeeper gets hit, but we can control that a little easier.

Cheers

Chris

Shane Maddox · ‎10-30-2014

He has an expressway (outside) control (inside) and TMS with a firewall between the expressway and control. I do believe it is on a secure VLAN. It's a university network and I wouldn't expect any less.

Yes the calls are coming in as audio only H323.

Martin Koch · ‎10-30-2014