03-18-2016 10:03 PM - edited 03-18-2019 05:43 AM
Dear All,
Unwanted automatic call hitting on my Expressway E. start from 100@1.1.1.1.
how i can avoid or block this so that such call will stop hiting on my EXP_E.
Also suggest me if i want to block temporary external public incoming VC call and how can i do this ?
Thanking you.
Solved! Go to Solution.
03-19-2016 03:44 AM
This is a very well known issue which has been raised here on numerous occasions over the last few years; take a look at some of the threads linked to in this thread: https://supportforums.cisco.com/discussion/12484441/hack-attack-vcs-express and this might be of interest:.
https://supportforums.cisco.com/discussion/12917996/sip-spam-call-attack-and-mcu-and-vcs-.e and
In short, you can block these types of calls by a combination of CPL and search rules, the relevant section in the admin guide is referenced in some of the threads.
You won't be able to stop these calls hitting your E, but at least you can prevent these calls from succeeding, yes, they will show up in the call log, but that's it.
If you want to block all incoming external calls, then you would need to put it behind a firewall and not allow anything from external.
By the way, for SIP calls you can prevent a lot of these calls by disabling SIP UDP, however, preventing H.323 calls ain't that simple.
/jens
Please rate replies and mark question(s) as "answered" if applicable.
03-19-2016 03:44 AM
This is a very well known issue which has been raised here on numerous occasions over the last few years; take a look at some of the threads linked to in this thread: https://supportforums.cisco.com/discussion/12484441/hack-attack-vcs-express and this might be of interest:.
https://supportforums.cisco.com/discussion/12917996/sip-spam-call-attack-and-mcu-and-vcs-.e and
In short, you can block these types of calls by a combination of CPL and search rules, the relevant section in the admin guide is referenced in some of the threads.
You won't be able to stop these calls hitting your E, but at least you can prevent these calls from succeeding, yes, they will show up in the call log, but that's it.
If you want to block all incoming external calls, then you would need to put it behind a firewall and not allow anything from external.
By the way, for SIP calls you can prevent a lot of these calls by disabling SIP UDP, however, preventing H.323 calls ain't that simple.
/jens
Please rate replies and mark question(s) as "answered" if applicable.
03-19-2016 11:37 PM
Hi Jens,
If I make my SIP UDP port off from Config-Protocol-Sip- UDP mode off then what will affected becoz of this changes, as my setup is live and i dont wanna take any risk.
kindly guide me whether this will affect any incoming call or any outgoing call or both ?
03-20-2016 12:31 AM
SIP UDP is disabled by default by Cisco, and should only be turned on if you need to support voice services on the Expressway, it is not required for video.
(See the admin guide).
An upside to having SIP UDP turned off is that outbound calls will connect quicker - only "downside" I have found is that I'm not able to call hostnames, ie. fishtank.lifesize.com - but that's an address type we never use anyway. :)
/jens
Please rate replies and mark question(s) as "answered" if applicable.
03-20-2016 04:07 AM
03-20-2016 02:54 PM
Turning off SIP udp will stop those particular calls, however, you won't be able to stop the H.323 calls, you can only ensure they don't succeed.
They will still show up in your call history though, just like the ones in your screenshot. (None of those calls shown in your screenshot have succeeded by the way.)
Suggest you implement CPL to ensure these types of calls won't succeed, see the admin guide http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-7.pdf
page 242 onwards for CPL information and examples.
/jens
Please rate replies and mark question(s) as "answered" if applicable.
03-21-2016 08:44 PM
H jens,
I created some call policy to block such type of call.. source -destination-reject..
i have 1 question ...
in our premises aur dialing pattern for External call is extension@EXP_E ip. our extension is of 6 digit only ...so anything comes more than 6 digit then how should i block ???
EX. 3000000@EXP_P IP ....here extension is having 7 digit so this must be block....
if 300000@EXP_IP ip then this must be allow..... so on....
.*@EXP_IP indicates any digit with exp_E_ip..... so i want to block more then 6 digit then how i can ??????
03-22-2016 08:24 AM
Even though you specified an "Unauthenticated User", the built in web interface for the CPL rules are based on authenticated requests. If you look at the generated CPL script, it uses "origin" as the source, it should read "unauthenticated-origin". You'll need to look in the search history of the calls to see if they appear as authenticated or unauthenticated. If unauthenticated, you'll need to create a custom CPL script yourself to block these calls. You can use the VCS Locate tool under Maintenance > Tools to check if a CPL is working as intended.
Just to confirm, did you disable SIP UDP, as that will prevent most of these calls without the need of a CPL script.
We can help with creating a CPL script, just need to know some of the source/destination address and if the calls are authenticated or not.
03-21-2016 05:59 AM
As Jens suggests, you should disable SIP UDP, as it's not recommended for video and even disabled by Cisco by default. This will prevent most of these unwanted calls, however as mentioned this will not stop all attempts. You can use CPL to prevent the remaining calls from consuming call licenses, there are some example CPL scripts in the forums depending on the how the incoming call is formatted.
03-23-2016 02:45 AM
03-23-2016 04:31 AM
Dear Nikhil,
I think u blocked everything :D
Kindly check ur Destination Field...dont make any( .* )
Regards,
Vinod Gupta
03-23-2016 06:46 AM
Nikhil didn't block everything, the rules are based on source and destination, so the calls must match both fields in order to take affect. So because he used .* as the destination which does mean anything, that rule won't work unless the source address is matched as well.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide