2485 Views · 0 Helpful · 2 Replies

Attack on VCSE

Hi All,

We have received the below-mentioned logs from the ASA external firewall. It seems like a DDoS attack on the VCSE, and I suggested the customer secure their firewall by using Cisco IPS or other security devices to avoid such situations in future. I have also updated the VCSE CPL file with the attacker's source address to block the same call in future. But the security team is claiming that this is not a DDoS attack and that it's a VCSE server issue.

Does anyone have any documents or case reports regarding the same issue? If yes, please share those details, and also share your comments and suggestions to avoid such situations in future.

VCSE Version X8.5

Thanks & Regards,

Nikhil Jayan

1 Accepted Solution


shawnangelo
Level 1

This is fairly typical and part of how the VCS operates and it is somewhat the nature of the design. 

Can you post some of the VCS-E search history?

You are likely seeing calls from this IP as well as other IPs and spoofed aliases (like 100@1.1.1.1, 1@cisco, etc.). People use scripts and tools like SIPVicious to scan public IP addresses for an open port 5060, then typically attempt to commit toll fraud by calling international numbers. You are on the right track using a CPL. There are also ways to use search rules to route these calls to a dead end; however, I prefer using a CPL myself.

The issue here is that the VCS inbound connections need to be left open at the firewall so the VCS can accept calls from anyone (which is usually desired however if you have more of a privatized video network you could potentially lock this down more).

My suggestion would be to utilize the CPL and make it good and robust to block common attacks from source aliases like 1.1.1.1, 2.2.2.2, cisco, asterisk, etc. In addition to this, I would possibly request that the individual IP addresses that are hitting the VCSe are blocked by the firewall. Depending on your VCS version and deployment model, you can also use the built-in firewall functionality of the VCS to block these calls. They will likely still be noticed by the ASA, however.

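As an added illustration of the CPL approach shawnangelo describes (this is not code from the original post, and not a Cisco-supplied file), here is what a screening CPL could look like. It follows the `taa:rule-switch` CPL format from the VCS administrator guide as I recall it; the regular expressions, the 403 reason strings and the rule order are my assumptions, so validate the file against the CPL schema shipped with your VCS version before uploading it, and test it against a legitimate call first. Rules are evaluated top to bottom and the first match wins, so the catch-all `proxy` rule must stay last.

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Illustrative screening CPL for a VCS Expressway (assumed format; verify against your version's CPL schema). -->
<cpl xmlns="urn:ietf:params:xml:ns:cpl"
     xmlns:taa="http://www.tandberg.net/cpl/taa"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
  <taa:routed>
    <taa:rule-switch>

      <!-- Rule 1: reject the placeholder IP-literal source domains scanners commonly spoof
           (the thread mentions 1.1.1.1 and 2.2.2.2). Listed explicitly rather than as a
           blanket "any IPv4 domain" match so genuine IP-dialled calls are not caught. -->
      <taa:rule origin="^.*@(1\.1\.1\.1|2\.2\.2\.2)$" destination=".*">
        <reject status="403" reason="Rejected: spoofed source domain"/>
      </taa:rule>

      <!-- Rule 2: reject bare-word source domains that no real deployment uses
           (the thread mentions "cisco" and "asterisk"). Case-insensitive via (?i). -->
      <taa:rule origin="(?i)^.*@(cisco|asterisk)$" destination=".*">
        <reject status="403" reason="Rejected: bogus source domain"/>
      </taa:rule>

      <!-- Rule 3: reject a bare numeric source alias with no domain at all, e.g. "100".
           Scanners often send this; registered endpoints present a full URI. -->
      <taa:rule origin="^[0-9]{1,4}$" destination=".*">
        <reject status="403" reason="Rejected: unqualified numeric source alias"/>
      </taa:rule>

      <!-- Rule 4 (optional, assumption): a single known-bad source address can be
           pinned here as well as at the firewall; replace the placeholder. -->
      <taa:rule origin="^.*@203\.0\.113\.10$" destination=".*">
        <reject status="403" reason="Rejected: blocklisted source"/>
      </taa:rule>

      <!-- Catch-all: everything else is proxied normally. Must remain the last rule. -->
      <taa:rule origin=".*" destination=".*">
        <proxy/>
      </taa:rule>

    </taa:rule-switch>
  </taa:routed>
</cpl>
```

After uploading, the rejected attempts should still appear in the VCS-E search history with the 403 reason, which is what you want: the log remains the evidence that the attempts are scanning rather than a server fault, while the calls never reach a search rule or a zone. The placeholder 203.0.113.10 in rule 4 is from the documentation range and must be replaced with the address actually seen in your ASA logs.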

2 Replies

Jens Didriksen
Level 9

Would've been good to see the VCS-E call log; however, if these are H.323 calls, take a look at https://supportforums.cisco.com/discussion/12336591/sourceh323idcisco-incomingcalls. If these are SIP calls, disable SIP UDP on the VCS-E unless this is required for telephony services; also see https://supportforums.cisco.com/discussion/12000336/blocking-calls-100vseip#4094490

/jens

Please rate replies and mark question(s) as "answered" if applicable.