
Calls from Cisco?

Hi all,

 

These days our customer's endpoint (C20 TC5.1.3) repeatedly receives calls from unknown endpoints (or MCU?).

And it happens once every 10 minutes, tops.

 

The result of xhistory is as follows.

  Call Type:none
  IP address:H.323Cisco
  CallRate:64 or 128

 

This endpoint is not deployed behind VCS-E, but just a static NAT router.

SIP is disabled on this endpoint and calls are H.323, but it seems like a SIP ghost call or something like that...

Does anybody know what these calls are?

 

Regards,

Kotaro

 

 

 


jvodny
Level 1

Hi Kotaro,

 

It is a "normal attack". Someone has started attacks to try to call through H.323-available devices to PSTN numbers. It is changing source IP address, so you are not able to filter based on source IP.

I can see such attacks on our VCSEs, where all these attacks are discarded.

Your issue is that you have an old SW version and you use static NAT.

The best solution for you is to use VCSE. If not possible, try to upgrade to the latest SW version and use an ACL on your router to allow calls from known IP addresses only.

 

Josef

This is even happening on new software releases. As these attacks are happening using the H323 protocol, nothing on the codec can be done to prevent the attacks without breaking H323. Just like any other time, people are adapting and trying different methods to exploit organizations' networks. This is a prime example: first it was using SIP UDP, now it's using H323 TCP. The best solution is to prevent all incoming IPs from accessing the codec, and only allow specific IPs that you choose.

Btw, a search of the forums would have turned up several discussions on this, each with the same answers as above. Below are just a few of those discussions started within the last two weeks.

nuisance-h323-calls-sx20

sourceh323idcisco-incomingcalls

unsolicited-audio-calls-war-dialing
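
Added example, not part of the thread or of either reply: a Python triage of call-history records that applies the allowlist approach both replies recommend and tags the calls matching the traits reported in the question (no call type, remote ID "Cisco", 64 or 128 kbps, roughly every 10 minutes). The record field names, the addresses (documentation ranges) and the allowlist are assumptions constructed for illustration; they are not real xhistory output.

```python
import ipaddress
from datetime import datetime

# Assumption: the only peers this endpoint should accept calls from.
ALLOWED = [ipaddress.ip_network("198.51.100.0/28"),
           ipaddress.ip_network("203.0.113.7/32")]

# Constructed records; field names are hypothetical, not xhistory output.
CALLS = [
    {"time": "2000-01-01 09:00:00", "src": "192.0.2.41", "remote_id": "Cisco", "call_type": "none", "rate": 64},
    {"time": "2000-01-01 09:10:00", "src": "192.0.2.87", "remote_id": "Cisco", "call_type": "none", "rate": 128},
    {"time": "2000-01-01 09:15:00", "src": "198.51.100.5", "remote_id": "HQ-room", "call_type": "video", "rate": 1920},
    {"time": "2000-01-01 09:20:30", "src": "192.0.2.130", "remote_id": "cisco", "call_type": "none", "rate": 64},
    {"time": "2000-01-01 09:25:00", "src": "192.0.2.200", "remote_id": "lab-ep", "call_type": "video", "rate": 768},
    {"time": "2000-01-01 09:30:00", "src": "192.0.2.9", "remote_id": "Cisco", "call_type": "none", "rate": 128},
]

def is_allowed(src, allowed=ALLOWED):
    """True if the source address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)

def looks_like_probe(call):
    """Traits reported in the question: no call type, remote ID 'Cisco', 64/128 kbps."""
    return (call["call_type"].lower() == "none"
            and call["remote_id"].lower() == "cisco"
            and call["rate"] in (64, 128))

def triage(calls, allowed=ALLOWED):
    """Accept allowlisted peers, reject everything else, and tag likely probes."""
    report = {"accepted": [], "rejected": [], "probes": [], "probe_sources": set()}
    for call in calls:
        if is_allowed(call["src"], allowed):
            report["accepted"].append(call)
            continue
        report["rejected"].append(call)
        if looks_like_probe(call):
            report["probes"].append(call)
            report["probe_sources"].add(call["src"])
    return report

def probe_intervals_minutes(probes):
    """Minutes between consecutive probe calls, to expose the periodic pattern."""
    times = sorted(datetime.strptime(c["time"], "%Y-%m-%d %H:%M:%S") for c in probes)
    return [round((b - a).total_seconds() / 60, 1) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    r = triage(CALLS)
    print(len(r["probes"]), "probes from", len(r["probe_sources"]), "sources")
    print("intervals (min):", probe_intervals_minutes(r["probes"]))
```

Every probe in the constructed data comes from a different source address, which is why a per-source blocklist never catches up while the allowlist rejects all of them.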