Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8178
Views
0
Helpful
6
Replies

sip spam call attack and MCU and vcs-e

Go to solution
baselzind
Level 6
Level 6

‎02-18-2016 12:52 AM - edited ‎03-18-2019 05:35 AM

as far as i know sip call spam attacks is done against video conference units connected with a public ip address , i have disabled sip but im not sure if my mcu and vcs-e with public address are vulnerable to them? do they pose any security threats to them? and if so , how? and what can be done about it?

2 people had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jens Didriksen
Level 9
Level 9

‎02-18-2016 01:35 AM

This is a well known issue, and it affects H.323 as well as SIP, take a look at the below threads:

https://supportforums.cisco.com/discussion/12340591/nuisance-h323-calls-sx20

https://supportforums.cisco.com/discussion/12336591/sourceh323idcisco-incomingcalls

https://supportforums.cisco.com/discussion/12508641/cisco-source-spam-calls-stepped-complexity

https://supportforums.cisco.com/discussion/12613681/attack-vcse

There are a lot more threads dealing with this issue, the above is just a small selection. :)

You don't need to disable SIP on the VCS-E, all you need to do is turn of SIP UDP unless you require it for voice services.

You can protect yourself by using a CPL on the VCS-E which will prevent the calls from going through to your MCU, or anything else you have sitting behind the VCS-E. This is assuming you are using a VCS-C/VCS-E combo, with the VCS-C behind a firewall and the VCS-E outside the firewall, e.g. in DMZ.

Having endpoints and/or MCU sitting in the wild with public IP addresses are just asking for trouble.

These scans, by the way, are mainly looking for systems which will allow them to make free international phone calls.

/jens

Please rate replies and makr question(s) as "answered" if applicable,

Please rate replies and mark question(s) as "answered" if applicable.

View solution in original post

0 Helpful

Go to solution
saif musa
Level 4
Level 4

‎02-18-2016 01:37 AM

hi,

chick below link, it may helps..

https://supportforums.cisco.com/discussion/11760521/handling-unwanted-sip-call-attempts-vcs-es

Regards

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jens Didriksen
Level 9
Level 9

‎02-18-2016 01:35 AM

This is a well known issue, and it affects H.323 as well as SIP, take a look at the below threads:

https://supportforums.cisco.com/discussion/12340591/nuisance-h323-calls-sx20

https://supportforums.cisco.com/discussion/12336591/sourceh323idcisco-incomingcalls

https://supportforums.cisco.com/discussion/12508641/cisco-source-spam-calls-stepped-complexity

https://supportforums.cisco.com/discussion/12613681/attack-vcse

There are a lot more threads dealing with this issue, the above is just a small selection. :)

You don't need to disable SIP on the VCS-E, all you need to do is turn of SIP UDP unless you require it for voice services.

You can protect yourself by using a CPL on the VCS-E which will prevent the calls from going through to your MCU, or anything else you have sitting behind the VCS-E. This is assuming you are using a VCS-C/VCS-E combo, with the VCS-C behind a firewall and the VCS-E outside the firewall, e.g. in DMZ.

Having endpoints and/or MCU sitting in the wild with public IP addresses are just asking for trouble.

These scans, by the way, are mainly looking for systems which will allow them to make free international phone calls.

/jens

Please rate replies and makr question(s) as "answered" if applicable,

Please rate replies and mark question(s) as "answered" if applicable.
0 Helpful

Go to solution
baselzind
Level 6
Level 6
In response to Jens Didriksen

‎02-18-2016 01:43 AM

what sort of services are used by Port 5060 UDP ? will it affect CISCO jabber?

0 Helpful

Go to solution
Jens Didriksen
Level 9
Level 9
In response to baselzind

‎02-18-2016 02:12 AM

Non-encrypted call signalling, SIP UDP is now turned off by default in the VCS-E and Cisco recommends it stay that way unless you have voice services running on it, as call signalling on 5060 also uses TCP.

It will not affect neither Jabber (requires CUCM) nor JabberVideo, which requires VCS (not CUCM).

/jens

Please rate replies and makr question(s) as "answered" if applicable,

Please rate replies and mark question(s) as "answered" if applicable.
0 Helpful

Go to solution
baselzind
Level 6
Level 6
In response to Jens Didriksen

‎02-18-2016 03:57 AM

is the sip call spamming restricted to only port udp 5060? why is that? 

0 Helpful

Go to solution
Patrick Sparkman
VIP Alumni
VIP Alumni
In response to baselzind

‎02-18-2016 06:57 AM

UDP 5060 is a port used by SIP devices to register to a VCS for example. The scanner looks for this open port and if it finds one, it knows there may be a chance of reaching a device on/or through that IP to make calls, ie: toll fraud. 

0 Helpful

Go to solution
saif musa
Level 4
Level 4

‎02-18-2016 01:37 AM

hi,

chick below link, it may helps..

https://supportforums.cisco.com/discussion/11760521/handling-unwanted-sip-call-attempts-vcs-es

Regards

0 Helpful
Customers Also Viewed These Support Documents