cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

6698
Views
5
Helpful
11
Replies
Vinod Gupta
Beginner

Unwanted Automatic Call hitting on my Expressway E

Dear All,

Unwanted automatic call hitting on my Expressway E. start from 100@1.1.1.1. 

how i can avoid or block this so that such call will stop hiting on my EXP_E.

Also suggest me if i want to block temporary external public incoming VC call  and how can i do this ?

Thanking you.

1 ACCEPTED SOLUTION

Accepted Solutions
Jens Didriksen
Engager

This is a very well known issue which has been raised here on numerous occasions over the last few years; take a look at some of the threads linked to in this thread: https://supportforums.cisco.com/discussion/12484441/hack-attack-vcs-express and this might be of interest:.

https://supportforums.cisco.com/discussion/12917996/sip-spam-call-attack-and-mcu-and-vcs-.e and

https://supportforums.cisco.com/discussion/12472426/rogue-calls-expressway-e-can-they-be-blockeddropped

In short, you can block these types of calls by a combination of CPL and search rules, the relevant section in the admin guide is referenced in some of the threads.

You won't be able to stop these calls hitting your E, but at least you can prevent these calls from succeeding, yes, they will show up in the call log, but that's it.

If you want to block all incoming external calls, then you would need to put it behind a firewall and not allow anything from external.

By the way, for SIP calls you can prevent a lot of these calls by disabling SIP UDP, however, preventing H.323 calls ain't that simple.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Please rate replies and mark question(s) as "answered" if applicable.

View solution in original post

11 REPLIES 11
Jens Didriksen
Engager

This is a very well known issue which has been raised here on numerous occasions over the last few years; take a look at some of the threads linked to in this thread: https://supportforums.cisco.com/discussion/12484441/hack-attack-vcs-express and this might be of interest:.

https://supportforums.cisco.com/discussion/12917996/sip-spam-call-attack-and-mcu-and-vcs-.e and

https://supportforums.cisco.com/discussion/12472426/rogue-calls-expressway-e-can-they-be-blockeddropped

In short, you can block these types of calls by a combination of CPL and search rules, the relevant section in the admin guide is referenced in some of the threads.

You won't be able to stop these calls hitting your E, but at least you can prevent these calls from succeeding, yes, they will show up in the call log, but that's it.

If you want to block all incoming external calls, then you would need to put it behind a firewall and not allow anything from external.

By the way, for SIP calls you can prevent a lot of these calls by disabling SIP UDP, however, preventing H.323 calls ain't that simple.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Please rate replies and mark question(s) as "answered" if applicable.

View solution in original post

Hi Jens,

If I make my SIP UDP port off from Config-Protocol-Sip- UDP mode off then what will affected becoz of this changes, as my setup is live and i dont wanna take any risk.

kindly guide me whether this will affect any incoming call or any outgoing call or both ?

SIP UDP is disabled by default by Cisco, and should only be turned on if you need to support voice services on the Expressway, it is not required for video.

(See the admin guide).

An upside to having SIP UDP turned off is that outbound calls will connect quicker - only "downside" I have found is that I'm not able to call hostnames, ie. fishtank.lifesize.com - but that's an address type we never use anyway. :)

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Please rate replies and mark question(s) as "answered" if applicable.

Hi jens,

now i am getting such type of callls on my EXP_E..can you suggest how i stop such calls.

also let me know steps as i am not complete familiar with EXP_E.

Thanks

Turning off SIP udp will stop those particular calls, however, you won't be able to stop the H.323 calls, you can only ensure they don't succeed.

They will still show up in your call history though, just like the ones in your screenshot. (None of those calls shown in your screenshot have succeeded by the way.)

Suggest you implement CPL to ensure these types of calls won't succeed, see the admin guide http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-7.pdf

page 242 onwards for CPL information and examples.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Please rate replies and mark question(s) as "answered" if applicable.

H jens,

I created some call policy to block such type of call.. source -destination-reject..

i have 1 question ...

in our premises aur dialing pattern for External call is extension@EXP_E ip. our extension is of 6 digit only ...so anything comes more than 6 digit then how should i block ???

EX. 3000000@EXP_P IP  ....here extension is having 7 digit so this must be block....

if 300000@EXP_IP ip then this must be allow..... so on....

.*@EXP_IP  indicates any digit with exp_E_ip.....  so i want to block more then 6 digit then how i can ??????

Even though you specified an "Unauthenticated User", the built in web interface for the CPL rules are based on authenticated requests.  If you look at the generated CPL script, it uses "origin" as the source, it should read "unauthenticated-origin".  You'll need to look in the search history of the calls to see if they appear as authenticated or unauthenticated.  If unauthenticated, you'll need to create a custom CPL script yourself to block these calls.  You can use the VCS Locate tool under Maintenance > Tools to check if a CPL is working as intended.

Just to confirm, did you disable SIP UDP, as that will prevent most of these calls without the need of a CPL script.

We can help with creating a CPL script, just need to know some of the source/destination address and if the calls are authenticated or not.

As Jens suggests, you should disable SIP UDP, as it's not recommended for video and even disabled by Cisco by default.  This will prevent most of these unwanted calls, however as mentioned this will not stop all attempts.  You can use CPL to prevent the remaining calls from consuming call licenses, there are some example CPL scripts in the forums depending on the how the incoming call is formatted.

Hi Vinod,

Please follow the below steps:

1) Download the attached file and change the extension to .xml.

2) Goto EXP-E Configuration >> Call Policy >> Policy files and upload the attached CPL file into it. 

3) Enable the call policy mode to Local CPL.

Hope this works!!

BR,

Nikhil

Dear Nikhil,

I think u blocked everything :D

Kindly check ur Destination Field...dont make any( .* )

Regards,

Vinod Gupta

Nikhil didn't block everything, the rules are based on source and destination, so the calls must match both fields in order to take affect.  So because he used .* as the destination which does mean anything, that rule won't work unless the source address is matched as well.

Create
Recognize Your Peers
Content for Community-Ad