08-22-2010 11:44 PM - edited 03-21-2019 02:54 AM
Customer has a PRI with 12 channels. When originally set up, ISP said they would be sending four digits. Could not get it to work. Called Cisco Small business support and noticed that they were actually sending 8 digits. Ex phone number is 888-8888. ISP is sending 10108888.
We modified config to get it to work. However, after one month customer received a bill for $2000 for calls to Cuba. Obviously toll fraud.
ISP accused UC540 of not being secure.
My question is this:
Can their Cisco device that is handing off PRI be the weak link in toll fraud since they are sending 1010xxxx?
I will post config if needed, but wanted to see if they could be to blame?
Thanks
08-23-2010 03:59 AM
More likely you have been exploited via SIP, if your UC is on the Internet without protection.
That is primarily installer fault, because Cisco has at least a bulletin in place that highlights the issue and gives steps to prevent it.
http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_tech_note09186a00809dc487.shtml
08-23-2010 07:17 AM
Securing a gateway from untrusted call sources is no different from securing a router from untrusted traffic. Your router is likely allowing SIP or H323 traffic in an interface with a public interface, and it shouldn't be. Keep in mind that if you have CUE, you are running a SIP listener on the box, and SIP will listen on all interfaces unless you configure a bind. H323 will always listen on all interfaces, regardless of bind. You should always only allow TCP/1720 and TCP/UDP/5060 from known trusted sources on any WAN interface with a public IP.
Also, this behavior is improved starting with 15.1(2)T to prevent toll fraud scenarios out-of-the-box:
https://supportforums.cisco.com/docs/DOC-12228
-Steve
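An added example, not part of the original thread, of the filtering described in the post above: an inbound ACL on the WAN interface that admits H.323 (TCP/1720) and SIP (TCP/UDP 5060) signaling only from a known peer, plus a SIP bind. The address 203.0.113.10, the ACL name and the interface names are placeholders chosen for illustration, not values from this customer's configuration.

```cisco
! Constructed example. Placeholders (assumptions, not from the thread):
!   203.0.113.10         = the one trusted signaling peer
!   GigabitEthernet0/0   = WAN interface with the public IP
!   Loopback0            = internal interface SIP should be bound to
!
ip access-list extended WAN-VOICE-IN
 remark H.323 and SIP signaling only from the trusted peer
 permit tcp host 203.0.113.10 any eq 1720
 permit tcp host 203.0.113.10 any eq 5060
 permit udp host 203.0.113.10 any eq 5060
 remark drop and log call signaling from every other source
 deny   tcp any any eq 1720 log
 deny   tcp any any eq 5060 log
 deny   udp any any eq 5060 log
 remark the rest of the site's existing WAN policy belongs here;
 remark without further entries the implicit deny blocks all other traffic
!
interface GigabitEthernet0/0
 ip access-group WAN-VOICE-IN in
!
! Bind SIP signaling and media to an internal interface so SIP is not
! sourced from the public address. Per the post above, a bind does not
! change where H.323 listens, so the ACL remains the control for TCP/1720.
voice service voip
 sip
  bind control source-interface Loopback0
  bind media source-interface Loopback0
```

If no SIP or H.323 peer is reached over the WAN at all, omit the three permit lines so only the deny entries remain. `show access-lists WAN-VOICE-IN` displays per-entry match counts, which shows whether outside hosts are probing the signaling ports.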
08-23-2010 01:34 PM
Keep in mind that if you have CUE, you are running a SIP listener on the box.
Nitpick: even if you don't have CUE.
08-23-2010 01:42 PM
Right. Anytime you have a SIP dial-peer, SIP listener is enabled. Anytime you have an h323 dial-peer, H323 listener is enabled. Exceptions to this are that the listeners are both on by default for all code with a voice feature set, when running a release before this fix:
CSCsb25337
unnecessary tcp ports opened in default router config