03-04-2013 05:49 AM - edited 03-21-2019 07:02 AM
We had some weird issues with one of our UC320s over the weekend... I won't get into the details of that, but I noticed something while working on it -- there was a bunch of attempted toll-fraud showing in the SIP logs. None of it was completing, but I am curious why it is even there; it was my understanding that the UC320 automatically blocked all SIP except for your provider's IP via its firewall. Is that not the case? Has anyone else seen this?
Thanks.
03-04-2013 07:52 AM
Hi Daniel,
What PMFs are installed on the system? (Status -> Device -> Alter PMFs) We did release a PMF that disables the restrict SIP source IP address capability as it was required by some customers.
Chris
03-04-2013 08:27 AM
The only PMF we have is "Offer Release Candidates".
Is attempted fraud traffic in the SIP logs unexpected behavior?
It is not clear if fraud is restricted at the firewall level or at the SIP level.
(Meaning -- is the traffic outright blocked, or does the SIP server just reject calls from incorrect IPs)
03-04-2013 08:43 AM
Hi Daniel,
The SIP messaging is restricted to only being accepted from the proxy(s) IP/FQDN in the SIP trunk pages. SIP messaging traffic from other source IPs is logged and discarded.
It is logged because in some SIP providers they may actually originate SIP traffic to the UC320 from different IPs. You will also see probing from the Internet on SIP ports to see if there is an exposure to exploit. I see this on my home system all the time.
Chris
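An added example (not part of the original thread, and not UC320 code): a sketch of the accept-or-log-and-discard rule described in the reply above, run over constructed (source IP, SIP message) records, with the discarded traffic summarised per source so that a provider's secondary address can be told apart from Internet probing. The proxy ranges, addresses, User-Agent string and record format are all assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumption: provider proxy addresses as entered on the SIP trunk page (documentation ranges).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.10/32", "198.51.100.64/29")]
# Constructed sample: (source IP, raw SIP message) pairs; not real UC320 log output.
SAMPLE = [
    ("198.51.100.10", "INVITE sip:201@192.0.2.5 SIP/2.0\r\nUser-Agent: ProviderSBC\r\n\r\n"),
    ("203.0.113.77", "OPTIONS sip:100@192.0.2.5 SIP/2.0\r\nUser-Agent: example-scanner\r\n\r\n"),
    ("203.0.113.77", "INVITE sip:900441234567@192.0.2.5 SIP/2.0\r\nUser-Agent: example-scanner\r\n\r\n"),
    ("198.51.100.66", "INVITE sip:201@192.0.2.5 SIP/2.0\r\n\r\n"),
    ("203.0.113.9", "garbage"),
]

def is_trusted(src):
    return any(ipaddress.ip_address(src) in net for net in TRUSTED_PROXIES)

def parse_request(raw):
    """Return (method, request_uri, user_agent), or None if raw is not a SIP request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    ua = ""
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            ua = value.strip()
    return parts[0], parts[1], ua

def triage(records):
    """Count accepted messages; summarise discarded ones per source IP."""
    accepted = 0
    discarded = defaultdict(lambda: {"methods": Counter(), "targets": set(), "agents": set()})
    for src, raw in records:
        if is_trusted(src):
            accepted += 1
            continue
        method, uri, ua = parse_request(raw) or ("<malformed>", "", "")
        entry = discarded[src]
        entry["methods"][method] += 1
        if method == "INVITE":
            entry["targets"].add(uri)  # dialled URIs a reviewer would look at first
        if ua:
            entry["agents"].add(ua)
    return accepted, discarded

if __name__ == "__main__":
    for src, info in triage(SAMPLE)[1].items():
        print(src, dict(info["methods"]), sorted(info["targets"]), sorted(info["agents"]))
```

A discarded source that sends only well-formed INVITEs to programmed extensions is a candidate for a provider address missing from the trunk configuration; mixed OPTIONS/INVITE traffic to arbitrary numbers is the probing pattern mentioned in the thread.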
03-04-2013 09:30 AM
Thanks Chris, that makes sense.
It was the first time we have seen such traffic, so I wanted to check.
It's odd, I don't know about anyone else, but we have seen a HUGE increase in attempted fraud traffic in the last few weeks.
04-02-2013 06:15 AM
So is there a PMF that deals with toll fraud that I should add or is the UC320 safe?
04-02-2013 06:55 AM
Hi Jack,
No, you don't need to install a PMF. There are no services in the UC320W that allow the capability of hairpinning calls to dialed (non-programmed) addresses. The built-in capability described above means that we only accept SIP traffic from your configured SIP Provider's proxy IP address(es). All other rogue inbound SIP traffic is quietly discarded.
Chris