Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
872
Views
0
Helpful
6
Replies

SIP - Firewall/ACLs

danplacek
Level 4
Level 4

‎03-04-2013 05:49 AM - edited ‎03-21-2019 07:02 AM

We had some weird issues with one of our UC320's over the weekend... I won't get into the details of that, but I noticed something while working on it -- there was a bunch of attempted toll-fraud showing in the SIP logs. None of it was completing, but I am curious why it is even there; it was my understanding that the UC320 automatically blocked all SIP except for your providers IP via its firewall. Is that not the case? Has anyone else seen this?

Thanks.

Labels:
0 Helpful
6 Replies 6

Christopher Edgeworth
Level 6
Level 6

‎03-04-2013 07:52 AM

Hi Daniel,

What PMFs are installed on the system?  (Status -> Device -> Alter PMFs)  We did release a PMF that disables the restrict SIP source IP address capability as it was required by some customers.

Chris

0 Helpful

danplacek
Level 4
Level 4
In response to Christopher Edgeworth

‎03-04-2013 08:27 AM

The only PMF we have is "Offer Release Candidates".

Is attempted fraud traffic in the SIP logs unexpected behavior?

It is not clear if fraud is restricted at the firewall level or at the SIP level.

(Meaning -- is the traffic outright blocked, or does the SIP server just reject calls from incorrect IPs)

0 Helpful

Christopher Edgeworth
Level 6
Level 6
In response to danplacek

‎03-04-2013 08:43 AM

Hi Daniel,

The SIP messaging is restricted to only being accepted from the proxy(s) IP/FQDN in the SIP trunk pages.  SIP messaging traffic from other source IPs is logged and discarded.

It is logged because in some SIP providers they may actually originate SIP traffic to the UC320 from different IPs.  You will also see probing from the Internet on SIP ports to see if there is an exposure to exploit.  I see this on my home system all the time.

Chris

0 Helpful

danplacek
Level 4
Level 4
In response to Christopher Edgeworth

‎03-04-2013 09:30 AM

Thanks Chris, that makes sense.

It was the first time we have seen such traffic, so I wanted to check.

Its odd, I don't know about anyone else, but we have seen a HUGE increase in attempted fraud traffic in the last few weeks.

0 Helpful

Jack Germanos
Level 1
Level 1

‎04-02-2013 06:15 AM

So is there a PMF that deals with toll fraud that I should add or is the UC320 safe?

Sent from Cisco Technical Support iPhone App

0 Helpful

Christopher Edgeworth
Level 6
Level 6
In response to Jack Germanos

‎04-02-2013 06:55 AM

Hi Jack,

No, you don't need to install a PMF.  There are no services in the UC320W that allow the capabilitiy of hairpinning calls to dialed (non-programmed) addresses.  The built in capability described above means that we only accept SIP traffic from your configured SIP Provider's proxy IP address(es).  All other rogue inbound SIP traffic is quietly discarded.

Chris

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents