We had some weird issues with one of our UC320s over the weekend... I won't get into the details of that, but I noticed something while working on it -- there was a bunch of attempted toll-fraud showing in the SIP logs. None of it was completing, but I am curious why it is even there; it was my understanding that the UC320 automatically blocked all SIP except for your provider's IP via its firewall. Is that not the case? Has anyone else seen this?
What PMFs are installed on the system? (Status -> Device -> Alter PMFs) We did release a PMF that disables the restrict SIP source IP address capability as it was required by some customers.
The only PMF we have is "Offer Release Candidates".
Is attempted fraud traffic in the SIP logs unexpected behavior?
It is not clear if fraud is restricted at the firewall level or at the SIP level.
(Meaning -- is the traffic outright blocked, or does the SIP server just reject calls from incorrect IPs)
The SIP messaging is restricted to only being accepted from the proxy(s) IP/FQDN in the SIP trunk pages. SIP messaging traffic from other source IPs is logged and discarded.
It is logged because in some SIP providers they may actually originate SIP traffic to the UC320 from different IPs. You will also see probing from the Internet on SIP ports to see if there is an exposure to exploit. I see this on my home system all the time.
Thanks Chris, that makes sense.
It was the first time we have seen such traffic, so I wanted to check.
It's odd, I don't know about anyone else, but we have seen a HUGE increase in attempted fraud traffic in the last few weeks.
No, you don't need to install a PMF. There are no services in the UC320W that allow the capability of hairpinning calls to dialed (non-programmed) addresses. The built-in capability described above means that we only accept SIP traffic from your configured SIP Provider's proxy IP address(es). All other rogue inbound SIP traffic is quietly discarded.
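The source-address check described in the replies above can be replayed offline to triage a SIP log: this is an added example, not part of the original thread and not Cisco's code. The log line format, the proxy address, the sample lines and the `max_targets` threshold are all assumptions made for illustration. It separates traffic from the configured proxy from discarded sources, and marks a discarded source that only ever calls one number for review, since a provider may originate from an IP that is not on the trunk page.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: proxy address as entered on the SIP trunk page (constructed value).
PROVIDER_PROXIES = [ipaddress.ip_network("198.51.100.10/32")]

# Constructed sample lines in a hypothetical "time source-IP request-line" format.
SAMPLE_LOG = """\
2000-01-01T02:11:03 198.51.100.10 INVITE sip:5550100@pbx.example SIP/2.0
2000-01-01T02:11:09 203.0.113.77 OPTIONS sip:100@pbx.example SIP/2.0
2000-01-01T02:11:10 203.0.113.77 INVITE sip:0015550101@pbx.example SIP/2.0
2000-01-01T02:11:11 203.0.113.77 INVITE sip:90015550101@pbx.example SIP/2.0
2000-01-01T02:11:12 203.0.113.77 INVITE sip:0115550101@pbx.example SIP/2.0
2000-01-01T02:14:40 198.51.100.11 INVITE sip:5550100@pbx.example SIP/2.0
truncated or garbled line
"""

LINE_RE = re.compile(r"^\S+\s+(\S+)\s+([A-Z]+)\s+sip:([^@\s]+)@")


def triage(log_text, max_targets=2):
    """Split log entries into provider traffic and discarded sources."""
    accepted = 0
    rogue = defaultdict(lambda: {"methods": defaultdict(int), "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a SIP request line
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # source field is not an IP address
        if any(src in net for net in PROVIDER_PROXIES):
            accepted += 1
            continue
        rogue[str(src)]["methods"][m.group(2)] += 1
        rogue[str(src)]["targets"].add(m.group(3))
    report = {}
    for src, seen in rogue.items():
        # Many distinct dialed targets or non-INVITE requests look like probing;
        # a source that only calls one number may be an unlisted provider IP.
        probing = len(seen["targets"]) > max_targets or set(seen["methods"]) != {"INVITE"}
        report[src] = {"requests": sum(seen["methods"].values()),
                       "targets": len(seen["targets"]),
                       "verdict": "probe" if probing else "review: possible provider IP"}
    return accepted, report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```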