First and foremost, this is not an exhaustive list on how to prevent toll fraud. I have posted before things to do in the Cisco CME/Gateways on this topic. Im certainly not an expert at this, although Im trying to make strides to learn more on this topic. If you are an expert at toll fraud, or know more that what I have posted, I certainly would like to have at least an email conversation with you (to learn some things from you). So, if you do know a lot about toll fraud and I have missed something, or if your experience is such that you think my posts are spot on, I would like to know your thoughts. Anyway, see here below for more info on this post:
Ok, on for this post. This really gets to me. Look at the message below from one of the UC500s I put in:
Sep 9 21:12:25.938: %SEC-6-IPACCESSLOGP: list 101 denied udp 220.127.116.11(5166) -> 18.104.22.168(5060), 1 packet
Sep 9 21:15:02.718: %SEC-6-IPACCESSLOGP: list 101 denied udp 22.214.171.124(5060) -> 126.96.36.199(5060), 1 packet
This looks like someone is trying to get in on my Cisco UC500 (a customer of mine). This is really aggravating to me. I DO NOT like toll fraud, at all. And I think this is one attempt that someone has made to do just that. That is why you need to block SIP traffic coming into the phone system.
access-list 101 deny udp any any range 5060 5061 log
access-list 101 deny tcp any any range 5060 5061 log
The ACL above applied to the outside interface should block that kind of traffic. If you dont do SIP, just block it. No need to open yourself up to the outside and this kind of attack. This company has a PRI, so you might as well close off H.323 as well.
access-list 101 deny tcp any any range 1720 1721 log
Post a Comment
Your comment will be reviewed for approval. Thank you for submitting your comments.