Thursday, April 16, 2015

Cisco CME: SIP Toll Fraud Prevention Through ACL

I had a customer that called and complained that they could not make or receive calls on their UC500.  They only have two analog lines coming in, 0/1/1 and 0/1/2, both being used.
UC520#   show voice call sum
PORT           CODEC     VAD VTSP STATE            VPM STATE
============== ========= === ==================== ======================
0/0/0         -          -  -                     FXSLS_ONHOOK
0/0/1         -          -  -                     FXSLS_ONHOOK
0/0/2         -          -  -                     FXSLS_ONHOOK
0/0/3         -          -  -                     FXSLS_ONHOOK
0/1/0         -          -  -                     FXOLS_ONHOOK
0/1/1         g711ulaw   y  S_CONNECT             FXOLS_OFFHOOK
0/1/2         g711ulaw   y  S_CONNECT             FXOLS_OFFHOOK
0/1/3         -          -  -                     FXOLS_ONHOOK
0/4/0         g711ulaw   n  S_CONNECT             EM_CONNECT

So as I walked through the small office, no one was on the phone.  Odd.
So I looked further and found this:
UC520#   show voice call 0/1/1
0/1/1
      vtsp level 0 state = S_CONNECT
vpm level 1 state = FXOLS_OFFHOOK
vpm level 0 state = S_UP
calling number 2568357643, calling name Ed Andy A , calling time 04/07 15:36
UC520#   show voice call 0/1/2
0/1/2
      vtsp level 0 state = S_CONNECT
vpm level 1 state = FXOLS_OFFHOOK
vpm level 0 state = S_UP

Well, someone was on the phone, for sure.  Then I came across this:
019290: Apr  7 15:24:33.608: %VOICE_IEC-3-GW: CCAPI: Internal Error (Trunk-group select fail): IEC=1.1.182.1.23.53 on callID 19723 GUID=EFE82995DC9A11E4B7F8E6497FD6A81C
019291: Apr  7 15:24:33.876: %VOICE_IEC-3-GW: CCAPI: Internal Error (Trunk-group select fail): IEC=1.1.182.1.23.53 on callID 19724 GUID=F0110E00DC9A11E4B7FDE6497FD6A81C
019292: Apr  7 15:24:35.752: %VOICE_IEC-3-GW: CCAPI: Internal Error (Trunk-group select fail): IEC=1.1.182.1.23.53 on callID 19725 GUID=F12EB306DC9A11E4B802E6497FD6A81C
019293: Apr  7 15:24:36.020: %VOICE_IEC-3-GW: CCAPI: Internal Error (Trunk-group select fail): IEC=1.1.182.1.23.53 on callID 19726 

So someone is using the phones, and no one in the office is on the phone.  It looks like someone from the outside is doing this.  So I put this ACL in place, as a temporary measure to see what would happen:
UC520(config-if)#ip access-list extended 101
UC520(config-ext-nacl)#2 deny udp any any eq 5060
UC520(config-ext-nacl)#3 deny udp any any eq 1720
UC520(config-ext-nacl)#4 deny tcp any any eq 1720
UC520(config-ext-nacl)#5 deny tcp any any eq 5060

Once I got this in place, all the calls dropped and the toll fraud was stopped.  I'm going to make a better solution, but this stopped it for now.
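
An added example (not from the original post): a small Python check that parses %VOICE_IEC-3-GW lines like the ones above and flags a burst of "Trunk-group select fail" errors, the pattern that showed up here while both FXO lines were held off-hook. The year (syslog lines carry none), the threshold of 3 events and the 10-second window are assumptions to tune per site.

```python
import re
from datetime import datetime, timedelta

# The four syslog lines from the post, as shown there (the last one has no GUID).
SAMPLE_LOG = """\
019290: Apr  7 15:24:33.608: %VOICE_IEC-3-GW: CCAPI: Internal Error (Trunk-group select fail): IEC=1.1.182.1.23.53 on callID 19723 GUID=EFE82995DC9A11E4B7F8E6497FD6A81C
019291: Apr  7 15:24:33.876: %VOICE_IEC-3-GW: CCAPI: Internal Error (Trunk-group select fail): IEC=1.1.182.1.23.53 on callID 19724 GUID=F0110E00DC9A11E4B7FDE6497FD6A81C
019292: Apr  7 15:24:35.752: %VOICE_IEC-3-GW: CCAPI: Internal Error (Trunk-group select fail): IEC=1.1.182.1.23.53 on callID 19725 GUID=F12EB306DC9A11E4B802E6497FD6A81C
019293: Apr  7 15:24:36.020: %VOICE_IEC-3-GW: CCAPI: Internal Error (Trunk-group select fail): IEC=1.1.182.1.23.53 on callID 19726
"""

LINE_RE = re.compile(
    r"^\d+: (?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%VOICE_IEC-3-GW: \S+: Internal Error \((?P<reason>[^)]*)\): "
    r"IEC=(?P<iec>[\d.]+) on callID (?P<call_id>\d+)"
)

def parse_iec_events(text, year=2015):
    """Return (timestamp, reason, call_id) for each VOICE_IEC gateway error line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp = " ".join(m["ts"].split())  # collapse the padded day ("Apr  7")
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m["reason"], int(m["call_id"])))
    return events

def find_bursts(events, reason="Trunk-group select fail",
                min_events=3, window=timedelta(seconds=10)):
    """Return (first, last, count) for each run of `reason` errors inside `window`."""
    times = sorted(ts for ts, r, _ in events if r == reason)
    bursts, i = [], 0
    while i < len(times):
        j = i
        # Extend the run while the next error is within `window` of its start.
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= min_events:
            bursts.append((times[i], times[j], j - i + 1))
            i = j + 1
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    for first, last, count in find_bursts(parse_iec_events(SAMPLE_LOG)):
        print(f"{count} trunk-group select failures between {first} and {last}")
```

A hit is a prompt to check `show voice call sum` for FXO ports that are off-hook with nobody on the phone, as in the output earlier in this post.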
