Hi, is anybody here experiencing SIP fraud? Is there any possible bug? How to fix this problem? Just deny SIP to/from UC500?
008313: Apr 8 04:08:07.035: //3747/022A155F161A/SIP/Call/sipSPIMediaCallInfo:
UC500.com - Cisco Communication Manager Express, UC520, SMB VOIP reference and community
Thanks for the advice, but
Thanks for the advice, but then again it defeats the whole purpose of the box itself if I deny 5060.
Any other advice?
SIP Fraud
You only allow 5060 for specific IP addresses or host names. Look at the other options, which allow 5060 to remain open on the firewall but prevent calls with specific patterns from hairpinning back. Here is a new note posted on the website:
http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_tech_note...
SIP Fraud
Hi
I have heard about sporadic "toll fraud" issues when using SIP on the trunk side. Common ways of mitigating this would be:
a. Securing the WAN interface using the IOS firewall on UC520:
This implies allowing only known SIP or H.323 traffic to come in on the WAN interface – all other SIP or H.323 traffic will be blocked. This also requires that the administrator knows the IP addresses that the SIP VOIP SP uses for signaling on the SIP Trunk. Note that the below lines would need to be added in addition to any ACL entries already present on the WAN interface.
interface serial 0/0
 ip access-group 100 in
!
! 1.1.1.254 is the service provider's SIP proxy
access-list 100 permit udp host 1.1.1.254 eq 5060 any
access-list 100 permit udp host 1.1.1.254 any eq 5060
access-list 100 permit udp any any range 16384 32767
b. Ensuring calls coming in on the SIP trunk do hairpin back out:
This implies that the configuration will only allow SIP – SIP hairpin of calls to a specific known PSTN number range, all other calls will be blocked. The administrator should configure specific inbound dial-peers for the PSTN numbers coming in on the SIP trunk that are mapped to extensions or auto attendant(s) or voicemail on UC520. All other calls to numbers that are not part of the UC520 PSTN number range will be blocked. Note, this will not affect call forwards / transfers to voicemail (CUE) and call forward all to PSTN numbers from IP phones as the initial call is still targeted towards an extension on UC520.
dial-peer voice 1000 voip
 description ** Incoming call to 4085551000 from SIP trunk **
 voice-class codec 1
 voice-class sip dtmf-relay force rtp-nte
 session protocol sipv2
 incoming called-number 4085551000
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 1001 voip
 ! prevent hairpinning calls back over the SIP trunk
 permission term
 description ** Incoming call from SIP trunk **
 voice-class codec 1
 voice-class sip dtmf-relay force rtp-nte
 session protocol sipv2
 incoming called-number .T
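To see how the two controls in this reply complement each other, here is a small policy evaluator added for this thread (it is not Cisco's code nor the UC520's logic): it applies control (a), accepting SIP signalling only from the known provider proxy, and control (b), accepting only called numbers inside the site's own DID range so that nothing from the trunk can be routed back out, to a few constructed INVITE request lines. The proxy address 1.1.1.254 and DID 4085551000 come from the reply; every other address, number and message is a constructed sample.

```python
"""Added example (not from the thread): a policy evaluator that mirrors the two
UC520 toll-fraud controls described above, so the effect of each can be checked
against constructed SIP INVITEs offline.

  (a) WAN ACL: accept SIP signalling only from the provider's known proxy
  (b) inbound dial-peers: accept only called numbers in the site's own DID
      range, so a trunk call cannot hairpin back out to an arbitrary number

All addresses, numbers and messages below are constructed for this example."""
import re
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed provider SIP proxy (plays the role of 1.1.1.254 in the ACL above).
TRUSTED_PROXIES = [ip_network("1.1.1.254/32")]

# Assumed DID block owned by the UC520 (4085551000 is from the dial-peer above,
# the other two are constructed).
LOCAL_DIDS = {"4085551000", "4085551001", "4085551002"}

# INVITE request line: method, Request-URI (sip: or sips:), protocol version.
REQUEST_LINE = re.compile(r"^INVITE\s+sips?:(?P<user>[^@;>\s]+)@\S+\s+SIP/2\.0$")


def called_number(request_line: str) -> Optional[str]:
    """Digits of the INVITE Request-URI user part, or None if not an INVITE."""
    m = REQUEST_LINE.match(request_line.strip())
    if m is None:
        return None
    user = m.group("user").lstrip("+")  # tolerate an E.164 '+' prefix
    return user if user.isdigit() else None


def from_trusted_proxy(src_ip: str) -> bool:
    """Control (a): does the packet come from a known SP SIP proxy?"""
    addr = ip_address(src_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def evaluate(src_ip: str, request_line: str) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one INVITE seen on the WAN side."""
    if not from_trusted_proxy(src_ip):
        return "deny", "acl: source %s is not a known SIP proxy" % src_ip
    number = called_number(request_line)
    if number is None:
        return "deny", "dial-peer: no usable called number in request"
    if number not in LOCAL_DIDS:
        # Would only match the catch-all '.T' dial-peer: terminate, never route out.
        return "deny", "dial-peer: %s is outside the local DID range (hairpin)" % number
    return "allow", "dial-peer: %s is a local DID" % number


# Constructed sample INVITEs: (source IP, request line).
SAMPLES = [
    ("1.1.1.254",    "INVITE sip:4085551000@203.0.113.10 SIP/2.0"),   # normal call to a DID
    ("198.51.100.7", "INVITE sip:4085551000@203.0.113.10 SIP/2.0"),   # unknown source, blocked by ACL
    ("1.1.1.254",    "INVITE sip:+5355512345@203.0.113.10 SIP/2.0"),  # off-net number via the trunk
    ("1.1.1.254",    "REGISTER sip:203.0.113.10 SIP/2.0"),            # not a call at all
]


def run_samples() -> List[str]:
    """Verdict for each constructed sample, in order."""
    return [evaluate(ip, line)[0] for ip, line in SAMPLES]


if __name__ == "__main__":
    for ip, line in SAMPLES:
        verdict, reason = evaluate(ip, line)
        print(f"{ip:14} {line:48} -> {verdict:5} ({reason})")
```

Only the first sample is allowed: the second never passes the ACL, and the third shows why control (b) matters even once the ACL is in place, since it arrives from the trusted proxy but asks for a number the UC520 does not own.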
Not really, unless you've
Not really, unless you have SIP phones registering off the WAN port.
Most UC/CME installations use SCCP, and do not have an internet exposed interface
Hi, toll fraud via exposed
Hi, toll fraud via exposed SIP GWs is very frequent nowadays.
You've been lucky that apparently the calls were made to the US and not to Cuba, which, being one of the most expensive destinations, is the one most sought by "callers".
As you noted, the correct prevention for that is a simple ACL denying udp/tcp to port 5060.