HP Recommended

I have a situation where a customer is being plagued by rogue calls from someone on the Internet trying to use their system to route phone calls. They have a VBP partnered with a DMA.

The hackers are trying all combinations of prefixes to try to get through. They are also clever; they are using random IP addresses so a blacklist won't help. The calls aren't going through but they are causing inconvenience in the VC network.

The numbers can be identified by being like telephone numbers and the ones causing the biggest problem are prefixed by "9" which is a valid prefix in the organisation's dial plan. Valid numbers that are prefixed with "9" are only 5-6 characters long; the invalid ones are more like 10 characters.

Is there a dial rule that could be used to kill these calls in the DMA or better still in the VBP?

6 REPLIES
HP Recommended

Ray,

What we will do is limit what internal destinations the VBP-E will process by creating a digit-match (regex is supported in the field) that is used to cause the box to drop the incoming call; this is a very easy to use method for limiting inbound destinations! We know we should block calls that begin with a 9 (simplified dialing), so adding another Drop on WAN for 0, or any number that we do not want to be dialed, would be the first step in this Spy-vs.-Spy game. You really can’t keep them from trying, you can only try to keep them from succeeding.

See the image for more information.

S.

HP Recommended

Simons, thanks for that. The problem is the customer is using "9" as a valid prefix (bad idea I know, but there it is). The only way to identify the rogue calls is the length. Valid calls have only 5-6 characters. The rogue calls are more like 10-12 characters. Is there a way to set up a dial rule script or mask to check the length of the number dialled?

HP Recommended

Hello.

Has anybody tried to use iptables rules to add a malefactor's IPs to a blacklist?

I mean add something like this to the iptables rules on the VBP:

iptables -A INPUT -p tcp --dport 1720 -m recent --name h323 --set
iptables -A INPUT -p tcp --dport 1720 -m recent --name h323 --rcheck --seconds 20 --hitcount 40 -j DROP

Regards

HP Recommended

Bazzuck,

In this case that won't work. They are using random IP addresses. The calls never originate from the same IP address twice.

HP Recommended

Ray,

On the VBP - not that I know of. But you could do this very easily on the DMA in the script. Here is a sample script you could use. First create a VBP site in your site topology so we can just reference this site for the script.

if (CALLER_SITE_NAME == "VBP" && DIAL_STRING.length >= 10)
{
   println("This is a suspicious rogue call and was rejected. DIAL_STRING: " + DIAL_STRING);
   return NEXT_RULE;
}
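
The length check from the script above, as an added example that is not part of the original post and is not vendor code: a stand-alone JavaScript version that runs in Node.js against constructed dial strings, so the thresholds can be tried before a rule goes live. `CONTINUE`, the site name `HQ`, the sample numbers and the regular expression are assumptions, and whether the VBP digit-match field accepts this regex syntax has to be confirmed on the device.

```javascript
// Added example: offline harness for the length-based dial rule discussed in this thread.
// CALLER_SITE_NAME / DIAL_STRING from the posted script become plain function arguments here.
const NEXT_RULE = "NEXT_RULE"; // stand-in for the constant returned by the posted script
const CONTINUE = "CONTINUE";   // hypothetical marker: the rule keeps processing the call

// Thresholds taken from the thread: valid "9" numbers are 5-6 characters,
// the posted script treats 10 or more characters as suspicious.
const VALID_LEN = { min: 5, max: 6 };
const ROGUE_MIN_LEN = 10;

// The same length test for 9-prefixed numbers as a regular expression:
// "9" followed by at least nine more digits (assumed syntax, verify on the VBP).
const ROGUE_REGEX = new RegExp("^9\\d{" + (ROGUE_MIN_LEN - 1) + ",}$");

function evaluateDialRule(callerSiteName, dialString) {
  if (callerSiteName !== "VBP") {
    return { action: CONTINUE, reason: "not from the VBP site" };
  }
  // Assumption: the dial string is the bare number; aliases are left to other rules.
  if (!/^\d+$/.test(dialString)) {
    return { action: CONTINUE, reason: "not a telephone-like number" };
  }
  if (dialString.length >= ROGUE_MIN_LEN) {
    return { action: NEXT_RULE, reason: "suspicious length " + dialString.length };
  }
  const validNine = dialString.startsWith("9") &&
    dialString.length >= VALID_LEN.min && dialString.length <= VALID_LEN.max;
  // Lengths 7-9 are not described in the thread, so they are only labelled, not dropped.
  return { action: CONTINUE, reason: validNine ? "valid 9-prefixed number" : "unclassified length" };
}

// Constructed sample calls: [caller site, dial string]
const SAMPLE_CALLS = [
  ["VBP", "91234"], ["VBP", "912345"],            // valid lengths (5 and 6)
  ["VBP", "9001155501"], ["VBP", "900115550123"], // rogue lengths (10 and 12)
  ["VBP", "9123456"],                             // 7 characters: the undefined gap
  ["HQ", "9001155501"],                           // internal site, never checked
  ["VBP", "room42"],                              // alias, not a number
];

function summarize(calls) {
  const skipped = [], passed = [];
  for (const [site, dial] of calls) {
    const verdict = evaluateDialRule(site, dial);
    (verdict.action === NEXT_RULE ? skipped : passed).push(dial + " (" + verdict.reason + ")");
  }
  return { skipped, passed };
}

console.log(JSON.stringify(summarize(SAMPLE_CALLS), null, 2));
```
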

HP Recommended

If you haven't already, upgrade your VBP to version 11.2.20. These rogue calls use a feature called fast start where the OLC information is included in the call setup message. 11.2.20 now includes the ability to detect fast start calls and immediately drop them. You will see a message in the activity log that will say "fast start not supported".
