I have a situation where a customer is being plagued by rogue calls from someone on the Internet trying to use their system to route phone calls. They have a VBP partnered with a DMA.
The hackers are trying all combinations of prefixes to try to get through. They are also clever; they are using random IP addresses so a blacklist won't help. The calls aren't going through but they are causing inconvenience in the VC network.
The numbers can be identified by being like telephone numbers, and the ones causing the biggest problem are prefixed by "9", which is a valid prefix in the organisation's dial plan. Valid numbers that are prefixed with "9" are only 5-6 characters long; the invalid ones are more like 10 characters.
Is there a dial rule that could be used to kill these calls in the DMA or, better still, in the VBP?
What we will do is limit what internal destinations the VBP-E will process by creating a digit-match (regex is supported in the field) that is used to cause the box to drop the incoming call; this is a very easy to use method for limiting inbound destinations! We know we should block calls that begin with a 9 (simplified dialing), so adding another Drop on WAN for 0, or any number that we do not want to be dialed, would be the first step in this Spy-vs.-Spy game. You really can’t keep them from trying, you can only try to keep them from succeeding.
See the image for more information.
Simons, thanks for that. The problem is the customer is using "9" as a valid prefix. (Bad idea, I know, but there it is.) The only way to identify the rogue calls is the length. Valid calls have only 5-6 characters. The rogue calls are more like 10-12 characters. Is there a way to set up a dial rule script or mask to check the length of the number dialled?
Has anybody tried to use iptables rules to add a malefactor's IPs to a blacklist?
I mean adding something like this to the iptables rules on the VBP:
iptables -A INPUT -p tcp --dport 1720 -m recent --name h323 --set
iptables -A INPUT -p tcp --dport 1720 -m recent --name h323 --rcheck --seconds 20 --hitcount 40 -j DROP
In this case that won't work. They are using random IP addresses. The calls never originate from the same IP address twice.
On the VBP - not that I know of. But you could do this very easily on the DMA in the script. Here is a sample script you could use. First create a VBP site in your site topology so we can just reference this site for the script.
if (CALLER_SITE_NAME == "VBP" && DIAL_STRING.length >= 10) {
    println("This is a suspicious rogue call and was rejected. DIAL_STRING: " + DIAL_STRING);
    return BLOCK; // reject the call instead of passing it to the next dial rule
}
If you haven't already, upgrade your VBP to version 11.2.20. These rogue calls use a feature called fast start where the OLC information is included in the call setup message. 11.2.20 now includes the ability to detect fast start calls and immediately drop them. You will see a message in the activity log that will say "fast start not supported".
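The length rule discussed in this thread, written as one anchored regex and run over constructed call records. This is an added example, not code from any poster or from the vendor. The helper names, record fields, sample numbers and addresses are assumptions, and the thread does not confirm that the VBP digit-match field accepts this exact regex syntax.

```javascript
// Added example: all data below is constructed; names are hypothetical.
// "9" prefix followed by 9 or more digits, i.e. total length >= 10.
// Valid 5-6 character "9" numbers can never match.
const ROGUE = /^9\d{9,}$/;

// Reduce a dialed alias or URI to the bare string the rule applies to.
function normalize(raw) {
  return raw.trim()
    .replace(/^(sips?|h323|tel):/i, "") // drop URI scheme
    .replace(/@.*$/, "")                // drop host part
    .replace(/[\s\-()]/g, "");          // drop separators
}

// Only calls arriving through the "VBP" site are subject to the rule,
// mirroring the CALLER_SITE_NAME check in the DMA script above.
function verdict(call) {
  if (call.site !== "VBP") return "allow";
  return ROGUE.test(normalize(call.dial)) ? "drop" : "allow";
}

// Count verdicts and the number of distinct sources among dropped calls.
function summarize(calls) {
  const dropped = calls.filter((c) => verdict(c) === "drop");
  return {
    dropped: dropped.length,
    allowed: calls.length - dropped.length,
    distinctSources: new Set(dropped.map((c) => c.src)).size,
  };
}

// Constructed sample records (documentation address ranges).
const SAMPLE_CALLS = [
  { src: "203.0.113.7",   site: "VBP", dial: "912345" },
  { src: "203.0.113.7",   site: "VBP", dial: "94021" },
  { src: "203.0.113.19",  site: "VBP", dial: "90015550100" },
  { src: "198.51.100.23", site: "VBP", dial: "h323:9000000000001@192.0.2.10" },
  { src: "198.51.100.88", site: "VBP", dial: "sip:90015550199@example.com" },
  { src: "192.0.2.44",    site: "VBP", dial: "alice.longname@example.com" },
  { src: "10.1.1.5",      site: "HQ",  dial: "90015550123" },
];

console.log(summarize(SAMPLE_CALLS));
```

Every dropped call in the sample comes from a different source address, which is why the decision is keyed on the dial string rather than on the sender. Matching digits only keeps a long non-numeric alias from being dropped by length alone.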