Greetings,

We seem to be encountering a problem for a few days that is not only affecting our units but our client's units.

We are getting multiple calls from a "Cisco" machine in this format:

cisco@10.10.10.10 (The IP is just an example, as it changes each time).

Has anyone had this experience? And if so, how did you solve it?

Thanks in advance

1 ACCEPTED SOLUTION


These aren't SIP calls, they are H.323 calls. It is a toll fraud autodialer program that is searching for IP phones to make free long distance calls. When it hits an H.323 multipoint device it will try to do a dial out from that device. Every example I have seen so far has shown that the dial outs are destined to the UK (all the numbers start with 044 or 0044).

If you have a codec on the public Internet you should turn off auto-answer. If you have a codec on the public Internet you shouldn't have auto-answer on anyway.

If you have a VBP fronting your network you can set up a Drop on WAN prefix rule that will kill those connections. If you have an RPAD you could set up an ACL where you filter out H.323 IDs that contain "cisco".
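
A triage sketch for the pattern described in the accepted solution, added here and not part of the original post or any vendor tooling: it counts inbound H.323 calls whose caller ID has the `cisco@<ip>` shape and lists dial-outs starting with 044 or 0044. The five-column log format, the function names and the sample records are assumptions constructed for illustration; adapt the parsing to whatever your codec or border device actually exports.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Caller ID shape reported in the thread: the alias "cisco" followed by an IP
# address that changes on every attempt.
SCANNER_ID = re.compile(r"^cisco@(?P<ip>[0-9.]+)$", re.IGNORECASE)
# Dial-out prefixes named in the accepted solution.
FRAUD_PREFIXES = ("044", "0044")

# Constructed sample records in a hypothetical export format, using
# documentation-range IPs and reserved test numbers:
# timestamp,direction,protocol,remote_id,dialed_number
SAMPLE_LOG = """\
2000-01-01T02:11:07,in,h323,cisco@192.0.2.15,
2000-01-01T02:11:09,out,h323,,00441632960123
2000-01-01T02:14:41,in,h323,cisco@198.51.100.7,
2000-01-01T02:14:44,out,h323,,0441632960456
2000-01-01T09:30:00,in,h323,boardroom@203.0.113.20,
2000-01-01T09:45:12,out,h323,,5551000
2000-01-01T10:02:33,in,sip,cisco@not-an-ip,
"""

def scanner_source(remote_id):
    """Return the IP embedded in a cisco@<ip> caller ID, or None if it does not fit."""
    m = SCANNER_ID.match(remote_id.strip())
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None  # digits and dots, but not a valid address

def triage(log_text):
    """Count scanner-style inbound H.323 calls per source and list suspect dial-outs."""
    sources, dialouts = Counter(), []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or row[2].lower() != "h323":
            continue  # skip malformed rows and non-H.323 traffic
        _ts, direction, _proto, remote_id, dialed = row
        if direction == "in":
            ip = scanner_source(remote_id)
            if ip:
                sources[ip] += 1
        elif direction == "out" and dialed.startswith(FRAUD_PREFIXES):
            dialouts.append(dialed)
    return {"inbound_by_source": dict(sources), "suspect_dialouts": dialouts}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A suspect dial-out shortly after a matching inbound call suggests the device answered and was used to dial out, which is the case where auto-answer needs to be turned off first.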

7 REPLIES 7
HP Recommended

Hi there,
This happened today with us (Sao Paulo - Brazil). When I got into our videoconference room I noticed that there were more than a hundred lost calls. I checked with the technician team and they told me it also happened on Monday and they included some IPs in the blacklist, but this is happening with many different IPs, always related to Cisco (see below).

 

Has anyone a reasonable explanation to this?

 

 


 

Regards,

Fabio

HP Recommended

It's most likely a SIP scan attack for the purpose of intended toll fraud.

HP Recommended

We've had the same problem. We've disabled SIP on our units and the problem still happens. Once in a call, we turn the Auto Answer setting to Do Not Disturb.

It's a workaround at least.

HP Recommended

What VC components do you guys have in your VC infra?

Are you guys using any firewall traversal solution? What logic says the dial string from which you guys are getting a call is basically supported by Cisco VC devices to connect with a particular EP from the internet?

Also please share the software version of the EP.

 

BR

Yash Pal

HP Recommended

We are not using any Firewall Traversal at my location. The calls come in at 64kbps.

HP Recommended

Glad to see we are not the only ones. Any ideas to prevent this would be appreciated.

 
