
Getting repetitive dial-ins from a "Cisco" machine.

SOLVED
RCS-Toronto
Occasional Advisor


Greetings,

We seem to be encountering a problem for a few days that is not only affecting our units but our client's units.

We are getting multiple calls from a "Cisco" machine in this format:

cisco@10.10.10.10 (The IP is just an example, as it changes each time).

Has anyone had this experience? And if so, how did you solve it?

Thanks in advance

Message 1 of 8
1 ACCEPTED SOLUTION

Accepted Solutions
MikeB
Polycom Employee

Re: Getting repetitive dial-ins from a "Cisco" machine.

These aren't SIP calls, they are H.323 calls. It is a toll fraud autodialer program that is searching for IP phones to make free long distance calls. When it hits an H.323 multipoint device it will try to do a dial out from that device. Every example I have seen so far has shown that the dial outs are destined to the UK (all the numbers start with 044 or 0044).

If you have a codec on the public Internet you should turn off auto-answer. If you have a codec on the public Internet you shouldn't have auto-answer on anyway.

If you have a VBP fronting your network you can set up a Drop on WAN prefix rule that will kill those connections. If you have an RPAD you could set up an ACL where you filter out H.323 IDs that contain "cisco".

Michael K. Bromley, CVE, CCENT, WCNA, VCA-DCV
Technical Lead
Infrastructure Technical Support Center

View solution in original post

Message 8 of 8
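
As an added illustration of the accepted answer (not code from the original thread or from Polycom), this Python sketch applies the two indicators described there, an H.323 ID containing "cisco" and dial-outs starting with 044 or 0044, to call records. The CSV layout, field names and sample rows are constructed for this example and are not a real Polycom log format.

```python
import csv
import io
import re

# Constructed sample call records; this CSV layout is an assumption for the
# example, not a real Polycom log format.
# Columns: time, direction, remote_ip, remote_alias, dialed_number
SAMPLE_CDR = """\
2014-03-10T09:00:01,in,192.0.2.15,cisco@192.0.2.15,
2014-03-10T09:00:04,out,,,00441632960001
2014-03-10T09:02:17,in,198.51.100.7,cisco@198.51.100.7,
2014-03-10T09:05:40,in,203.0.113.20,Boardroom-Toronto,
2014-03-10T09:06:02,in,203.0.113.99,CISCO,
2014-03-10T10:30:00,out,,,14165550100
"""

ALIAS_RE = re.compile(r"cisco", re.IGNORECASE)  # H.323 ID contains "cisco"
FRAUD_PREFIXES = ("044", "0044")                # dial-out prefixes named in the thread


def scan(cdr_text):
    """Flag scanner-style inbound calls and dial-outs to the reported prefixes."""
    inbound, outbound, source_ips = [], [], set()
    for row in csv.reader(io.StringIO(cdr_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines rather than guess
        when, direction, ip, alias, dialed = (field.strip() for field in row)
        if direction == "in" and ALIAS_RE.search(alias):
            inbound.append((when, ip, alias))
            source_ips.add(ip)
        elif direction == "out" and dialed.startswith(FRAUD_PREFIXES):
            outbound.append((when, dialed))
    return {"inbound": inbound, "outbound": outbound,
            "source_ips": sorted(source_ips)}


if __name__ == "__main__":
    result = scan(SAMPLE_CDR)
    # Many distinct sources under one alias is why per-IP blacklisting
    # does not keep up, while an alias-based rule does.
    print(f"{len(result['inbound'])} suspect inbound calls "
          f"from {len(result['source_ips'])} distinct IPs")
    for when, dialed in result["outbound"]:
        print(f"dial-out to flagged prefix at {when}: {dialed}")
```

Matching on the alias also catches legitimate endpoints whose H.323 ID contains "cisco", so review the hits before turning the pattern into a blocking rule.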
7 REPLIES 7
fabio.rigotto
Occasional Advisor

Re: Getting repetitive dial-ins from a "Cisco" machine.

Hi there,
This happened today with us (Sao Paulo - Brazil). When I got into our videoconference room I noticed that there were more than a hundred lost calls. I checked with the technician team and they told me it happened on Monday also and they included some IPs into the black list, but this is happening with many different IPs always related to Cisco (see below).

Has anyone a reasonable explanation to this?

 

 


Regards,

Fabio

Fabio Rigotto
Message 2 of 8
NRAShane
Occasional Contributor

Re: Getting repetitive dial-ins from a "Cisco" machine.

It's most likely a SIP scan attack for the purpose of intended toll fraud.

Message 3 of 8
gkern
Advisor

Re: Getting repetitive dial-ins from a "Cisco" machine.

We've had the same problem. We've disabled SIP on our units and the problem still happens. Once in a call, we turn the Auto Answer settings to Do Not Disturb.

It's a workaround at least.

Message 4 of 8
YashPal
Valued Contributor

Re: Getting repetitive dial-ins from a "Cisco" machine.

What VC components do you guys have in your VC infra?

Are you guys using any firewall traversal solution? What logic says is that the dial string from which you guys are getting a call is basically supported by Cisco VC devices to get connected with a particular EP from the internet.

Also please share the software version of the EP.

BR

Yash Pal

BR
Yash
Message 5 of 8
gkern
Advisor

Re: Getting repetitive dial-ins from a "Cisco" machine.

We are not using any Firewall Traversal at my location. The calls come in at 64 kbps.

Message 6 of 8
RCS-Toronto
Occasional Advisor

Re: Getting repetitive dial-ins from a "Cisco" machine.

Glad to see we are not the only ones. Any ideas to prevent this would be appreciated.

 

Message 7 of 8