Solved: Getting repetitive dial-ins from a "Cisco" machine. - HP Support Community

Anonymous · ‎10-29-2014

Greetings,

We seem to be encountering a problem for a few days that is not only affecting our units but our client's units.

We are getting multiple calls from a "Cisco" machine in this format;

cisco@10.10.10.10 (The ip is just an example, as it changes each time).

Has anyone had this experience? And if so, how did you solve it?

Thanks in advance

MikeB39 · ‎10-31-2014

These aren't sip calls, they are H.323.calls. It is a toll fraud autodialer program that is searching for IP phones to make free long distance calls. When it hits an H.323 multipoint device it will try to do a dial out from that device. Every example I have seen so far has shown that the dial outs are destined to the UK (all the numbers start with 044 or 0044).

If you have a codec on the public Internet you should turn off auto-answer. If you have a codec on the public Internet you shouldn't have auto-answer on anyway.

If you have a VBP fronting your network you can set up a Drop on WAN prefix rule that will kill those connection. If you have an RPAD you could set up an ACL where you filter out H.323 IDs that contain "cisco".

View solution in original post

Anonymous · ‎10-29-2014

Hi there,
This happened today with us (Sao Paulo - Brazil). When I got into our videoconference room I noticed that there were more than a hundred lost calls. I checked with the technician team and told me it happened on Monday also and they included some ip's into the black list but this is happening with many differente ip's always related to Cisco (see below).

Has anyone a reasonable explanation to this?

162.243.223.37

85.236.48.60

68.235.34.138

27.251.106.77

83.16.211.90

62.99.76.47

82.188.213.26

217.11.187.222

74.95.24.49

27.251.150.44

202.215.5.237

54.225.86.175

Regards,

Fabio

Anonymous · ‎10-29-2014

It's most likely a SIP scan attack for the purpose of intended toll fraud.

Anonymous · ‎10-30-2014

We've had the same problem. We've disabled SIP on our units and the problem still happens. We once in a call we turn the Auto Answer settings to Do Not Distrurb.

It's work around at least.

Anonymous · ‎10-31-2014

what VC components do you guys have in your VC infra.

are you guys using any Firewall traversal solution, what logic is says the dial string from which you guys geeting a call is basically support by cisco VC devices to get connect with particuular EP from internet.

Also please share software version of EP

BR

Yash Pal

Anonymous · ‎10-31-2014

We are not using any at Firewall Tranversal my location. The calls come in at 64kpbs.

Anonymous · ‎10-31-2014

Glad to see we are not the only ones. Any ideas to prevent this would be appreciated.

MikeB39 · ‎10-31-2014

These aren't sip calls, they are H.323.calls. It is a toll fraud autodialer program that is searching for IP phones to make free long distance calls. When it hits an H.323 multipoint device it will try to do a dial out from that device. Every example I have seen so far has shown that the dial outs are destined to the UK (all the numbers start with 044 or 0044).

If you have a codec on the public Internet you should turn off auto-answer. If you have a codec on the public Internet you shouldn't have auto-answer on anyway.

If you have a VBP fronting your network you can set up a Drop on WAN prefix rule that will kill those connection. If you have an RPAD you could set up an ACL where you filter out H.323 IDs that contain "cisco".

Getting repetitive dial-ins from a "Cisco" machine.

Create an account on the HP Community to personalize your profile and ask a question