From: Nick Matthews (matthn@gmail.com)
Date: Sat Aug 16 2008 - 14:03:16 ART
There are a few things you should know about both your CCM and your gateway
in terms of toll-fraud:

Your gateway if it is running H323:
Will listen and process H225 Setups from any interface received, whether or
not you have a bind command configured. Meaning, if you have a
public IP address, and a voip dial peer configured, somebody can send an
H225 setup over the internet with a number like '011<russiannumber> or
9011<cuban number>' and it's possible for your gateway's dial peer to then
match the outgoing pots (PRI) dial peer.

If your gateway is running SIP:
It will listen and process SIP INVITES from every interface. If you have a
SIP bind command, it will only listen on those interfaces. This is much
more common toll fraud, as SIP is much more easily crafted by hand for
hackers than H225 SETUPs. This was changed in most of 12.4 mainline and T
code with this advisory / bug
http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml#@ID ,
CSCsb25337. After the releases in this bug, you will not experience this
unless you have SIP configured. (In your case you are still vulnerable to
this because you have 'allow h323-sip', which doesn't appear to be doing
anything because you don't have any SIP dial peers.) Your config doesn't
have the IOS version, but I see it's 12.3, so you're affected by this.

For your CCM:
You will want to check the transferring/forwarding Calling Search Space to
not allow for your Autoattendant / Voicemail to transfer to international
(or long distance if you so choose) numbers.

Things you can do to prevent toll fraud:
1) Block TCP 1720 incoming connections on your public IP addresses on all
gateways
2) Block TCP/UDP 5060 incoming connections on all your public IP addresses
on gateways (unless you're doing calls over the internet, which you will
want to look into what Frog has suggested with dial peers and translation
patterns)
3) Check your CSS on CCM to see if it allows transferred calls from the
autoattendant/voicemail to go international.

HTH,
Nick

On Thu, Aug 14, 2008 at 8:13 PM, Radioactive Frog <pbhatkoti@gmail.com> wrote:
> Hi there,
> It seems this is the real live case of 'Toll Fraud'. The config you've sent
> is H323 gateway and perhaps this gateway is added in CCM4.x.
>
> To avoid this, make sure
>
> On CCM
> -------------
> 1. in service parameter, set offnet-to-offnet parameter to false
> 2. create a partition and put that partition in a CSS [name it toll-fraud]
> 3. assign CSS-toll-fraud css to all phones under line option in
> call-forward, busy VM etc.
> 4. Mark all CCM route patterns to Offnet for all patterns which are going
> to PSTN. e.g. 911 or 011 intl or whatever.
> 5. If there is unity server involved, make sure you mask the call-forward
> options [assign css_toll-fraud on that] on all ccm to unity ports.
>
>
> On CME:
> ------------
> 1. Send the config and scenario, then based on that you may need to mask the
> call-forward and call-transfer patterns.
>
>
> -Frog
> CCIE voice#21569
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
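
An added example, not part of the original thread: a small Python audit for steps 1 and 2 in Nick's list, reporting which publicly addressed interfaces in an IOS config lack an inbound ACL denying TCP 1720 and TCP/UDP 5060. The function name `audit`, the ACL name and the sample config are constructed for illustration, and the parser assumes entries of the exact form `deny <proto> any any eq <port>` with numeric ports and ignores entry ordering within the ACL.

```python
import ipaddress
import re

# Constructed sample config; documentation addresses stand in for public IPs.
SAMPLE = """\
interface FastEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 ip access-group INTERNET-IN in
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
!
ip access-list extended INTERNET-IN
 deny tcp any any eq 1720
 deny tcp any any eq 5060
 permit ip any any
"""

# ipaddress.is_private also covers documentation ranges, so list RFC 1918 explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REQUIRED = {("tcp", "1720"), ("tcp", "5060"), ("udp", "5060")}  # H.225 and SIP ports

def audit(config):
    """Map each publicly addressed interface to the signalling denies it lacks."""
    acls, ifaces, kind, cur = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command opens a new section
            kind, cur = None, None
            if m := re.match(r"ip access-list extended (\S+)", line):
                kind, cur = "acl", acls.setdefault(m.group(1), set())
            elif m := re.match(r"interface (\S+)", line):
                kind, cur = "if", ifaces.setdefault(m.group(1), {"ip": None, "acl": None})
        elif kind == "acl" and (m := re.match(r"deny (tcp|udp) any any eq (\d+)$", line)):
            cur.add((m.group(1), m.group(2)))
        elif kind == "if" and (m := re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", line)):
            cur["ip"] = ipaddress.ip_address(m.group(1))
        elif kind == "if" and (m := re.match(r"ip access-group (\S+) in$", line)):
            cur["acl"] = m.group(1)
    findings = {}
    for name, iface in ifaces.items():
        if iface["ip"] is None or any(iface["ip"] in net for net in RFC1918):
            continue  # unaddressed or private interface: outside steps 1 and 2
        if missing := REQUIRED - acls.get(iface["acl"], set()):
            findings[name] = sorted(missing)
    return findings
```

On the sample, `audit(SAMPLE)` flags FastEthernet0/0 for the missing UDP 5060 deny and Serial0/0 for having no inbound ACL at all; the 10.1.1.1 interface is skipped.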
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:31 ART