Thank You Cisco CUBE IP Address Trusted List

For those of you who open their Cisco CUBE to or issue the no ip address trusted list command, hopefully this may change your mind.

If you have an internet facing Cisco Unified Border Element (CUBE), as of Cisco IOS 15.1(2)T, the IP Address Trusted List was introduced to minimize Toll Fraud.  While a pain point for many engineers at first, it has become quite handy.

I have seen the list in action before, but mainly configuration “by accident” where the carrier did not have the correct registrar IP address on the customer order.  This is the first time I have seen an attempt across my equipment and it is a simple reminder how insecure the Internet truly is.

Below is a debug ccsip messages exert that shows the Toll Fraud prevention mechanisms being invoked by the IP Address Trusted List.  Hint: is not part of my list.

Border-RTR#SIP/2.0 503 Service Unavailable
Via: SIP/2.0/UDP;branch=z9hG4bK-c0a10099d1bc8f2aa7ef3182ffc78dc3;rport
From: 1000<sip:1000@>;tag=4dcce9ec
To: 777011972597751891<sip:777011972597751891@>;tag=6458FF4-249E
Date: Tue, 13 May 2014 04:46:37 GMT
Call-ID: c0a10099d1bc8f2aa7ef3182ffc78dc3
Allow-Events: kpml, telephone-event
Server: Cisco-SIPGateway/IOS-15.3.3.M
Reason: Q.850;cause=87
Content-Length: 0

007121: May 13 00:46:38.410 EDT: //1532/67125B538142/SIP/Msg/ccsipDisplayMsg:

A cool link found while looking into the number was the VOIP Block list.  While the IP address of the fraudulent call was not on this list, the phone number attempted was.  Better luck at the next scanned IP.


Leave a Reply

Your email address will not be published. Required fields are marked *