For those of you who open their Cisco CUBE to 0.0.0.0 0.0.0.0 or issue the no ip address trusted list command, hopefully this may change your mind.
If you have an internet facing Cisco Unified Border Element (CUBE), as of Cisco IOS 15.1(2)T, the IP Address Trusted List was introduced to minimize Toll Fraud. While a pain point for many engineers at first, it has become quite handy.
I have seen the list in action before, but mainly configuration “by accident” where the carrier did not have the correct registrar IP address on the customer order. This is the first time I have seen an attempt across my equipment and it is a simple reminder how insecure the Internet truly is.
Below is a debug ccsip messages exert that shows the Toll Fraud prevention mechanisms being invoked by the IP Address Trusted List. Hint: 195.154.181.21 is not part of my list.
Border-RTR#SIP/2.0 503 Service Unavailable Via: SIP/2.0/UDP 195.154.181.21:5080;branch=z9hG4bK-c0a10099d1bc8f2aa7ef3182ffc78dc3;rport From: 1000<sip:1000@24.210.138.70>;tag=4dcce9ec To: 777011972597751891<sip:777011972597751891@24.210.138.70>;tag=6458FF4-249E Date: Tue, 13 May 2014 04:46:37 GMT Call-ID: c0a10099d1bc8f2aa7ef3182ffc78dc3 CSeq: 1 INVITE Allow-Events: kpml, telephone-event Server: Cisco-SIPGateway/IOS-15.3.3.M Reason: Q.850;cause=87 Content-Length: 0 007121: May 13 00:46:38.410 EDT: //1532/67125B538142/SIP/Msg/ccsipDisplayMsg: Sent:
A cool link found while looking into the number was the networksystemssolutions.info VOIP Block list. While the IP address of the fraudulent call was not on this list, the phone number attempted was. Better luck at the next scanned IP.