帮顶贴，哪位专家来帮忙解答下：）

怀疑是SIP scanner造成的：
https://tools.cisco.com/bugsearch/bug/CSCue55239/?reffering_site=dumpcr：
命令行打开以下命令试试看：
xConfiguration SIP ListenPort: Off
xConfiguration SIP Profile 1 Outbound: On
Symptom
Ghost call. It appears that the codec is calling itself automatically. Placing a codec on a public IP will cause calls from SIP scanners. These scanners (e.g. SipVicious) are used to detect possibilities for exploiting PSTN trunks. Solution is upgrade to TC6.2.0 or later and execute the following configurations:
xConfiguration SIP ListenPort: Off
xConfiguration SIP Profile 1 Outbound: On
Condition
The system is on public IP or reachable from the outside and not protected well enough. This makes it possible to initiate SIP calls over direct IP.
Workaround
Make sure the system is well protected and that it is placed in DMZ if you need to have it on public IP. It is possible to only allow calls from the VCS by disabling the listenport on 5060/5061, but then SIP outbound needs to be enabled so that the VCS can reach the endpoint.
xConfiguration SIP ListenPort: Off
xConfiguration SIP Profile 1 Outbound: On

zhaowang 发表于 2015-1-15 13:58
怀疑是SIP scanner造成的：
https://tools.cisco.com/bugsearch/bug/CSCue55239/?reffering_site=dumpcr： ...

这个我试过，没有用的！还是会有同样问题！

应该能解决大部分吧，楼主看看这个办法有用不~

您好，不知您的问题是否已经得到满意答复，如果是请您选择“已解决”，感谢您的支持~~~

您好，以下是关于视频终端GHOST CALL产生原因以及避免手段的总结：
包括SIP和H323的GHOST CALL
视频终端配置公网IP将会被端口扫描工具搜索到，这是接收到GHOST CALL的根本原因

SIP : Ghost call. SIP Port scanned from outside.

CSCue55239

Symptom
Ghost call. It appears that the codec is calling itself automatically. Placing a codec on a public IP will cause calls from SIP scanners. These scanners (e.g. SipVicious) are used to detect possibilities for exploiting PSTN trunks. Solution is upgrade to TC6.2.0 or later and execute the following configurations:
xConfiguration SIP ListenPort: Off
xConfiguration SIP Profile 1 Outbound: On
Condition
The system is on public IP or reachable from the outside and not protected well enough. This makes it possible to initiate SIP calls over direct IP.
Workaround
Make sure the system is well protected and that it is placed in DMZ if you need to have it on public IP. It is possible to only allow calls from the VCS by disabling the listenport on 5060/5061, but then SIP outbound needs to be enabled so that the VCS can reach the endpoint.
xConfiguration SIP ListenPort: Off
xConfiguration SIP Profile 1 Outbound: On

An other option is if you do not need SIP disable that as most of these scans are just SIP/UDP.

You can try to block sip udp in the firewall thats a good start to block most of the unwanted calls.

you should anyhow place the system behind(and as well only allow whas needed and block for example the management and system internal ports) a firewall

and use a call control like vcs, cucm, ...

You can disable SIP, use H323

H323 GHOST CALL:

It has come to our attention that numerous Videoconference (VC) systems have been receiving nuisance spam calls from a source system ID ‘Cisco’.

This new type of attack is getting initiated from a special tool installed on cloud hosted servers, and is automated to scan a random list of IP addresses on the H.323 VC protocol.

The spam calls show clear and real source IP address, and use the standard network port and VC protocol, similar to any legitimate call, which makes it difficult for the VC system to identify and block it.

The main four video conferencing venders (Cisco, Polycom, Lifesize and Avaya) are aware about this issue and are investigating it. We will provide an update once we get any further information.

Meanwhile, you can take one or more of the below actions to avoid nuisance calls:

1. Deploy a Traversal server (Videoconference Firewall) on your network to protect your system

2. Configure your firewall to block the source IP addresses (if known)

3. Disable the ‘Auto Answer’ option on your system when you don’t need it

4. Enable ‘Do Not Disturb’ (if it is supported by your system) when you are not expecting any inbound call / additional participant joining a Multiway conference

For reference:

http://www.videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/

To find the call history: WEB interface >> log files >> call_history.log

5. How to configure an endpoint so that I am not disturbed by incoming calls when I′m already in a call:

You need to configure this by enabling the MultiSite feature.

1. Enter the IP address of your codec on a web browser.

2. Select Configurations and Advanced Configurations.

3. Select Conference 1 from the menu on the left.

4. In the scroll down menu for IncomingMultisiteCall Mode select Deny.

This will also apply to systems without Multisite installed and you do not get an incoming telephone call when you are already in a call.

This can be configured on the below mention product models -

Cisco TelePresence SX20 Quick Set

Cisco TelePresence Codec C20

Cisco TelePresence Codec C40

Cisco TelePresence Codec C60

Cisco TelePresence Codec C90

Cisco TelePresence MX200

Cisco TelePresence MX300

Cisco TelePresence EX60

Cisco TelePresence EX90

这个是电信运营商的SIP扫描攻击, SX终端入会后建议立即设置"免打扰",开完会议后随即关机. 如有条件,还是要把视频会议终端放在防火墙后面.