https://supportforums.cisco.com/discussion/11865446/lot-calls-numbers-100-and-101-looks-self-calls https://tools.cisco.com/bugsearch/bug/CSCue55239 SIP : Ghost call. SIP Port scanned from outside.
CSCue55239
Description
Symptom
Ghost call. It appears that the codec is calling itself automatically. Placing a codec on a public IP will cause calls from SIP scanners. These scanners (e.g. SipVicious) are used to detect possibilities for exploiting PSTN trunks. Solution is upgrade to TC6.2.0 or later and execute the following configurations:
xConfiguration SIP ListenPort: Off
xConfiguration SIP Profile 1 Outbound: On
Condition
The system is on public IP or reachable from the outside and not protected well enough. This makes it possible to initiate SIP calls over direct IP.
Workaround
Make sure the system is well protected and that it is placed in DMZ if you need to have it on public IP. It is possible to only allow calls from the VCS by disabling the listenport on 5060/5061, but then SIP outbound needs to be enabled so that the VCS can reach the endpoint.
xConfiguration SIP ListenPort: Off
xConfiguration SIP Profile 1 Outbound: On
An other option is if you do not need SIP disable that as most of these scans are just SIP/UDP.
You can try to block sip udp in the firewall thats a good start to block most of the unwanted calls. ( SIP messages - Port 5060 - UDP )
you should anyhow place the system behind(and as well only allow whas needed and block for example the management and system internal ports) a firewall
and use a call control like vcs, cucm, ...
You can disable SIP, use H323
H323 GHOST CALL:
It has come to our attention that numerous Videoconference (VC) systems have been receiving nuisance spam calls from a source system ID ‘Cisco’.
This new type of attack is getting initiated from a special tool installed on cloud hosted servers, and is automated to scan a random list of IP addresses on the H.323 VC protocol.
The spam calls show clear and real source IP address, and use the standard network port and VC protocol, similar to any legitimate call, which makes it difficult for the VC system to identify and block it.
The main four video conferencing venders (Cisco, Polycom, Lifesize and Avaya) are aware about this issue and are investigating it. We will provide an update once we get any further information.
Meanwhile, you can take one or more of the below actions to avoid nuisance calls:
1. Deploy a Traversal server (Videoconference Firewall) on your network to protect your system
2. Configure your firewall to block the source IP addresses (if known)
3. Disable the ‘Auto Answer’ option on your system when you don’t need it
4. Enable ‘Do Not Disturb’ (if it is supported by your system) when you are not expecting any inbound call / additional participant joining a Multiway conference
For reference:
http://www.videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/ To find the call history: WEB interface >> log files >> call_history.log
5. How to configure an endpoint so that I am not disturbed by incoming calls when I′m already in a call:
You need to configure this by enabling the MultiSite feature.
1. Enter the IP address of your codec on a web browser.
2. Select Configurations and Advanced Configurations.
3. Select Conference 1 from the menu on the left.
4. In the scroll down menu for IncomingMultisiteCall Mode select Deny.
This will also apply to systems without Multisite installed and you do not get an incoming telephone call when you are already in a call.
This can be configured on the below mention product models -
Cisco TelePresence SX20 Quick Set
Cisco TelePresence Codec C20
Cisco TelePresence Codec C40
Cisco TelePresence Codec C60
Cisco TelePresence Codec C90
Cisco TelePresence MX200
Cisco TelePresence MX300
Cisco TelePresence EX60
Cisco TelePresence EX90