H.323 ‘Cisco’ Spam Calls Alert – Latest Update 01/06/2015

It has come to our attention that numerous Videoconference (VC) systems have been receiving nuisance spam calls from a source system ID ‘Cisco’.

This new type of attack is initiated by a special tool installed on cloud-hosted servers, which automatically scans a random list of IP addresses using the H.323 VC protocol.

The spam calls show a clear, real source IP address and use the standard network port and VC protocol, just like any legitimate call, which makes it difficult for the VC system to identify and block them.

The four main video conferencing vendors (Cisco, Polycom, Lifesize and Avaya) are aware of this issue and are investigating it. We will provide an update once we get any further information.

Meanwhile, you can take one or more of the actions below to avoid nuisance calls:

    • Deploy a Traversal server (Videoconference Firewall) on your network to protect your system
    • Configure your firewall to block the source IP addresses (if known) – Please see below
    • Disable the ‘Auto Answer’ option on your system when you don’t need it
    • Enable ‘Do Not Disturb’ (if it is supported by your system) when you are not expecting any inbound call / additional participant joining a Multiway conference

 

Latest Update: (01/06/15)

Further to the previous updates regarding the Lifesize AntiSpam mechanism, Lifesize has released the software revision ‘LS_RM3_2.4.0’.

Videonations has been testing it for the last few weeks, and we can confirm that it has successfully stopped all VC spam calls.

If you need further assistance, call our support team directly on +44 0161 926 3050.

 

Update: (29/04/15)

Lifesize has already updated Lifesize-Cloud firmware with a new software revision that includes an AntiSpam feature. This feature is expected to be included in the next software revision of Lifesize Icon, LS_RM3_2.4.0. The AntiSpam mechanism is based on a Whitelist/Blacklist that filters source IP addresses and domains on both H.323 and SIP protocols.

In addition, the SIP Whitelist and Blacklist can filter SIP users/agents, and the H.323 Whitelist can filter H.323 IDs (Vendor ID Filtering) and H.323 Extensions, and it can check the dialled digits.

Our investigation shows that the “Cisco” H.323 spam calls are generated from an open source PBX platform called Asterisk; filtering vendor IDs could therefore successfully block them.
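The layered filtering described above can be modelled as follows. This is an added example, not Lifesize or Videonations code; the `InboundCall` fields, the order of the checks, the addresses (documentation ranges) and the vendor strings are all constructed assumptions. It shows why a vendor ID whitelist still rejects a spam call from a source address that is not yet on any blacklist.

```python
import ipaddress
from typing import NamedTuple

class InboundCall(NamedTuple):
    src_ip: str      # source address of the signalling connection
    display_id: str  # source system ID shown on the called endpoint
    vendor_id: str   # vendor/product identifier announced by the caller
    dialled: str     # dialled digits / extension

# Constructed policy: documentation address ranges and made-up identifiers.
IP_BLACKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.37/32", "198.51.100.0/24")]
VENDOR_WHITELIST = {"examplevc room 220", "examplevc desktop"}
KNOWN_EXTENSIONS = {"1001", "1002"}

def admit(call):
    """Return (allowed, reason); the first failing check decides."""
    try:
        src = ipaddress.ip_address(call.src_ip)
    except ValueError:
        return False, "malformed source address"
    if any(src in net for net in IP_BLACKLIST):
        return False, "source IP blacklisted"
    # Whitelisting the announced vendor ID does not depend on having seen the
    # source address before, unlike the IP blacklist above.
    if call.vendor_id.strip().lower() not in VENDOR_WHITELIST:
        return False, "vendor ID not whitelisted"
    if call.dialled not in KNOWN_EXTENSIONS:
        return False, "dialled digits not a known extension"
    return True, "ok"

# Constructed sample calls, not taken from real traffic.
SAMPLE_CALLS = [
    InboundCall("203.0.113.37", "Cisco", "ExamplePBX", "1001"),
    InboundCall("192.0.2.50", "Cisco", "ExamplePBX", "1001"),
    InboundCall("192.0.2.10", "Boardroom", "ExampleVC Room 220", "1001"),
    InboundCall("192.0.2.11", "Boardroom", "ExampleVC Room 220", "9999"),
]

def screen(calls):
    """Apply admit() to each call and return (src_ip, allowed, reason) rows."""
    return [(c.src_ip, *admit(c)) for c in calls]

if __name__ == "__main__":
    for row in screen(SAMPLE_CALLS):
        print(row)
```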

 

 

Additional IP Address Blacklist: (09/04/15)


 

Additional IP Address Blacklist: (21/01/15)


 

IP Address Blacklist: (06/11/14)
