SIP Spamming - are you getting Hoax VC calls?
Last Updated: 28/08/2014
"SIP Spamming" These
SIP Spam calls originate from computers which are run by individuals who are
actually looking for VOIP phone systems. These computers try to connect to
hundreds and thousands of systems all the time, and try to trick them in to
letting them connect as if they were an extension on the phone system. Their
intended target is VOIP PBX's rather than for video conferencing system, it's
just that both VOIP phone systems and video systems can talk on the internet
using the same method called SIP. This is an industry wide issue that affects
all manufacturers who use the standards-based SIP protocol.
During SIP Spamming, these computers try to connect to hundreds and thousands of systems all the time, and try to trick them in to letting them connect as if they were an extension on the phone system, so that they can make normal, chargeable, phone calls. The people running the scheme can then sell on this knowledge or use it themselves to make phone calls at the expense of the company's phone system they've hacked. As you have seen, you often get several of these nuisance calls in a row as they try different methods of tricking the phone system that they're trying to connect to. Please note, video conferencing systems are a dead end for what these people are trying to do.
In the short term, the quickest way to stop these SIP Spam calls from happening is to disable SIP. In the LifeSize endpoint, just navigate to Administrator Preferences > Communications > SIP and set "SIP" to "Disabled" and the LifeSize endpoint will solely use the (default) H.323 calling protocol. If you have no need to use the SIP protocol, then this can also be the long term solution.
However, if you need to use the SIP protocol then you will need to take action at the firewall. Examples where you may need to have SIP enabled are if you have LifeSize Desktop clients, use SIP to register to a VOIP PBX phone system, or have third party systems which can only use SIP and not H.323. If you use SIP solely to connect to a phone system, then you should be able to block SIP at the firewall effectively, as in this scenario the LifeSize video systems only need to be able to talk SIP to the PBX and can use H.323 for video calls. If you need SIP to be open from the internet to the endpoint, your options are a little more technical. One suggestions is to implement some sort of whitelist or blacklist solution on the firewall. This would have to be of your own design. Whitelisting will be easier, the IT admin blocks SIP at the firewall except for known-good IP addresses. Blacklisting is a little more involved as it will be an ongoing maintenance issue. The IT admin looks at his firewall logs after an attack, and blocks the IP address that the attack originated from for a period of time.