Live demo

Room System SPAM or GHOST calls

Last Updated: April 10, 2018 // 10:02 AM

H.323 and SIP Room Systems are basically IP-based connections on the public Internet. Originally, these units were built for an open Internet, before spammers and script-kiddies existed. For quite a few years stand-alone H.323 and SIP room systems have had to deal with fake SPAM and GHOST H.323 and SIP calls. SIP SPAM calls are generally more common. Some customers seem to like to point a finger at BlueJeans when they start receiving these annoying calls. But BlueJeans is not the culprit. If they have a room system connected to the Internet and are not restricting calls from any public IP addresses their room systems can receive these calls. Common videoconferencing protocols (H.323 and SIP) aren’t designed to verify that communications coming in on a videoconferencing port is a videocall before trying to answer the call. They just answer the call and assume that it’s another video system.

Most times these calls are harmless, but quite annoying, as it will dial the room system at any time. If the room system is set to "Auto-Answer" the call could actually connect. Worse yet, if the room system is set for "Auto-Answer" and has a "Multi-Site" feature (basically a software MCU) the fake caller can drop in disrupting an on-going meeting. However, most times these a like robo-calls with some script trying to find an open SIP connection for free calls. If a customer asks us about these calls, it should be pointed out that the calls are NOT coming from BlueJeans as it is a MeetMe service that does not dial out to anyone! No BlueJeans Relay is not the culprit either. These H.323 botnets and scripts dialing SIP have been around before BlueJeans was founded. They are well documented in the industry as a nuisance.  

The problem is that any H.323 or SIP room system that is exposed to the open internet is going to get probed on lots of ports, hundreds of times an hour. And even if a videoconferencing system is behind a firewall, the ports used for videoconferencing are sometimes “forwarded” to the internal network so that video calls can be received from anyone on the Internet. Getting one “phantom call” a week or even every day, may not be a big deal for some customers. However, what happens when they start getting five a minute? Well, it gets annoying very quickly – especially if you are already in a call and keep getting interrupted. Customer generally does not understand what is happening and is upset when he calls BlueJeans Support.

We can advise the customer on methods to stop these annoying calls.

NOTE: It is also a great idea for customers to make sure their room systems webUI is password protected. Only allowing the webUI to be reached from inside the network is also important for security.

1) First advice is to disable "Auto-Answer." This will not stop the SPAM calls and the room system will "still" ring, but at least the room system will not automatically answer. The customer needs to go into the room system webUI and disable the "Auto-Answer" feature. Most ALL room systems have this feature.

Polycom HDX - Admin Settings → System Settings → Auto Answer Point-to-Point Video:

    

2) Do Not Disturb setting will not only not answer automatically, but it will not ring at all for incoming calls. Basically they are ignored.

Polycom HDX - Admin Settings → System Settings → Auto Answer Point-to-Point Video:

    

Cisco Room System - Configuration → System Configuration → Conference → See AutoAnswer, DoNotDisturb and IncomingMultiSiteCall Mode settings

    

The IncomingMultiSiteCall setting this to deny will help if the Cisco Room System has the MultiSite Option installed which allows for multiple calls connected simultaneously to just a single room system (basically a software MCU).

3) Whitelist, Blacklist, Anti-Spam features

Room system makers have recognized the SPAM call problem. Some manufacturers have build some “anti-spam” features into their room systems. Below example is for a Lifesize Icon room system in a later version of the software allows for whitelist (who can call you) and blacklist (who can’t call you) systems based on IP address and domain name (see screenshot  below). It also prevents certain applications using SIP.

    

The "anti-spam" prevents the unwanted calls from calling the room system, but does not prevent the cause of unknown scripts or individuals from probing the room system.

4) Turn off the SIP protocol, if the room system is using H.323 to dial out. This generally will take care of 90% of the issues as there seems to be way more unwanted SIP traffic.

5) Turn Off SIP Listener Port

Turning off the SIP Listener Port is available via the webUI on some newer Cisco endpoints. Others maybe available via SSH into the endpoint. This will depend on the room system model and software version. For Cisco SX and EX series you can make the following change on the room system.

Cisco Room System - Configuration → System Configuration → SIP → ListenPort: Off

    
 
Some room system models and software versions you can access the room system via SSH. Customer such contact the room system maker's support if more info is needed for a particular room system.

NOTE: If you turn off SIP ListenPort, you will only be able to receive SIP calls if the room system is registered to either CUCM (Cisco Unified Call Manager) or VCS. One other work around is only open the necessary ports on your firewall, leaving 5060 UDP closed.

So far we are shown how to stop the unwanted calls at the room system. But the best suggestion is to do it at the Firewall. Most customers have their room systems sitting behind a firewall. So using the firewall for protection is the most sensible.

6) Firewall Prevention of port scans and unwanted SPAM and GHOST calls.

Block ALL Internet addresses from reaching the room system. Then allow only the addresses or domains that you wish to be able to call your system. This method works best, but note if the room system is expected to receive ad hoc incoming calls the firewall will have to be configured to allow these calls first. If the room system is used with BlueJeans and will only be dialing out this may be a great solution and the best for security.

NOTE: Alternatively, you can set the firewall to allow everyone by default but block a list of “bad addresses” that are known to be used by hackers.

7) SBC (Session Border Controller) like VBP (Video Border Proxy), Cisco VCS-Expressway can help. Putting the room system behind a firewall and using a firewall transversal device that tunnels your video calls through the firewall so that you don’t have to open ports can give more control to manage room systems. Most SBC like the VBP and VCS have been updated to combat the call SPAM problem.