Why does Cisco keep calling my Video Conference system?

You turn on the screen for your video conferencing system and you see dozens of calls all from “cisco” and wondering “What The Freak!!” Now before picking up the phone and trying to reach John Chambers at his unlisted back office line, it’s really NOT Cisco making these calls. It’s a tool some script kiddie wannabe hacker has released that allows miscreants to wardial H.323 video conference systems. This has gone on for some time with SIP based video conference systems and now it has hit H.323.question-mark

Whoa! You say – what’s wardial? or rather WarDial? Remember the movie WarGames¬†where teenage hacker David Lightman uses his computer to dial all the possible phone numbers in the Sunnyvale, California exchanges looking for a computer game company? That was wardialing. Back in 1983 this was quite doable as Sunnyvale probably had 10 exchanges assigned to it by Pacific Bell (remember them? Just before the divestiture of Ma Bell in 1984). Nowadays I think Sunnyvale alone has its own area code.

What these miscreants are doing with this H.323 wardialing application is sending out TCP packets on port 1720, starting in the class A IP addresses and going all the way through the end of the Class C’s looking for responding video conference systems. The origins of the traffic is worldwide. Several websites have popped up with a “blacklist” of originating IP ranges of this wardialing traffic, though as our colleage McKay has found using an IP blacklist on a router or firewall to stop these wardialers is like playing Whack-A-Mole.

Now wait a minute, I have some Vidyo video conference systems or I subscribe to IDVideoPhone and I’m not getting these wardialing calls. That’s correct. Vidyo does not use H.323 except for VidyoGateway. The video conference endpoints do not respond on port TCP/1720. Vidyo is a client-server architecture where the endpoints are joined to a master server (the VidyoPortal) and receive all commands from the VidyoPortal. The VidyoPortal only accepts calls from registered users of its system or if using IPC is permitted, registered users of another VidyoPortal. The VidyoGateway does answer calls on TCP/1720 for H.323, and it would answer with the Interactive Video Response (IVR) built into the VidyoGateway. However accessing the IVR doesn’t allow the caller access to an endpoint without knowing its proper extension. Theoretically it is possible to create a Denial of Service (DoS) on the IVR but it would require dozens of simultaneous TCP/1720 calls to do so. Something so far these script kiddies have not shown an interest in doing.

So how can I stop these annoying calls from “cisco” on my H.323 video conference system? You have a few options:

  1. Place your H.323 systems behind your firewall, and only allow outbound dialing
    1. Though this is quite secure, it also limits your video conference capability. Imagine if every business with video conference did this – that would be like everyone having phones that only called out.
  2. Place your H.323 systems behind the firewall, NAT, and have an IP blocklist
    1. Blocking solely on an IP blacklist is nothing more than Whack-A-Mole
    2. Implementing a whitelist of known IP addresses you expect to receive video conference calls and end the list with a “deny all” is doable but requires management by your IT department and may not be flexible with last minute video meetings.
  3. Register your H.323 systems with a gatekeeper and deny non-gatekeeper calls
    1. This is the better of the solutions so far – of course now your IT department must now maintain a separate piece of infrastructure for registering video endpoints
    2. If you don’t already have an E.164 dial plan, you’ll need to establish one
    3. This will add a bit of complexity to external callers trying to contact your video conference system – dial the gatekeeper then your endpoint’s extension
    4. So what if you have only one or two video conference endpoints? Do I buy a gatekeeper just for those? Not unless you really want to – there are IDSolutions cloud based solutions available.
  4. If you are a Lifesize customer with recent model endpoints such as Icon – you can subscribe to Lifesize Cloud, or implement UVC with ClearSea to serve as a gatekeeper
    1. IDS Infinity service offers a cloud based Lifesize UVC infrastructure that customers who do not wish to maintain their own infrastructure can have IDSolutions maintain it for them
  5. Switch out your H.323 based video conference systems for a Vidyo based conference solution.
    1. If you are nearing EOL/EOS on older Tandberg/Cisco or Polycom VSX systems this might a better investment than continuing maintenance on older infrastructure or endpoints

This script kiddie problem will not ever go away. It is here to stay. Unfortunately the days of unboxing a video conference system, assigning an IP address, and placing video calls are going away rapidly. Video conference systems going forward requires expertise in planning and deployment not only endpoints but also infrastructure. That’s where the experts at IDSolutions go to work. Contact one of our sales reps for more.

EDIT: Lifesize added anti-wardialing options to the 220 series of codecs. You can filter by items such as codec manufacturer, or establish a good list of “good” IP addresses while banning others.