The problem


“My videoconferencing system keeps ringing !”

One day I was in the conference room checking some emails. The video system was turned on and it was in standby mode.

At some point I heard it ringing… there was an incoming call ! I knew the schedule and there was no booking at this time.

The incoming call on the screen showed a funny international number and it also showed the identification text of the caller (the site name setting in some systems) that was simply “Zap” !

I instantly knew what was going on. I expected that this incoming call would stop and another one would start. And it did. And it kept going on.


The cause of the problem


The cause of the problem, put simply, is hackers. Hackers tend to scan the Internet to find services such as Video or VoIP. They usually identify an open 5060 port as a VoIP port. They also scan for the H.323 call setup port which is TCP 1720. Their purpose is to find a way to make a free phonecall. To do this, they must “call in” your VoIP network through your SIP server or H.323 Gatekeeper and then “call out” of your network using the ISDN/PSTN by dialing a phone number.

The way they try to do it is by using automated dialing software. After this software identifies the available services listening on your public IP addresses, it starts dialing consecutive numbers, in an effort to guess gateway dialing patterns.


The impact


The impact of this issue is important to the company experiencing the hacking attempt.

Although you may think that the most important issue is the danger of getting charged for calls you never made, this is actually number 2 in the list! Yes, if the software succeeds in finding a way to dial, then you may be charged for calls to French Polynesia. But this rarely succeeds and needs a very long time ringing the system.

The biggest impact is the disruption of your service and user nuisance. The system keeps ringing and people cannot have a meeting !

The network can be configured in such a way that video systems cannot dial an outside line. You can do this using rules and ACLs at the application layer level, usually in the H.323 Gatekeeper or SIP server. Assuming that you have made this configuration, you are safe and these calls cannot be made. But the hacking software does not know this ! As long as your public address is discovered with a listening VoIP service, the hacking software will continue dialing. It may rotate between your system and other systems that it discovered on the internet. It will definitely come back to your system and each time it will ring for long periods of time, such as 30 minutes, 1 hour or so.

You are safe from being charged, but you cannot have a video call ! The system keeps ringing ! You are in the middle of a video connection and it keeps annoying and distracting the users  !

Solution 1 : No incoming calls


Some businesses choose to interpret security as “no incoming video calls”. This solves the issue of incoming nuisance calls but at a very high cost. I see this solution as a bad quick fix, or rather as the absence of a solid security plan for the company’s communications.

I have to mention it since it does exist in the industry, but I do not recommend it for the reason that this solution restricts communication. It is like restricting your mobile phone to only dial-out. You have blocked all incoming calls. People cannot call you. Would you ever do that ?


Solution 2 : Firewall with IP whitelist


To stop unwanted incoming calls, you could use the firewall’s IP whitelist. This is a list which contains specific IP addresses that are allowed by the firewall. These would be your company’s branches, an associate’s IP address etc. But these have to be specified one by one.

If someone needs to call in to your system, you have to inform the firewall administrator and provide the IP address of the remote system. The firewall administrator will enable the IP address in the whitelist and your communication will be successful. After the call, the administrator has to disable this address again.

All this is administrative overhead and if your video calls are very few and important, such as one call every two months, then this could work. But if you are looking into enabling your company’s communications and cutting down costs, then you’re in trouble. Imagine 10 calls a week and people trying to get the remote IP addresses of every single third party, asking the firewall admins to include them in the whitelist, remove them after the call and all this all over again next week. The administrative work becomes unmanageable, unfair for the administrators and most of all it impedes the user’s ability to communicate.

If we continue the previous example with the mobile phone, now you have allowed people to call you but only if they arrange it with you by sending you an email to give you their number. You then give the number to your telephony administrator to include it in the allowed numbers.

This is often a preferred solution by firewall administrators, because it preserves their control over the network and guarantees security. Although a better solution than solution 1, it still does not fully enable video communications for the business. The firewall administrators usually feel safe that there is no way an unauthorized call can take place. Still, there is a significant violation of an important security rule by the firewall administrators themselves: You have exposed a network system out in the open ! On the public internet ! (Remember this article is about your video system ringing, i.e. we start with the assumption that it is out on the public internet). You protect all computers and servers, hidden away from the public IPs, in internal private networks. You sometimes have two NAT processes in place… but you put the Video system out in the open …!

Solution 3 : Session Border Controller


This is the best and most complete solution. A video Session Border Controller is a device that is made to solve several problems with video calls traversing the boundary of a network. This device can help with malicious and nuisance calls as they were described above because SBCs usually have options to filter out the wanted dial-in numbers from unwanted numbers.

Nuisance calls are usually probing calls that try several hundreds of sequential numbers per minute and this is not something that an ordinary (even expensive) firewall can pick up because this process takes place in the application layer (SIP or H.323). An SBC works in the application layer and can use ACLs and Regular Expressions to distinguish legitimate dial-in numbers from unwanted random numbers.

If your infrastructure involves many systems and a corporate level of service, it is by far recommended to use an SBC and solve this problem which has become worse the last few years.

Incoming nuisance calls from hackers can be very frustrating, can cause unexpected phone bills and derail the video infrastructure. If you take the necessary steps to mitigate the issues, then your business will receive the benefits of conferencing and move forward… while others will be struggling to have a video call, constantly hearing the incoming call ringing tone !


Dennis Zervas

Certified Video Engineer