April 14, 2010
Posted by on
There have never been so many SIP scannings in so short time for all my VoIP honeypots.They have tried all types, INVITES, REGISTER, SUBSCRIBES and OPTIONS. A short list of some of the attackes latest 48 hours. Normally just doing a couple hundred extensions and passwords, some of these IPs trying up to 10 000 different extensions/passwords.
IP addresses [User-agent] Provider
220.127.116.11 [First SIPVicious, then SIPPER for PhonerLite]
18.104.22.168 [SIPVicious] Amazone EC2
So keep your systems ready for the flood to come! This is just the start.