Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

Using botnets to do SIP scanning

The lastest week there has been a tremendous SIP scanning from IPs all over the world latest week. The scannings are coming from a lot of IPs but the same signature, so it is probably only one person/firm behind this.

The scanning is this:

OPTIONS sip:100@X.X.X.X SIP/2.0
Via: SIP/2.0/UDP;branch=

Content-Length: 0
From: “sipsscuser”<sip:100@>; tag=01669016334862887007103185718785156498385702949

Accept: application/sdp
User-Agent: sundayddr
To: “sipssc”<sip:100@>
Contact: sip:100@
Call-ID: 022827170099429274868738305
Max-Forwards: 70
The lay-out of the OPTIONS messages is the same as in SIPVicious scannings, so the author has taken this python code and just changed the User-Agent.
And this is just the beginning….

6 responses to “Using botnets to do SIP scanning

  1. Pingback: Blog SegInfo – Segurança da Informação – Tecnologia – Notícias, Artigos e Novidades » Blog Archive » Usando botnets para escanear tráfego SIP

  2. Wim Holemans July 12, 2010 at 9:26 pm

    I can second this. Our network is one of the targets of this scanning. Since it started, we have about 30000 extra connections registered on our firewall. It has a default udp lifetime of 2 minutes, so we have more than 30000 sip scans every second for the moment…

  3. Klaus D July 13, 2010 at 9:27 am

    So the space in front of the from-tag is by purpose for client identification?

  4. Cameron July 19, 2010 at 6:13 am

    I have been struggling with about 5500 requests per second when I am beign attacked. I ended up using ACL’s on my internet facing router to only allow requests to my SIP port from trusted hosts.

    Not sure if this is the best way to handle it, but it seems to have worked.

    • sjur July 19, 2010 at 12:54 pm

      It is possible to use ACL’s, but the scans are now coming from all over the Internet. You could install software that works like a bouncer for unwanted SIP messages. It will analyse the SIP message, and according to your rules, it will not accept SIP scans, just your regular SIP User Agents.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: