Over the last week there has been a tremendous amount of SIP scanning from IPs all over the world. The scans come from many IPs but carry the same signature, so there is probably only one person or firm behind them.
The scan looks like this:
OPTIONS sip:100@X.X.X.X SIP/2.0
Via: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-31055767;rport
Content-Length: 0
From: "sipsscuser"<sip:100@192.168.1.9>; tag=01669016334862887007103185718785156498385702949
Accept: application/sdp
User-Agent: sundayddr
To: "sipssc"<sip:100@192.168.1.9>
Contact: sip:100@192.168.1.9:5060
CSeq: 1 OPTIONS
Call-ID: 022827170099429274868738305
Max-Forwards: 70
The layout of the OPTIONS message is the same as in SIPVicious scans, so the scanner's author has taken that Python code and just changed the User-Agent.
And this is just the beginning….
I can second this. Our network is one of the targets of this scanning. Since it started, we have about 30000 extra connections registered on our firewall. It has a default udp lifetime of 2 minutes, so we have more than 30000 sip scans every second for the moment…
So the space in front of the from-tag is by purpose for client identification?
It is the “UserAgent” string that identifies the user agent. The From tag can also be used, but is normally a number.
I have been struggling with about 5500 requests per second when I am being attacked. I ended up using ACLs on my internet facing router to only allow requests to my SIP port from trusted hosts.
Not sure if this is the best way to handle it, but it seems to have worked.
It is possible to use ACLs, but the scans are now coming from all over the Internet. You could install software that works like a bouncer for unwanted SIP messages. It will analyse the SIP message, and according to your rules, it will not accept SIP scans, just your regular SIP User Agents.
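The two ideas in this thread, the post's observation that the probe is a SIPVicious template with only the User-Agent changed, and the "bouncer" that inspects each SIP message against your own rules, can be combined into a small rule-based filter. The following is an added example written for this page; it is not the blog's code and not any product mentioned here. It parses a raw SIP request, scores it against the signatures quoted above (the sundayddr User-Agent, the "sipssc*" From/To display names, the space before the From tag that the comments discuss) and returns allow or drop with the reasons. The SIPVicious default User-Agent "friendly-scanner" is included as a second known string. The sample datagrams, IP addresses (documentation ranges), weights and threshold are constructed for the example; the trusted-source allow list models the router ACL approach from the comments.

```python
"""Rule-based bouncer for SIP scan probes (added example, not the blog's code)."""
import ipaddress
import re

# Known scanner User-Agent strings: the one quoted in the post and the
# SIPVicious default it was copied from. Weights/threshold are constructed.
SCANNER_USER_AGENTS = {"sundayddr", "friendly-scanner"}
THRESHOLD = 5
DISPLAY_NAME_RE = re.compile(r'^\s*"([^"]*)"')


def parse_sip_request(raw):
    """Return (method, headers) for one SIP request.

    Header names are lowercased; RFC 3261 folded continuation lines (leading
    whitespace) are joined onto the previous header; a repeated header keeps
    only its first value, which is enough for these rules."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+)\s+(\S+)\s+SIP/2\.0$", lines[0])
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers, current = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and current is not None:
            headers[current] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line, ignore
        current = name.strip().lower()
        headers.setdefault(current, value.strip())
    return m.group(1), headers


def score_request(method, headers):
    """Apply the signature rules; returns (score, reasons)."""
    score, reasons = 0, []
    ua = headers.get("user-agent", "").lower()
    if ua in SCANNER_USER_AGENTS:
        score += 10
        reasons.append("User-Agent %r is a known scanner" % ua)
    # The SIPVicious OPTIONS template uses "sipsscuser"/"sipssc" display names;
    # checking them catches a copy whose User-Agent was renamed again.
    for name in ("from", "to"):
        dm = DISPLAY_NAME_RE.match(headers.get(name, ""))
        if dm and dm.group(1).lower().startswith("sipssc"):
            score += 5
            reasons.append("%s display name %r matches the SIPVicious template" % (name.title(), dm.group(1)))
    # Weak signal discussed in the comments: a space between ';' and 'tag='.
    if method == "OPTIONS" and re.search(r">;\s+tag=", headers.get("from", "")):
        score += 2
        reasons.append("whitespace before the From tag")
    return score, reasons


def bounce(raw, src_ip, trusted_sources=()):
    """Decide 'allow' or 'drop' for one datagram from src_ip.

    Sources inside trusted_sources (CIDR strings, the ACL approach from the
    comments) bypass the signature rules; unparseable requests are dropped."""
    src = ipaddress.ip_address(src_ip)
    if any(src in ipaddress.ip_network(n) for n in trusted_sources):
        return "allow", ["source %s is trusted" % src_ip]
    try:
        method, headers = parse_sip_request(raw)
    except ValueError as exc:
        return "drop", [str(exc)]
    score, reasons = score_request(method, headers)
    return ("drop" if score >= THRESHOLD else "allow"), reasons


# Constructed sample datagrams (target/source IPs from documentation ranges).
SUNDAYDDR_PROBE = (
    "OPTIONS sip:100@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-31055767;rport\r\n"
    "Content-Length: 0\r\n"
    'From: "sipsscuser"<sip:100@192.168.1.9>; tag=01669016334862887007103185718785156498385702949\r\n'
    "Accept: application/sdp\r\n"
    "User-Agent: sundayddr\r\n"
    'To: "sipssc"<sip:100@192.168.1.9>\r\n'
    "Contact: sip:100@192.168.1.9:5060\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Call-ID: 022827170099429274868738305\r\n"
    "Max-Forwards: 70\r\n\r\n"
)
# Same template with the User-Agent renamed to something innocuous (constructed).
RENAMED_UA_PROBE = SUNDAYDDR_PROBE.replace("User-Agent: sundayddr", "User-Agent: Linksys/SPA")
# A legitimate keep-alive from a PBX (constructed).
LEGIT_OPTIONS = (
    "OPTIONS sip:203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK7f1a;rport\r\n"
    'From: "pbx"<sip:alice@198.51.100.7>;tag=a1b2c3\r\n'
    "To: <sip:203.0.113.10>\r\n"
    "User-Agent: Asterisk PBX\r\n"
    "CSeq: 42 OPTIONS\r\n"
    "Call-ID: 5e1c4d@198.51.100.7\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, msg in (("sundayddr", SUNDAYDDR_PROBE), ("renamed UA", RENAMED_UA_PROBE), ("pbx", LEGIT_OPTIONS)):
        print(label, bounce(msg, "198.51.100.7"))
```

The point of scoring several weak and strong signals rather than matching only the User-Agent string is the one the post makes: the attacker already changed that string once, so a filter keyed on "sundayddr" alone stops working the moment it is changed again, while the template's display names and spacing survive such an edit.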