Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

An old SIP scanning has started again.


Now the scanning has started again.
For those who remember: back in 2008 there was a large scanning campaign in Germany, where customers with softphones received incoming calls (very annoying during the night..), and it has now started again. A good paper from ipcom.at describes it extensively.

What caught my attention was the very long branch and Call-ID fields. They contain the IP of the scanner, the scanned victim, the phone number being called and several other fields (if you know what the rest of the codes are, please let me know!)

INVITE sip:82727117149111@the.honeypot.ip;transport=udp SIP/2.0
Via: SIP/2.0/UDP 202.71.111.5:3916;branch=11010010111010001010101000110202.71.111.5the.honeypot.ip751302518;rport
Max-Forwards: 70
From: <sip:736115896703798455@the.honeypot.ip>;tag=5475511560139881995954755115605475511560202.71.111.5
To: <sip:82727117149111@the.honeypot.ip>
Call-ID: ed6681d610110011110110100100110111000011010010111010001010101000110202.71.111.5the.honeypot.ip7513025181c895d9827271171491115475511560139881995954755115605475511560202.71.111.51621419374
CSeq: 1 INVITE
Contact: <sip:1c895d9@202.71.111.5:3916;transport=udp>
Content-Type: application/sdp
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: eyeBeam release 1003s stamp 31159
Content-Length: 208

v=0
o=- 16264 18299 IN IP4 the.honeypot.ip
s=CounterPath eyeBeam 1.5
c=IN IP4 the.honeypot.ip
t=0 0
m=audio 34222 RTP/AVP 18 0 8 101
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15

And no, it is definitely not “CounterPath eyeBeam 1.5” but a custom-made scanner. This is just an indication that people are willing to put money into developing software to attack these insecure VoIP servers.
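As an added illustration (my own example, not code from the post or from any scanner), here is a small Python check that applies the observations above to a captured INVITE: a standards-conforming SIP stack's Via branch starts with the RFC 3261 magic cookie z9hG4bK, so a branch built from counters and embedded IP addresses, and a Call-ID of that length, are cheap things to alert on in a honeypot or PBX log. The benign INVITE and the pbx.example names are constructed for comparison.

```python
import re

# Sample input: INVITE headers quoted in the post (SDP omitted; "the.honeypot.ip" is the author's placeholder).
SCANNER_INVITE = (
    "INVITE sip:82727117149111@the.honeypot.ip;transport=udp SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 202.71.111.5:3916;branch=11010010111010001010101000110202.71.111.5the.honeypot.ip751302518;rport\r\n"
    "From: <sip:736115896703798455@the.honeypot.ip>;tag=5475511560139881995954755115605475511560202.71.111.5\r\n"
    "Call-ID: ed6681d610110011110110100100110111000011010010111010001010101000110202.71.111.5the.honeypot.ip"
    "7513025181c895d9827271171491115475511560139881995954755115605475511560202.71.111.51621419374\r\n"
    "User-Agent: eyeBeam release 1003s stamp 31159\r\n\r\n"
)
# Constructed benign INVITE for comparison: RFC 3261 branch, short Call-ID.
NORMAL_INVITE = (
    "INVITE sip:1001@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:1002@pbx.example>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@pbx.example\r\n\r\n"
)

MAGIC_COOKIE = "z9hG4bK"  # RFC 3261 requires every Via branch to start with this
# Dotted quad not followed by a digit; no leading boundary, because the scanner runs its counters straight into the address.
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

def parse_headers(msg):
    """Map lowercased header names to the value of their first occurrence."""
    headers = {}
    for line in msg.split("\r\n")[1:]:       # element 0 is the request line
        if not line:                         # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def param(header, name):
    m = re.search(r";%s=([^;]+)" % name, header)   # value of ;name=... or ''
    return m.group(1) if m else ""

def scanner_indicators(msg):
    """Reasons an INVITE matches the pattern shown in the post (empty list if none)."""
    h = parse_headers(msg)
    branch, tag = param(h.get("via", ""), "branch"), param(h.get("from", ""), "tag")
    reasons = []
    if not branch.startswith(MAGIC_COOKIE):
        reasons.append("Via branch lacks the z9hG4bK magic cookie")
    ips = sorted(set(IPV4.findall(branch) + IPV4.findall(tag)))
    if ips:
        reasons.append("IP addresses embedded in branch/tag: " + ", ".join(ips))
    if len(h.get("call-id", "")) > 100:
        reasons.append("Call-ID is %d characters long" % len(h["call-id"]))
    return reasons
```

Run against the captured message it reports all three indicators, including the scanner's own address 202.71.111.5 pulled out of the branch and From tag, which is exactly the value a fail2ban-style rule would want.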

Status now is frequent usage of stand-alone SIPVicious and other scanners, and two kits doing extensive scanning:

the User-Agent sundayddr
They started this spring; the scans come from all over the world, but with a disproportionate share of Chinese IP addresses.

the current scans with “Counterpath” as User-Agent.
They have been active before, and have now started again (scanning during the latest month).

And this is just the beginning…. so secure your VoIP servers!

3 responses to “An old SIP scanning has started again.”

  1. Mark Waters September 6, 2010 at 1:10 pm

    Thanks for blogging about this.

    I started seeing these on my asterisk console last saturday :-

    [Sep 3 22:07:02] NOTICE[17538] chan_sip.c: Call from ” to extension ‘27117149111’ rejected because extension not found.
    [Sep 4 00:12:58] NOTICE[17538] chan_sip.c: Call from ” to extension ‘027117149111’ rejected because extension not found.
    [Sep 4 02:19:09] NOTICE[17538] chan_sip.c: Call from ” to extension ‘0027117149111’ rejected because extension not found.
    [Sep 4 04:26:16] NOTICE[17538] chan_sip.c: Call from ” to extension ‘00027117149111’ rejected because extension not found.
    [Sep 4 06:34:42] NOTICE[17538] chan_sip.c: Call from ” to extension ‘000027117149111’ rejected because extension not found.
    [Sep 4 08:41:26] NOTICE[17538] chan_sip.c: Call from ” to extension ‘90027117149111’ rejected because extension not found.
    [Sep 4 10:48:48] NOTICE[17538] chan_sip.c: Call from ” to extension ‘01127117149111’ rejected because extension not found.

    Unfortunately the Asterisk logs don’t provide the IP address by default, so I couldn’t set up fail2ban for this; I had to enable SIP debug logging to find the IP address, which turned out to be coming from 202.71.111.5, which I have manually firewalled for now.

    Any suggestions would be appreciated.
    Thanks

  2. jm February 1, 2011 at 1:43 am

    I moved the port numbers far away from 5060 and I no longer see scanning activity. What they did was send an OPTIONS probe, and if the OPTIONS went un-replied to, they move on to the next IP address. So my router/firewall now sees these occasional OPTIONS probes to port 5060, they are dropped and that’s it.

    • Sjur Usken February 15, 2011 at 7:07 pm

      Hi, that is also an option, just change the port number from the standard 5060. This can be a problem if you have a lot of end points going to connect to you, since they also need to change their port number. In my opinion you need a VPN or similar protection if you are going to have a “public” VoIP service. If your IP-PBX is open on port 5060, it is just a matter of time before anyone manages to brute-force one or more of the extensions. Thanks for the comment. Cheers
