Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

An old SIP scanning has started again.


Now the scanning has started again.
For those remembering back in 2008 there was a large scanning in Germany, where customers with softphones experienced incoming calls (very annoying during the night..), it has now started again. A good paper from ipcom.at describing it extensively.

What caugt my attention was the very long branch and callid fields. They contain IP of the scanner, the scanned victim, the phone number trying to be called and several other fields (if you know what the rest of the codes are, please let me know!)

INVITE sip:82727117149111@the.honeypot.ip;transport=udp SIP/2.0
Via: SIP/2.0/UDP 202.71.111.5:3916;branch=11010010111010001010101000110202.71.111.5the.honeypot.ip751302518;rport
Max-Forwards: 70
From: <sip:736115896703798455@the.honeypot.ip>;tag=5475511560139881995954755115605475511560202.71.111.5
To: <sip:82727117149111@the.honeypot.ip>
Call-ID: ed6681d610110011110110100100110111000011010010111010001010101000110202.71.111.5the.honeypot.ip7513025181c895d9827271171491115475511560139881995954755115605475511560202.71.111.51621419374
CSeq: 1 INVITE
Contact: <sip:1c895d9@202.71.111.5:3916;transport=udp>
Content-Type: application/sdp
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: eyeBeam release 1003s stamp 31159
Content-Length: 208

v=0
o=- 16264 18299 IN IP4 the.honeypot.ip
s=CounterPath eyeBeam 1.5
c=IN IP4 the.honeypot.ip
t=0 0
m=audio 34222 RTP/AVP 18 0 8 101
– Hide quoted text –
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15

And no, it is definely not “CounterPath eyeBeam 1.5” but a custom-made scanner. This is just an indication that people are willing to put mony into developing software to attack these insecure VoIP servers.

Status now is frequent usage of stand-alone SIPviciuous and other scanners, and two kits doing extensively scanning:

the userAgent=sundayddr
they started this spring, getting scannings from all over the world, but an overweight of Chinese IP addresses.

the current scannings with “Counterpath” as user-agent.
They have been active before, and now started again (scanning latest month)

And this is just the beginning…. so secure your VoIP servers!

3 responses to “An old SIP scanning has started again.

  1. Mark Waters September 6, 2010 at 1:10 pm

    Thanks for blogging about this.

    I started seeing these on my asterisk console last saturday :-

    [Sep 3 22:07:02] NOTICE[17538] chan_sip.c: Call from ” to extension ‘27117149111’ rejected because extension not found.
    [Sep 4 00:12:58] NOTICE[17538] chan_sip.c: Call from ” to extension ‘027117149111’ rejected because extension not found.
    [Sep 4 02:19:09] NOTICE[17538] chan_sip.c: Call from ” to extension ‘0027117149111’ rejected because extension not found.
    [Sep 4 04:26:16] NOTICE[17538] chan_sip.c: Call from ” to extension ‘00027117149111’ rejected because extension not found.
    [Sep 4 06:34:42] NOTICE[17538] chan_sip.c: Call from ” to extension ‘000027117149111’ rejected because extension not found.
    [Sep 4 08:41:26] NOTICE[17538] chan_sip.c: Call from ” to extension ‘90027117149111’ rejected because extension not found.
    [Sep 4 10:48:48] NOTICE[17538] chan_sip.c: Call from ” to extension ‘01127117149111’ rejected because extension not found.

    unfortunately the asterisk logs don’t provide the ip address by default so I couldn’t setup fail2ban for this , I had to enable sip debug logging to find the ip address , turned out to be coming from 202.71.111.5 which I have now manually firewalled for now.

    Any suggestions would be appreciated.
    Thanks

  2. jm February 1, 2011 at 1:43 am

    I moved the port numbers far away from 5060 and I no longer see scanning activity. What they did was send an OPTIONS probe, and if the OPTIONS went un-replied to, the move on to the next IP address. So my router/firewall now sees these occasional OPTIONS probes to port 5060, they are dropped and that’s it.

    • Sjur Usken February 15, 2011 at 7:07 pm

      Hi, that is also an option, just change the port number from standard 5060. This can be a problem if you have a lot of end points going to connect to you, since they also need to change their port number. In my opinion you need a VPN or similar protection if you are going to have a “public” VoIP service. If your IP-PBX is open on port 5060, there is just a matter of time before anyone manages to brute-force one or more of the extensions. Thanks for the comment. Cheers

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: