Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

Tag Archives: attack

Extreme SIP scanning this past week


I have never seen so much SIP scanning in so short a time across all my VoIP honeypots. They have tried every request type: INVITE, REGISTER, SUBSCRIBE and OPTIONS. Below is a short list of some of the attackers from the last 48 hours. A scanner normally tries a couple of hundred extensions and passwords; some of these IPs tried up to 10 000 different extension/password combinations.

IP address        [User-Agent]                                      Provider

119.147.116.157   [Asterisk]
193.47.153.14     [SIPVicious]
86.47.46.147      [first SIPVicious, then SIPPER for PhonerLite]
174.143.245.120   [SIPVicious]
174.129.52.240    [SIPVicious]                                      Amazon EC2
24.190.38.4       [SIPVicious]

So keep your systems ready for the flood to come! This is just the start.
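As an added example (not the blog's own code), here is a small Python triage script for captures of this kind: it parses each SIP request the honeypot received, then tallies per source IP which methods were used, how many distinct extensions were tried and which User-Agent the scanner announced, so a source that walked thousands of extensions stands out from one that sent a handful of OPTIONS probes. The capture format, the 200-extension threshold and the sample addresses (RFC 5737 documentation ranges) are assumptions made for the demo; the "friendly-scanner" string is the User-Agent SIPVicious really sends.

```python
"""Added example, not the blog's own code: parse SIP requests captured by a
VoIP honeypot and tally, per source IP, the methods tried, the number of
distinct extensions probed and the User-Agent the scanner announced.
The (src_ip, src_port, raw_sip_text) capture shape is an assumption."""
import re
from collections import defaultdict

REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+) sip:(?P<user>[^@\s;]*)@(?P<host>[^\s;>]+) SIP/2\.0$"
)


def parse_request(raw):
    """Return {'method', 'extension', 'user_agent'} for a SIP request, or None."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None                      # responses and garbage are ignored
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": m["method"], "extension": m["user"],
            "user_agent": headers.get("user-agent", "(none)")}


def summarize(captures):
    """Aggregate parsed requests per source IP."""
    per_src = defaultdict(lambda: {"count": 0, "methods": set(),
                                   "extensions": set(), "agents": set()})
    for src_ip, _src_port, raw in captures:
        req = parse_request(raw)
        if req is None:
            continue
        s = per_src[src_ip]
        s["count"] += 1
        s["methods"].add(req["method"])
        s["extensions"].add(req["extension"])
        s["agents"].add(req["user_agent"])
    return dict(per_src)


def classify(summary, sweep_threshold=200):
    """'sweep' = at least sweep_threshold distinct extensions enumerated,
    'probe' = a handful of requests, typical of OPTIONS fingerprinting."""
    return {ip: ("sweep" if len(s["extensions"]) >= sweep_threshold else "probe")
            for ip, s in summary.items()}


# --- constructed sample traffic (addresses from RFC 5737 ranges) ------------
def make_request(method, extension, user_agent, target="192.0.2.10"):
    return (f"{method} sip:{extension}@{target} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 198.51.100.1:5060;branch=z9hG4bK-0\r\n"
            f"From: \"{extension}\"<sip:{extension}@{target}>;tag=1\r\n"
            f"To: \"{extension}\"<sip:{extension}@{target}>\r\n"
            f"User-Agent: {user_agent}\r\nContent-Length: 0\r\n\r\n")


SAMPLE_CAPTURES = (
    # one source walking 300 extensions with REGISTER (an extension sweep)
    [("198.51.100.7", 5060, make_request("REGISTER", str(1000 + i), "friendly-scanner"))
     for i in range(300)]
    # another source only fingerprinting with OPTIONS
    + [("203.0.113.9", 5061, make_request("OPTIONS", "100", "Asterisk PBX"))]
    # a SIP response, which the parser must skip
    + [("203.0.113.9", 5061, "SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n")]
)

if __name__ == "__main__":
    summary = summarize(SAMPLE_CAPTURES)
    for ip, verdict in classify(summary).items():
        s = summary[ip]
        print(f"{ip:15} {verdict:5} requests={s['count']:4} "
              f"extensions={len(s['extensions']):4} methods={sorted(s['methods'])} "
              f"agents={sorted(s['agents'])}")
```

The per-source extension count is the number to watch: a legitimate client re-registers one extension, a scanner walks hundreds or thousands, and the User-Agent column is what the table above was built from.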


SIP scanning causes DDoS on IP 1.1.1.1


RIPE said a long time ago that IPv4 is running out of addresses. Now the 1.0.0.0/8 block (1.x.x.x) has been released for production use as well, and RIPE NCC has been announcing parts of it to see what traffic turns up. This is a bit problematic, because people have been using addresses like 1.1.1.1 and 1.2.3.4 as examples in scripts, tools and manuals for years. Hosts configured with those addresses by people who did not know any better keep trying to contact them, so as soon as routes to these networks went live, a LOT of traffic started coming in.

What made it interesting for Sandro Gauci of EnableSecurity was that most of the traffic was UDP (60 %), and almost 90 % of it went to the single address 1.1.1.1. This is a quote from RIPE's article about it:

We found that almost 60% of the UDP packets are sent towards the IP address 1.1.1.1 on port 15206 which makes up the largest amount of packets seen by our RRC. Most of these packets start their data section with 0x80, continue with seemingly random data and are padded to 172 bytes with an (again seemingly random) 2 byte value.

This is very likely RTP (the UDP stream that carries VoIP audio) coming from hosts that are open to SIP INVITE attacks, as Sandro points out in his comment and on his blog. The details fit: 0x80 is the first byte of an RTP header with version 2 and no padding, header extension or CSRC entries, and 172 bytes is exactly a 12-byte RTP header plus 160 bytes of G.711 audio, i.e. one 20 ms packet at 8 kHz. The "seemingly random" data is simply the audio samples.

This is alarming too! The scanning that produces this RTP audio towards 1.1.1.1 port 15206 seems to be doing REALLY well across the Internet: there are a lot of insecure VoIP platforms out there that accept and answer ANY SIP INVITE they receive. The software doing it is NOT SIPVicious but something else; it normally sends its SIP INVITEs from source port 3058. If anybody knows something about this software, please contact me.

I have had a slide about this scenario in my VoIP presentations for a while. If you do a SIP INVITE sweep, the SDP in your INVITE should NOT name a valid, routable IP address for the audio. Every INVITE that gets answered generates at least 20 seconds of roughly 0.1 Mbit/s of G.711 RTP towards that address. A sweep with your own IP as the RTP receiver will not take long to backfire: you end up DDoSing yourself (well earned, though, IMHO).
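The whole chain from the last three paragraphs, as an added example rather than code from the blog, RIPE or EnableSecurity: the scanner's INVITE carries an SDP body whose c= and m= lines say where audio should go; a PBX that answers any INVITE then streams G.711 RTP there; and the datagrams it sends are exactly the 0x80-prefixed, 172-byte packets RIPE described. The code parses the SDP target, builds the stream an open PBX would send (returned, not transmitted, so it runs offline), and classifies datagrams against that pattern. The sample INVITE, the SSRC, the helper names and the idea of using the Python `ipaddress` module to decide whether a target is routable are all assumptions for the demo.

```python
"""Added example, not code from the blog, RIPE or EnableSecurity: how a SIP
INVITE sweep turns into an RTP flood, plus a classifier for the datagrams
RIPE described (first byte 0x80, 172 bytes, UDP port 15206).
Names, the SSRC and the sample SIP message are assumptions for the demo."""
import ipaddress
import os
import re
import struct


def extract_media_target(invite):
    """(ip, port) the INVITE's SDP asks audio to be sent to, or None."""
    _, _, body = invite.partition("\r\n\r\n")
    conn = re.search(r"^c=IN IP4 (\S+)\s*$", body, re.M)
    media = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
    if not conn or not media:
        return None
    return conn.group(1), int(media.group(1))


def is_routable(ip):
    """Would RTP sent to this address leave the PBX and cross the Internet?"""
    a = ipaddress.ip_address(ip)
    return not (a.is_unspecified or a.is_loopback or a.is_private
                or a.is_link_local or a.is_multicast or a.is_reserved)


def g711_rtp_packet(seq, timestamp, ssrc, payload_type=0, samples=160):
    """One datagram as a G.711 endpoint sends it every 20 ms: V=2, P=0, X=0,
    CC=0 gives the 0x80 first byte; M=0 plus PT (0 = PCMU, 8 = PCMA); then
    12-byte header + 160 one-byte samples (8 kHz * 20 ms) = 172 bytes."""
    header = struct.pack("!BBHII", 0x80, payload_type,
                         seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc)
    return header + os.urandom(samples)     # stand-in for audio samples


def parse_rtp_header(datagram):
    """Decode the fixed RTP header; None if it is not RTP version 2."""
    if len(datagram) < 12 or datagram[0] >> 6 != 2:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", datagram[:12])
    return {"padding": bool(b0 & 0x20), "extension": bool(b0 & 0x10),
            "csrc_count": b0 & 0x0F, "marker": bool(b1 & 0x80),
            "payload_type": b1 & 0x7F, "seq": seq, "timestamp": ts,
            "ssrc": ssrc, "payload_len": len(datagram) - 12}


def looks_like_g711_rtp(datagram):
    """RIPE's observation restated as a check: plain v2 header (0x80), G.711
    payload type and a 160-byte payload, i.e. a 172-byte datagram."""
    h = parse_rtp_header(datagram)
    return (h is not None and datagram[0] == 0x80
            and h["payload_type"] in (0, 8) and h["payload_len"] == 160)


def g711_wire_kbps(ptime_ms=20):
    """Bit rate of one G.711 stream on the wire: IPv4 + UDP + RTP + samples."""
    pkt_bytes = 20 + 8 + 12 + 8 * ptime_ms             # 8 samples per ms
    return pkt_bytes * (1000 // ptime_ms) * 8 / 1000    # 80.0 kbit/s at 20 ms


def answer_invite(invite, seconds=20, ptime_ms=20):
    """What an open PBX does: answer, then stream G.711 to the SDP target.
    Returns (target, datagrams) instead of sending, so this runs offline."""
    target = extract_media_target(invite)
    if target is None:
        return None, []
    samples = 8 * ptime_ms
    pkts = [g711_rtp_packet(i, i * samples, ssrc=0x1234ABCD, samples=samples)
            for i in range(seconds * 1000 // ptime_ms)]
    return target, pkts


# Constructed scanner INVITE: sent from port 3058, audio pointed at 1.1.1.1:15206.
_SDP = ("v=0\r\no=- 1 1 IN IP4 1.1.1.1\r\ns=-\r\nc=IN IP4 1.1.1.1\r\n"
        "t=0 0\r\nm=audio 15206 RTP/AVP 0 8\r\n")
SCANNER_INVITE = (
    "INVITE sip:100@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:3058;branch=z9hG4bK-1\r\n"
    "From: <sip:scan@198.51.100.7>;tag=1\r\nTo: <sip:100@192.0.2.10>\r\n"
    "Call-ID: 1@198.51.100.7\r\nCSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(_SDP)}\r\n\r\n" + _SDP
)

if __name__ == "__main__":
    target, stream = answer_invite(SCANNER_INVITE)
    print(f"PBX streams {len(stream)} datagrams to {target} at {g711_wire_kbps()} kbit/s;"
          f" target routable: {is_routable(target[0])};"
          f" first datagram matches RIPE pattern: {looks_like_g711_rtp(stream[0])}")
```

Two things to take from it. On the scanner side, `is_routable` is the guard the slide is about: if the c= address in your INVITE passes it, every open PBX you hit will stream 50 packets a second at you for the length of its default call timeout. On the defender side, `looks_like_g711_rtp` is enough to pull the 1.1.1.1-bound flood out of a capture and list the source addresses, which is exactly the list of PBXes that need securing.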

So what is next?

I would love to run a honeypot on 1.1.1.1, or to get access to the traffic going to that address. Every host that sends RTP traffic there should be contacted and asked to secure its server!

Status now from RIPE:

Since the traffic patterns seemed to be stable we decided to withdraw the announcement of 1.1.1.0/24 and 1.2.3.0/24 on 2 February 2010.

Why are there VoIP attacks from port 3058?


I have been picking up more and more hits in the VoIP honeypots lately. What puzzles me is that several of them originate from different IPs but the same source port number. IANA has assigned port 3058 as follows:

videobeans 3058/tcp videobeans
videobeans 3058/udp videobeans

IPs that have hit one or more of our honeypots in the last few days:

From port 3058
64.62.243.6
67.23.3.128
69.64.38.111

Other ports
174.129.70.133
207.239.216.52
207.239.216.53
208.38.164.48

Notice the two consecutive IPs, 207.239.216.52 and .53.

But why port 3058? The reason is probably simple, but for now my guess is the same piece of software running on PCs with public IPs.
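One way to do the grouping this post does by hand, as an added example rather than the blog's own tooling: cluster honeypot hits by the source port the scanner bound to, and flag numerically adjacent source addresses. A fixed, unusual source port shared by unrelated IPs is a cheap fingerprint for one tool or one bot payload, because a port the OS picked for an unbound socket would fall in the ephemeral range. The hits below are constructed from RFC 5737 documentation ranges (mirroring the pattern above: three sources on 3058, one adjacent pair) rather than the real addresses listed; the ephemeral ranges used are the IANA dynamic range and the Linux default ip_local_port_range.

```python
"""Added example, not the blog's own tooling: group honeypot hits by the
scanner's source port and spot adjacent source addresses."""
import ipaddress
from collections import defaultdict

# Constructed hits (src_ip, src_port) in RFC 5737 documentation ranges.
HITS = [
    ("192.0.2.6", 3058), ("198.51.100.128", 3058), ("203.0.113.111", 3058),
    ("198.51.100.133", 41022), ("203.0.113.52", 5060), ("203.0.113.53", 5062),
    ("203.0.113.48", 60211),
]

EPHEMERAL_RANGES = [(49152, 65535),   # IANA dynamic/private port range
                    (32768, 60999)]   # Linux default ip_local_port_range


def is_ephemeral(port):
    """True if an unbound socket on a common OS could have picked this port;
    a scanner seen on 3058 from many hosts bound that port deliberately."""
    return any(lo <= port <= hi for lo, hi in EPHEMERAL_RANGES)


def clusters_by_source_port(hits, min_sources=2):
    """Source ports used by at least min_sources distinct IPs -> sorted IPs."""
    by_port = defaultdict(set)
    for ip, port in hits:
        by_port[port].add(ip)
    return {port: sorted(ips, key=ipaddress.ip_address)
            for port, ips in by_port.items() if len(ips) >= min_sources}


def adjacent_sources(hits):
    """Pairs of source IPs that are numerically consecutive (.52 and .53)."""
    ips = sorted({ipaddress.ip_address(ip) for ip, _ in hits})
    return [(str(a), str(b)) for a, b in zip(ips, ips[1:]) if int(b) - int(a) == 1]


if __name__ == "__main__":
    for port, ips in clusters_by_source_port(HITS).items():
        kind = "ephemeral" if is_ephemeral(port) else "deliberately bound"
        print(f"source port {port} ({kind}) shared by {len(ips)} IPs: {', '.join(ips)}")
    for a, b in adjacent_sources(HITS):
        print(f"adjacent sources: {a} and {b}")
```

Run against a real honeypot log, a port that is both outside the ephemeral ranges and shared by several sources is worth tagging as a tool signature alongside the User-Agent; adjacent sources are worth a WHOIS lookup to see if they share an owner.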