SCF Advanced Search



  • Total Posts: 38475
  • Total Topics: 13022
  • Online Today: 1265
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)


Author Topic: Global SIP Attack Activity  (Read 3636 times)

0 Members and 1 Guest are viewing this topic.


  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Global SIP Attack Activity
« on: 10. October 2008., 08:16:21 »

UDP port 5060 scans by origin country. Japan and Kyrgyzstan lead.

SIP, or “session initiation protocol”, is used by VoIP services to set up and manage calls. It’s a lot like HTTP in how it uses URI forms to specify who is calling whom and what action they want to take. It’s also insecure as it’s typically implemented, with many attack models and a growing number of them being studied. By default, SIP uses UDP port 5060 for communications.

We’re also seeing a growth in SIP deployments as VoIP services continue to grow globally. This growth is mirrored by the growing interest of hackers and attackers, both in terms of tools but also in terms of activity.

Digging into ATLAS we can start to look at SIP scan and exploit activity over the past 30 days. SIP attacks are uncommon in ATLAS and are usually not visible as a global “top 20″. When we do go looking for it, however, what we see isn’t terribly surprising.

Firstly, the most popular attack traffic we have fingerprinted is from SIPVicious, “a set of tools that can be used to audit SIP based VoIP systems” as described by the author. This is to be expected, folks will usually just run whatever canned tools are out there. SIPVicious’ tools are very basic and what you would expect, basically allowing for a SIP inventory on a network. The second most popular attack is a generic flood to port UDP port 5060, with exploit activity for the MultiTech SIP overflow (CVE-2005-4050) coming in third.

Secondly, these attacks are coming primarily from two countries: Japan (38% of attacks over the past 30 days) and, of all places, Kyrgyzstan with nearly 48% of the SIP attacks seen in ATLAS in the past 30 days. These attacks most often come from two hosts, (in NTT space) and in KTNET space.

Thirdly, generic SIP UDP/5060 scans are far more broadly sourced, coming from countries like South Afirca, the US, France, and the UK. These are probably done with generic tools like nmap or similar port scan tools.

Overall, VoIP attack activity is pretty rare on the Internet at this point, at least as measured by ATLAS. Most of the attacks we see at this point are probes. There’s no shortage of bugs in SIP devices such as soft phones and even hardware devices, and VoIP interruptions can be devastating. We expect this to increase in the coming years, although it’s hard to anticipate what attacks will come next. This is an under-researched area in computer security.

(Arbor Networks)

Samker's Computer Forum -

Global SIP Attack Activity
« on: 10. October 2008., 08:16:21 »


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising