How to spot hacker INVITE requests

At Smartvox, we have access to log reports from a number of different SIP Proxy servers. The information available from these reports helps give some insight into the most common SIP requests being sent by hackers to detect and probe your VoIP servers.

Here are some common characteristics of the malicious INVITE requests that can be used to cut them out as soon as they are received:

From header contains one of the following:

  • sip:100@1.1.1.1
  • sip:voipgw@<senders-ip-address>
  • sip:trunk@<your-proxy-ip-address>
  • sip:user@<your-proxy-ip-address>
  • sip:nm@nm

The From name (also called the display name) is “sipvicious”

User-Agent header contains one of the following:

  • friendly-scanner
  • sipcli/v1.8
  • sipcli/v2.2
  • SIP Call
  • Cisco-SIPGateway (this one must be done as a partial match because it has varying character strings appended at the end)
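The checks above, as an added example that is not part of the original post: a small classifier that parses a raw INVITE, fills in the sender and proxy addresses for the two placeholder patterns, and reports which indicator matched. The sample INVITE at the bottom is constructed, not a real capture.

```python
import re
# Indicators quoted in the post; {sender_ip} and {proxy_ip} stand for
# <senders-ip-address> and <your-proxy-ip-address> and are filled per request.
FROM_URI_PATTERNS = ["sip:100@1.1.1.1", "sip:voipgw@{sender_ip}",
                     "sip:trunk@{proxy_ip}", "sip:user@{proxy_ip}", "sip:nm@nm"]
UA_EXACT = {"friendly-scanner", "sipcli/v1.8", "sipcli/v2.2", "SIP Call"}
UA_PREFIX = "Cisco-SIPGateway"  # partial match: the appended string varies

def parse_headers(message):
    """Map lower-cased header names to values for a raw SIP request."""
    headers = {}
    for line in message.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def classify_invite(message, sender_ip, proxy_ip):
    """Return the indicator that matched, or None if the INVITE looks clean."""
    if not message.lstrip().upper().startswith("INVITE "):
        return None
    headers = parse_headers(message)
    # From: optional display name, URI in <> or bare, then ;tag=... params
    from_hdr = headers.get("from", headers.get("f", ""))
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', from_hdr)
    name = (m.group(1) if m else "").strip()
    uri = (m.group(2) if m else from_hdr).split(";")[0].strip()
    for pat in FROM_URI_PATTERNS:
        if uri == pat.format(sender_ip=sender_ip, proxy_ip=proxy_ip):
            return "from-uri:" + uri
    if name.lower() == "sipvicious":
        return "display-name:" + name
    ua = headers.get("user-agent", "")
    if ua in UA_EXACT or ua.startswith(UA_PREFIX):
        return "user-agent:" + ua
    return None

# Constructed sample INVITE (not a real capture) carrying several indicators.
SAMPLE_INVITE = (
    "INVITE sip:1000@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1\r\n"
    'From: "sipvicious" <sip:100@1.1.1.1>;tag=3ab\r\n'
    "To: <sip:1000@192.0.2.10>\r\n"
    "User-Agent: friendly-scanner\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(classify_invite(SAMPLE_INVITE, "198.51.100.7", "192.0.2.10"))
```

The From URI is checked first, so the sample reports the `sip:100@1.1.1.1` match even though its display name and User-Agent would also trigger.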

If your VoIP system, firewall or SBC doesn’t allow you to block this type of probing request, then it is much more likely to be hit by high volumes of malicious SIP requests from hackers looking for a weakness or vulnerability so they can use dial-through fraud on your system. Consider using a Smartvox OpenSIPS proxy server to upgrade your security. Give me a call or send an email.

John