How to spot hacker INVITE requests

At Smartvox, we have access to log reports from a number of different SIP Proxy servers. The information available from these reports helps give some insight into the most common SIP requests being sent by hackers to detect and probe your VoIP servers.

Here are some common characteristics of malicious INVITE requests that have been seen recently on Smartvox servers. Based on these characteristics, you might be able to configure your firewall, SBC or OpenSIPS proxy to drop the unwanted requests as soon as they are received:

From header contains one of the following:

  • sip:100@1.1.1.1
  • sip:voipgw@<senders-ip-address>
  • sip:trunk@<your-proxy-ip-address>
  • sip:user@<your-proxy-ip-address>
  • sip:test@<your-proxy-ip-address>
  • sip:admin@<your-proxy-ip-address>
  • sip:nm@nm

The From name (also called the display name) is “sipvicious”

Another easy and reliable target for identifying malicious requests is to check for the User-Agent header being set to “friendly-scanner”.

It is becoming increasingly difficult to filter out malicious requests based on the User-Agent header alone. Recently I have seen many unwanted requests using “FPBX” or “FreePBX 1.8”, which could too easily be from a legitimate customer. However, there may still be some benefit in triggering an alarm on your system, or simply blocking INVITE requests, where the User-Agent header is set to one of the following strings:

  • sipcli/v1.8
  • sipcli/v2.2
  • VaxSIPUserAgent/3.1
  • SIP Call
  • Cisco-CUCM8.6

In addition, the following strings are often found at the start of the User-Agent value, but may have long and varying character strings appended to them. They should therefore be checked using a sub-string match or regular expression:

  • Cisco-SIPGateway
  • AVAYA/SPICE/v
  • Z 3.14
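To show how the From-header, display-name and User-Agent checks above fit together, here is an added example in Python (not code from the original post or from any Smartvox product) that parses a raw INVITE and reports which of the listed signatures it matches. The proxy address 203.0.113.10, the sender address 198.51.100.7 and the three sample messages are constructed for the example; the “@<your-proxy-ip-address>” and “@<senders-ip-address>” placeholders from the lists are filled in at match time.

```python
import re

# Hypothetical proxy address standing in for <your-proxy-ip-address>.
PROXY_IP = "203.0.113.10"

# From-URI signatures from the lists above.
FROM_URIS_FIXED = {"sip:100@1.1.1.1", "sip:nm@nm"}
FROM_USERS_AT_PROXY = {"trunk", "user", "test", "admin"}

# User-Agent signatures: exact values, and prefixes that get a varying suffix.
UA_EXACT = {"friendly-scanner", "sipcli/v1.8", "sipcli/v2.2",
            "VaxSIPUserAgent/3.1", "SIP Call", "Cisco-CUCM8.6"}
UA_PREFIXES = ("Cisco-SIPGateway", "AVAYA/SPICE/v", "Z 3.14")

# Compact header names scanners sometimes use (RFC 3261 section 7.3.3).
COMPACT = {"f": "from", "t": "to", "v": "via", "l": "content-length"}


def parse_sip(raw):
    """Return (method, {lowercased-header-name: value}) for one SIP request.
    Header folding is not handled; scanners rarely use it."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header section
            break
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return method, headers


def split_from(value):
    """Split a From value such as '"sipvicious"<sip:100@1.1.1.1>;tag=x'
    into (display_name, uri-without-parameters)."""
    m = re.match(r'\s*(?:"([^"]*)"|([^<]*?))\s*<([^>]+)>', value)
    if m:
        display = m.group(1) if m.group(1) is not None else m.group(2).strip()
        uri = m.group(3)
    else:                       # bare URI with no angle brackets
        display, uri = "", value
    return display, uri.split(";")[0].strip()


def classify_invite(raw, sender_ip, proxy_ip=PROXY_IP):
    """Return the list of signature names the INVITE matches (empty = clean)."""
    method, h = parse_sip(raw)
    if method.upper() != "INVITE":
        return []
    hits = []
    display, uri = split_from(h.get("from", ""))
    uri_l = uri.lower()
    if uri_l in FROM_URIS_FIXED:
        hits.append("from-uri:fixed")
    if uri_l == f"sip:voipgw@{sender_ip}":
        hits.append("from-uri:voipgw@sender")
    user, _, host = uri_l[4:].partition("@") if uri_l.startswith("sip:") else ("", "", "")
    if host == proxy_ip and user in FROM_USERS_AT_PROXY:
        hits.append(f"from-uri:{user}@proxy")
    if display.lower() == "sipvicious":
        hits.append("from-display:sipvicious")
    ua = h.get("user-agent", "")
    if ua in UA_EXACT:
        hits.append(f"ua:{ua}")
    elif ua.startswith(UA_PREFIXES):
        hits.append("ua:prefix")
    return hits


# Constructed sample requests (not real captures).
SENDER_IP = "198.51.100.7"
SAMPLE_SCAN = (
    "INVITE sip:1000@203.0.113.10 SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {SENDER_IP}:5060;branch=z9hG4bK-1\r\n"
    "From: \"sipvicious\"<sip:100@1.1.1.1>;tag=abc\r\n"
    "To: <sip:1000@203.0.113.10>\r\n"
    "User-Agent: friendly-scanner\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_TRUNK = (
    "INVITE sip:00441234567890@203.0.113.10 SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {SENDER_IP}:5060;branch=z9hG4bK-2\r\n"
    "f: <sip:trunk@203.0.113.10>;tag=1\r\n"
    "To: <sip:00441234567890@203.0.113.10>\r\n"
    "User-Agent: Cisco-SIPGateway/IOS-12.x\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_OK = (
    "INVITE sip:2000@203.0.113.10 SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {SENDER_IP}:5060;branch=z9hG4bK-3\r\n"
    "From: \"Alice\" <sip:alice@example.com>;tag=9\r\n"
    "To: <sip:2000@203.0.113.10>\r\n"
    "User-Agent: FreePBX 1.8\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for name, msg in (("scan", SAMPLE_SCAN), ("trunk", SAMPLE_TRUNK), ("ok", SAMPLE_OK)):
        print(name, classify_invite(msg, SENDER_IP))
```

The third sample is deliberately left unmatched: a “FreePBX 1.8” User-Agent with an ordinary From header is exactly the kind of request the list above should not block. Bear in mind that all three headers are set by the sender, so these rules only catch noisy, unmodified scanners; anyone who edits the User-Agent string walks straight past them, which is why rate limiting and authentication failure counts are still needed alongside this kind of matching.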

If your VoIP system, firewall or SBC doesn’t allow you to block this type of probing request, then it is much more likely to be hit by high volumes of malicious SIP requests from hackers looking for a weakness or vulnerability so they can use dial-through fraud on your system. Consider using a Smartvox OpenSIPS proxy server to upgrade your security. Give me a call or send an email.

John