Every SIP server exposed to the Internet receives malicious SIP requests designed to find weaknesses and vulnerabilities that can be used to exploit your services. These will normally start within a couple of hours of it being connected.
Recently, I have seen a growing number of requests where the From header contains text designed to circumvent (or just break) checks that might be carried out using an SQL query.
Here are some examples I’ve captured:
From: <sip:' or email@example.com;transport=UDP> From: <sip:firstname.lastname@example.org;transport=UDP> From: <sip:‘or‘a’='email@example.com;transport=UDP> From: <sip:‘hi'or‘x’='x';@18.104.22.168;transport=UDP> From: <sip:'firstname.lastname@example.org;transport=UDP>
Service providers and administrators need to identify these requests and drop them before they do any harm. They do all seem to have one common characteristic that would be easy to detect and block:
User-Agent: Z 3.14.38765 rv2.8.3
Another way to block the current batch would be to block the source IP addresses because so far they all seem to have come from the same subnet. The owner of the subnet almost certainly knows nothing about it, but you may want to block this portion of their IP address range for the time being:
Stop-Press: Activity from that address range has slowed and now I’m seeing a new one that is very active in the run-up to Christmas:
While wishing everyone a happy Christmas, please also be extra vigilant over the holiday period. It is a favourite time for VoIP fraud activity. The hackers work overtime during the Christmas and New Year break in the hope that they can push massive volumes of fraudulent traffic through your system for the longest possible length of time before anyone notices what is happening.