SQL injection attacks on the increase

Every SIP server exposed to the Internet receives malicious SIP requests designed to find weaknesses and vulnerabilities that can be used to exploit your services. These will normally start within a couple of hours of it being connected.

Recently, I have seen a growing number of requests where the From header contains text designed to circumvent (or just break) checks that might be carried out using an SQL query.

Here are some examples I’ve captured:

From: <sip:' or 1=1--@;transport=UDP>
From: <sip:a'or'3=3--@;transport=UDP>
From: <sip:'or'a'='a@;transport=UDP>
From: <sip:'hi'or'x'='x';@;transport=UDP>
From: <sip:'or''='@;transport=UDP>
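To show why these From values matter to a server that looks the caller up in a database, here is an added example (not code from the original post) that contrasts a lookup which splices the From user part into the SQL text with a parameterised lookup. The in-memory SQLite subscriber table, the user names and the small `from_user` helper are constructed for the example; the probe values are the captured headers above.

```python
import sqlite3


def make_db():
    """Constructed in-memory subscriber table; not from the original post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT NOT NULL)")
    conn.executemany("INSERT INTO subscriber VALUES (?)", [("alice",), ("bob",)])
    return conn


def from_user(from_header):
    """Return the user part of the URI in a From header line, e.g.
    'From: <sip:alice@pbx.example;transport=UDP>' -> 'alice'.
    Minimal helper for the header forms captured above, not an RFC 3261 parser."""
    uri = from_header.split("<", 1)[1].split(">", 1)[0]   # text inside <...>
    return uri[len("sip:"):].rpartition("@")[0]           # everything before the last '@'


def is_subscriber_vulnerable(conn, user):
    """Vulnerable form: the untrusted From user is spliced into the SQL text, so a
    quote in the value closes the string literal and the remainder is parsed as SQL."""
    sql = "SELECT COUNT(*) FROM subscriber WHERE username = '%s'" % user
    return conn.execute(sql).fetchone()[0] > 0


def is_subscriber(conn, user):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM subscriber WHERE username = ?", (user,)
    ).fetchone()
    return row[0] > 0


# From headers as captured in the post above.
PROBES = [
    "From: <sip:' or 1=1--@;transport=UDP>",
    "From: <sip:'or''='@;transport=UDP>",
]


def compare(conn=None):
    """Run every probe through both lookups.
    Returns {from_user: (concatenated_result, parameterised_result)}."""
    conn = conn or make_db()
    results = {}
    for probe in PROBES:
        user = from_user(probe)
        results[user] = (is_subscriber_vulnerable(conn, user), is_subscriber(conn, user))
    return results


if __name__ == "__main__":
    for user, (concatenated, parameterised) in compare().items():
        print(f"{user!r:16} concatenated={concatenated} parameterised={parameterised}")
```

With the concatenated query, every probe is reported as a known subscriber even though no such user exists; the parameterised query rejects them all while still matching the real users.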

Service providers and administrators need to identify these requests and drop them before they do any harm. They do all seem to have one common characteristic that would be easy to detect and block:

User-Agent: Z 3.14.38765 rv2.8.3

Another way to block the current batch would be to block the source IP addresses because so far they all seem to have come from the same subnet. The owner of the subnet almost certainly knows nothing about it, but you may want to block this portion of their IP address range for the time being:

Stop-Press: Activity from that address range has slowed and now I’m seeing a new one that is very active in the run-up to Christmas:

While wishing everyone a happy Christmas, please also be extra vigilant over the holiday period. It is a favourite time for VoIP fraud activity. The hackers work overtime during the Christmas and New Year break in the hope that they can push massive volumes of fraudulent traffic through your system for the longest possible length of time before anyone notices what is happening.

How to spot hacker INVITE requests

At Smartvox, we have access to log reports from a number of different SIP Proxy servers. The information available from these reports helps give some insight into the most common SIP requests being sent by hackers to detect and probe your VoIP servers.

Here are some common characteristics of malicious INVITE requests that have been seen recently on Smartvox servers. Based on these characteristics, you might be able to configure your firewall, SBC or OpenSIPS proxy to cut out the unwanted requests as soon as they are received:

From header contains one of the following:

  • sip:100@
  • sip:voipgw@<senders-ip-address>
  • sip:8888888888@<senders-ip-address>
  • sip:trunk@<your-proxy-ip-address>
  • sip:user@<your-proxy-ip-address>
  • sip:test@<your-proxy-ip-address>
  • sip:admin@<your-proxy-ip-address>
  • sip:nm@nm

The From name (also called the display name) is “sipvicious”, “Caller”, “MAYET”, “Simple SIP” or “0123456789”.

Another easy and reliable target for identifying malicious requests is to check for the User-Agent header being set to “friendly-scanner”.

It is becoming increasingly difficult to filter out malicious requests based on the User-Agent header alone. Recently I have seen many unwanted requests using “FPBX” or “FreePBX 1.8”, which could too easily be from a legitimate customer. However, there may still be some benefit in triggering an alarm on your system, or simply blocking INVITE requests, where the User-Agent header contains one of the following strings:

  • sipcli/v1.8
  • sipcli/v2.2
  • VaxSIPUserAgent/3.1
  • SIP Call
  • Cisco-CUCM8.6
  • SimpleSIP V4.3

In addition, the following strings are often found at the start of the User-Agent value, but may have long and varying character strings appended to them. They should therefore be checked using a sub-string match or regular expression:

  • Cisco-SIPGateway
  • Z 3.14
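Putting the indicators from this article together, here is an added example (not the Smartvox proxy configuration or any project code) of a small Python classifier that parses a SIP request, extracts the From display name, user and host and the User-Agent, and reports which of the characteristics above each request matches. It also covers the SQL-injection style From values from the first article by flagging a quote character in the From user or display name. The sample requests, the sender and proxy addresses, and the function names are constructed for the example; the `split_from` parser handles only the header forms shown in these articles.

```python
import re

# Indicators listed in the article. The placeholders <senders-ip-address> and
# <your-proxy-ip-address> are resolved per request from the arguments to classify().
FROM_USER_AT_SENDER = {"voipgw", "8888888888"}
FROM_USER_AT_PROXY = {"trunk", "user", "test", "admin"}
FROM_DISPLAY_NAMES = {"sipvicious", "Caller", "MAYET", "Simple SIP", "0123456789"}
UA_EXACT = {"friendly-scanner", "sipcli/v1.8", "sipcli/v2.2", "VaxSIPUserAgent/3.1",
            "SIP Call", "Cisco-CUCM8.6", "SimpleSIP V4.3"}
UA_PREFIX = ("Cisco-SIPGateway", "Z 3.14")   # sub-string / prefix matches

FROM_RE = re.compile(r'^\s*(?:"([^"]*)"|([^<]*?))?\s*<sip:([^>]*)>')


def parse_headers(raw):
    """Split a SIP request into (request_line, {lower-cased header name: value}).
    Header names are case-insensitive in SIP, hence the lower-casing."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def split_from(value):
    """Return (display_name, user, host) for a From header value.
    Constructed parser for the forms seen in the article, not RFC 3261 complete."""
    m = FROM_RE.match(value)
    if m:
        display = m.group(1) if m.group(1) is not None else (m.group(2) or "")
        uri = m.group(3)
    elif value.startswith("sip:"):     # bare URI without angle brackets
        display, uri = "", value[4:].split(";", 1)[0]
    else:
        return "", "", ""
    userinfo, _, hostport = uri.rpartition("@")
    host = hostport.split(";", 1)[0].split(":", 1)[0]   # drop params and port
    return display.strip(), userinfo, host


def classify(raw, sender_ip, proxy_ip):
    """Return the list of indicators from the article matched by one SIP request."""
    _request_line, h = parse_headers(raw)
    reasons = []
    display, user, host = split_from(h.get("from", ""))
    if "'" in user or "'" in display:
        reasons.append("sql metacharacter in From")
    if user == "100":
        reasons.append("From sip:100@")
    if user in FROM_USER_AT_SENDER and host == sender_ip:
        reasons.append(f"From sip:{user}@<sender-ip>")
    if user in FROM_USER_AT_PROXY and host == proxy_ip:
        reasons.append(f"From sip:{user}@<proxy-ip>")
    if (user, host) == ("nm", "nm"):
        reasons.append("From sip:nm@nm")
    if display in FROM_DISPLAY_NAMES:
        reasons.append(f"From display name {display!r}")
    ua = h.get("user-agent", "")
    if ua in UA_EXACT:
        reasons.append(f"User-Agent {ua!r}")
    elif ua.startswith(UA_PREFIX):
        reasons.append(f"User-Agent prefix match {ua!r}")
    return reasons


# Constructed sample requests (addresses from documentation ranges, not real traffic).
SENDER_IP, PROXY_IP = "192.0.2.7", "10.0.0.5"
SAMPLES = [
    "INVITE sip:1000@10.0.0.5 SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.7:5060\r\n"
    "From: <sip:' or 1=1--@;transport=UDP>;tag=1\r\nTo: <sip:1000@10.0.0.5>\r\n"
    "User-Agent: Z 3.14.38765 rv2.8.3\r\nContent-Length: 0\r\n\r\n",
    "INVITE sip:1000@10.0.0.5 SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.7:5060\r\n"
    "From: \"sipvicious\" <sip:100@192.0.2.7>;tag=2\r\nTo: <sip:1000@10.0.0.5>\r\n"
    "User-Agent: friendly-scanner\r\nContent-Length: 0\r\n\r\n",
    "INVITE sip:1000@10.0.0.5 SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.7:5060\r\n"
    "From: <sip:voipgw@192.0.2.7>;tag=3\r\nTo: <sip:1000@10.0.0.5>\r\n"
    "User-Agent: Cisco-SIPGateway/IOS-12.x\r\nContent-Length: 0\r\n\r\n",
    # A legitimate-looking request: FreePBX user agents are not scored, as the article notes.
    "INVITE sip:1000@10.0.0.5 SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.9:5060\r\n"
    "From: \"Alice\" <sip:alice@example.invalid>;tag=4\r\nTo: <sip:1000@10.0.0.5>\r\n"
    "User-Agent: FreePBX 1.8\r\nContent-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample, SENDER_IP, PROXY_IP) or "no indicator matched")
```

The same checks map directly onto an OpenSIPS routing script or SBC rule set: exact matches on the From user and User-Agent, a prefix or regular-expression match for the User-Agent families that carry variable suffixes, and a comparison of the From host against the sender's source address and your own proxy address.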

If your VoIP system, firewall or SBC doesn’t allow you to block this type of probing request, then it is much more likely to be hit by high volumes of malicious SIP requests from hackers looking for a weakness or vulnerability so they can use dial-through fraud on your system. Consider using a Smartvox OpenSIPS proxy server to upgrade your security. Give me a call or send an email.


Clustering OpenSIPS using Pacemaker

At Smartvox, all of our biggest clients are VoIP Service Providers who need their SIP-based services to be resilient and robust – able to keep working despite some random hardware failure or accidental tripping over the lead in the server room.

Systems that have built-in resilience are often referred to as “highly-available” and they make particular use of clustering methodologies. In IT, a cluster is simply a group of inter-connected servers that behave like a single system to provide high availability or load sharing. Widely used in the world of Linux is the ClusterLabs stack comprising Pacemaker and Corosync. If you are interested in learning more about using Pacemaker with OpenSIPS then please have a read of this new article just published in the Smartvox Knowledgebase:

Using ClusterLabs Pacemaker with OpenSIPS

OpenSIPS Summit 2016

Smartvox owner, John Quick, is looking forward to presenting a paper at the 2016 OpenSIPS Summit in Amsterdam in May.

The theme of my paper will be security and how to avoid getting clobbered by International Revenue Share Fraud incidents. Hope to see you there.