How to spot hacker INVITE requests

At Smartvox, we have access to log reports from a number of different SIP Proxy servers. The information available from these reports helps give some insight into the most common SIP requests being sent by hackers to detect and probe your VoIP servers.

Here are some common characteristics of malicious INVITE requests that have been seen recently on Smartvox servers. Based on these characteristics, you might be able to configure your firewall, SBC or OpenSIPS proxy to cut out the unwanted requests as soon as they are received:

The From header contains one of the following URIs:

  • sip:100@1.1.1.1
  • sip:voipgw@<senders-ip-address>
  • sip:8888888888@<senders-ip-address>
  • sip:trunk@<your-proxy-ip-address>
  • sip:user@<your-proxy-ip-address>
  • sip:test@<your-proxy-ip-address>
  • sip:admin@<your-proxy-ip-address>
  • sip:nm@nm

The From name (also called the display name) is “sipvicious”, “Caller”, “MAYET”, “Simple SIP” or “0123456789”

Another easy and reliable target for identifying malicious requests is to check for the User-Agent header being set to “friendly-scanner”.

It is becoming increasingly difficult to filter out malicious requests simply based on the User-Agent header. Recently I have seen many unwanted requests using “FPBX” or “FreePBX 1.8”, which could too easily be from a legitimate customer. However, there may still be some benefit in triggering an alarm on your system, or simply blocking INVITE requests, where the User-Agent header contains one of the following strings:

  • sipcli/v1.8
  • sipcli/v2.2
  • VaxSIPUserAgent/3.1
  • SIP Call
  • Cisco-CUCM8.6
  • SimpleSIP V4.3

In addition, the following strings are often found at the start of the User-Agent value, but may have long and varying character strings appended to them. They should therefore be checked using a sub-string match or regular expression:

  • Cisco-SIPGateway
  • AVAYA/SPICE/v
  • Z 3.14

If your VoIP system, firewall or SBC doesn’t allow you to block this type of probing request, then it is much more likely to be hit by high volumes of malicious SIP requests from hackers looking for a weakness or vulnerability so they can use dial-through fraud on your system. Consider using a Smartvox OpenSIPS proxy server to upgrade your security. Give me a call or send an email.

John

Clustering OpenSIPS using Pacemaker

At Smartvox, all of our biggest clients are VoIP Service Providers who need their SIP-based services to be resilient and robust – able to keep working despite some random hardware failure or accidental tripping over the lead in the server room.

Systems that have built-in resilience are often referred to as “highly-available” and they make particular use of clustering methodologies. In IT, a cluster is simply a group of inter-connected servers that behave like a single system to provide high availability or load sharing. Widely used in the world of Linux is the ClusterLabs stack comprising Pacemaker and Corosync. If you are interested in learning more about using Pacemaker with OpenSIPS then please have a read of this new article just published in the Smartvox Knowledgebase:

Using ClusterLabs Pacemaker with OpenSIPS

OpenSIPS Summit 2016

Smartvox owner, John Quick, is looking forward to presenting a paper at the 2016 OpenSIPS Summit in Amsterdam in May.

The theme of my paper will be security and how to avoid getting clobbered by International Revenue Share Fraud incidents. Hope to see you there.