Since implementing new monitoring tools I’ve noticed a lot of failed REGISTER events on our network. Our SBC would issue a 4XX back to the originating UA, however the attempts continue. At one point I saw 200 register messages per second from a single IP.
I started to look a bit deeper into the REGISTER packet and found that the User-Agent is always “friendly-scanner”.
REGISTER sip:x.x.x.x SIP/2.0 Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK-226458594;rport Content-Length: 0 From: "100" Accept: application/sdp User-Agent: friendly-scanner To: "100" Contact: sip:123@1.1.1.1 CSeq: 1 REGISTER Call-ID: 3348663663 Max-Forwards: 70
After a quick search I found that this is related to a script called SipVicious.
The author of SipVicious has included a tool called svcrash.py to shutdown the script on the attacking server. This is the easiest route to shut down an attacker on a manual basis (You must assume that the attacker has not modified the python script, otherwise the below data is void).
Run svcrash.py on the server being attacked with the “-d” option set.
keith@lab1:~/Documents/sipvicious> ./svcrash.py -d 192.168.34.134 Attacking back 192.168.34.134:5060
Once the above is executed, the attacker should see the following on their server.
kcroxford@attacker:~/Desktop/sipvicious$ ./svcrack.py -u10000 192.168.34.139 CRITICAL:root:Unhandled exception - please run same command with the -R option to send me an automated report ERROR:root:Exception Traceback (most recent call last): File "./svcrack.py", line 460, in sipvicious.start() File "./svcrack.py", line 229, in start self.getResponse() File "./svcrack.py", line 175, in getResponse crackeduser,crackedpasswd = _tmp ValueError: need more than 1 value to unpack WARNING:root:found nothing
If you have an Acme Packet SBC you can request a copy of BCP 520-0052-00 from their Support Engineers. This is the Acme Packet Best Current Practices on how to handle SIPVicious traffic. I believe that there is another way to handle this (which will exploit the weakness in svcrash.py) with a Header Manipulation Rule. If I can confirm this as an option, I will update this blog entry.
If you are running an OpenSips proxy I found that Advantia Voip Systems has a write up on dropping traffic with “friendly-scanner” within the User-Agent header.
All other SBCs :
This is the packet that svcrash.py generates :
SIP/2.0 200 OK Via: SIP/2.0/UDP 8.7.6.5:5061;branch=z9hG4bK-573841574;rport Content-length: 0 From: "100"; tag=676f6f643a6279653a61747461636b65723a User-agent: Telkom Box 2.4 To: "100" Cseq: 1 REGISTER Call-id: 469585712 Max-forwards: 70
If your SBC can automatically generate a similar response to the attacker, you should be able to stop the attack.
Hi, What monitoring tools are you using to monitor the registration requests?
Thank you,
Badr
Palladion from Acme Packet. If you want something free you can use Homer SIP Capture.
Nice post – You can also use Acme’s Plug-in called : sipshield .With the plug-in installed , the sbc will just drop the message .
Yes, sipshield works great, as long as the SBC supports SCX6.3 or higher (3800 / 4500 series)