Adtran
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable
‎03-01-2012 08:23 AM

SIP REGISTER Attack Messages

Jump to solution

Thanks for the reply Levi.

Speaking of the attack. I also noticed these in my logs and as far as I know this is not my numbers"676697360". Could you please explain why this would show up? I have huge entries like this from different numbers starting from 100 to 599 and few others.

06:12:33.118 SIP.STACK MSG     Rx: UDP src=182.140.145.17:5066 dst=xxx.xxx.xxx.94:5060

06:12:33.119 SIP.STACK MSG         REGISTER sip:676697360@xxx.xxx.xxx.94 SIP/2.0

06:12:33.119 SIP.STACK MSG         Via: SIP/2.0/UDP 127.0.0.1:5066;branch=z9hG4bK-2558032309;rport

06:12:33.119 SIP.STACK MSG         Content-Length: 0

06:12:33.119 SIP.STACK MSG         From: "676697360"<sip:676697360@xxx.xxx.xxx.94>; tag=3637363639373336300132303234333531383531

06:12:33.119 SIP.STACK MSG         Accept: application/sdp

06:12:33.119 SIP.STACK MSG         User-Agent: friendly-scanner

06:12:33.119 SIP.STACK MSG         To: "676697360"<sip:676697360@xxx.xxx.xxx.94>

06:12:33.120 SIP.STACK MSG         Contact: sip:676697360@xxx.xxx.xxx.94

06:12:33.120 SIP.STACK MSG         CSeq: 1 REGISTER

06:12:33.120 SIP.STACK MSG         Call-ID: 1206026468

06:12:33.120 SIP.STACK MSG         Max-Forwards: 70

06:12:33.120 SIP.STACK MSG   

06:12:33.123 SIP.STACK MSG     Tx: UDP src=xxx.xxx.xxx.94:5060 dst=182.140.145.17:5066

06:12:33.123 SIP.STACK MSG         SIP/2.0 501 Not Implemented

06:12:33.123 SIP.STACK MSG         From: "676697360"<sip:676697360@xxx.xxx.xxx.94>;tag=3637363639373336300132303234333531383531

06:12:33.123 SIP.STACK MSG         To: "676697360"<sip:676697360@xxx.xxx.xxx.94>;tag=3bc4628-0-13c4-4b6d0-34ae633c-4b6d0

06:12:33.123 SIP.STACK MSG         Call-ID: 1206026468

06:12:33.123 SIP.STACK MSG         CSeq: 1 REGISTER

06:12:33.123 SIP.STACK MSG         Via: SIP/2.0/UDP 127.0.0.1:5066;received=182.140.145.17;rport=5066;branch=z9hG4bK-2558032309

06:12:33.124 SIP.STACK MSG         Content-Length: 0

06:12:33.124 SIP.STACK MSG

Labels (2)
Labels
0 Kudos
Reply
1 Solution

Accepted Solutions
Anonymous
Not applicable
‎03-01-2012 08:44 AM

Re: SIP REGISTER Attack Messages

Jump to solution

I branched this question to a new topic.  If you are constantly receiving SIP REGISTER messages for phone numbers that are not assigned to you, you may be under a SIP attack.  One way to prevent this is the create an access-list (ACL) that allows SIP traffic from your SIP server only.  Then you will apply this ACL to the public facing policy-class.  For example, if your SIP server had the IP address of 1.1.1.1:

ip access-list extended SIP-SERVER

  permit udp host 1.1.1.1 any eq 5060

ip policy-class PUBLIC

  allow list SIP-SERVER self

This configuration will only allow uninitiated inbound SIP traffic from the specified SIP server's IP address.

I hope that makes sense, but please to not hesitate to reply to this post with additional questions.  I will be happy to help in any way I can.

Levi

View solution in original post

0 Kudos
Reply
3 Replies
Anonymous
Not applicable
‎03-01-2012 08:44 AM

Re: SIP REGISTER Attack Messages

Jump to solution

I branched this question to a new topic.  If you are constantly receiving SIP REGISTER messages for phone numbers that are not assigned to you, you may be under a SIP attack.  One way to prevent this is the create an access-list (ACL) that allows SIP traffic from your SIP server only.  Then you will apply this ACL to the public facing policy-class.  For example, if your SIP server had the IP address of 1.1.1.1:

ip access-list extended SIP-SERVER

  permit udp host 1.1.1.1 any eq 5060

ip policy-class PUBLIC

  allow list SIP-SERVER self

This configuration will only allow uninitiated inbound SIP traffic from the specified SIP server's IP address.

I hope that makes sense, but please to not hesitate to reply to this post with additional questions.  I will be happy to help in any way I can.

Levi

0 Kudos
Reply
Anonymous
Not applicable
‎03-02-2012 08:32 AM

Re: SIP REGISTER Attack Messages

Jump to solution

I marked this question as "assumed answered," but if you have any follow up questions related to this post, please do not hesitate to reply.  I will be happy to help in any way I can.

Levi

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎02-18-2013 01:19 PM

Re: SIP REGISTER Attack Messages

Jump to solution

Mcdeeiis,

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

David

0 Kudos
Accept as Solution Reply