3 Replies Latest reply on Feb 18, 2013 11:19 AM by david Branched from an earlier discussion.

    SIP REGISTER Attack Messages

    mcdeeiis New Member

      Thanks for the reply Levi.

       

      Speaking of the attack, I also noticed these in my logs, and as far as I know this is not my number, "676697360". Could you please explain why this would show up? I have huge entries like this from different numbers starting from 100 to 599 and a few others.

       

      06:12:33.118 SIP.STACK MSG     Rx: UDP src=182.140.145.17:5066 dst=xxx.xxx.xxx.94:5060

      06:12:33.119 SIP.STACK MSG         REGISTER sip:676697360@xxx.xxx.xxx.94 SIP/2.0

      06:12:33.119 SIP.STACK MSG         Via: SIP/2.0/UDP 127.0.0.1:5066;branch=z9hG4bK-2558032309;rport

      06:12:33.119 SIP.STACK MSG         Content-Length: 0

      06:12:33.119 SIP.STACK MSG         From: "676697360"<sip:676697360@xxx.xxx.xxx.94>; tag=3637363639373336300132303234333531383531

      06:12:33.119 SIP.STACK MSG         Accept: application/sdp

      06:12:33.119 SIP.STACK MSG         User-Agent: friendly-scanner

      06:12:33.119 SIP.STACK MSG         To: "676697360"<sip:676697360@xxx.xxx.xxx.94>

      06:12:33.120 SIP.STACK MSG         Contact: sip:676697360@xxx.xxx.xxx.94

      06:12:33.120 SIP.STACK MSG         CSeq: 1 REGISTER

      06:12:33.120 SIP.STACK MSG         Call-ID: 1206026468

      06:12:33.120 SIP.STACK MSG         Max-Forwards: 70

      06:12:33.120 SIP.STACK MSG   

      06:12:33.123 SIP.STACK MSG     Tx: UDP src=xxx.xxx.xxx.94:5060 dst=182.140.145.17:5066

      06:12:33.123 SIP.STACK MSG         SIP/2.0 501 Not Implemented

      06:12:33.123 SIP.STACK MSG         From: "676697360"<sip:676697360@xxx.xxx.xxx.94>;tag=3637363639373336300132303234333531383531

      06:12:33.123 SIP.STACK MSG         To: "676697360"<sip:676697360@xxx.xxx.xxx.94>;tag=3bc4628-0-13c4-4b6d0-34ae633c-4b6d0

      06:12:33.123 SIP.STACK MSG         Call-ID: 1206026468

      06:12:33.123 SIP.STACK MSG         CSeq: 1 REGISTER

      06:12:33.123 SIP.STACK MSG         Via: SIP/2.0/UDP 127.0.0.1:5066;received=182.140.145.17;rport=5066;branch=z9hG4bK-2558032309

      06:12:33.124 SIP.STACK MSG         Content-Length: 0

      06:12:33.124 SIP.STACK MSG

        • Re: SIP REGISTER Attack Messages
          levi Employee

          I branched this question to a new topic.  If you are constantly receiving SIP REGISTER messages for phone numbers that are not assigned to you, you may be under a SIP attack.  One way to prevent this is to create an access-list (ACL) that allows SIP traffic from your SIP server only.  Then you will apply this ACL to the public facing policy-class.  For example, if your SIP server had the IP address of 1.1.1.1:

           

          ip access-list extended SIP-SERVER

            permit udp host 1.1.1.1 any eq 5060

           

          ip policy-class PUBLIC

            allow list SIP-SERVER self

           

          This configuration will only allow uninitiated inbound SIP traffic from the specified SIP server's IP address.

           

          I hope that makes sense, but please do not hesitate to reply to this post with additional questions.  I will be happy to help in any way I can.

           

          Levi
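
An added example, not part of the original posts or the vendor's tooling: a Python sketch that reads debug output in the `SIP.STACK MSG` format quoted in the question and lists source addresses that sent REGISTER requests for several numbers not assigned to the site. The sample log, the addresses, the `assigned` set and the `min_unknown` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

PACKET = re.compile(r"\b(Rx|Tx): UDP src=([\d.]+):\d+")   # packet header line
REGISTER = re.compile(r"\bREGISTER sip:([^@\s]+)@")       # request line only, not CSeq
AGENT = re.compile(r"User-Agent:\s*(\S.*?)\s*$")

def register_sources(log_text):
    """Map source IP -> users and User-Agents seen in received REGISTERs."""
    stats = defaultdict(lambda: {"users": set(), "agents": set()})
    src, in_register = None, False
    for line in log_text.splitlines():
        m = PACKET.search(line)
        if m:  # new packet: remember the sender only for received (Rx) traffic
            src = m.group(2) if m.group(1) == "Rx" else None
            in_register = False
            continue
        if src is None:
            continue
        m = REGISTER.search(line)
        if m:
            in_register = True
            stats[src]["users"].add(m.group(1))
        elif in_register and (m := AGENT.search(line)):
            stats[src]["agents"].add(m.group(1))
    return dict(stats)

def suspicious_sources(stats, assigned, min_unknown=3):
    """Sources that tried at least min_unknown numbers outside `assigned` (assumed threshold)."""
    return sorted(ip for ip, s in stats.items()
                  if len(s["users"] - set(assigned)) >= min_unknown)

# Constructed sample in the thread's log format; all addresses are documentation ranges.
def _msg(ts, src, user, agent):
    p = f"{ts} SIP.STACK MSG "
    return (f"{p}    Rx: UDP src={src}:5066 dst=192.0.2.94:5060\n"
            f"{p}        REGISTER sip:{user}@192.0.2.94 SIP/2.0\n"
            f"{p}        User-Agent: {agent}\n"
            f"{p}        CSeq: 1 REGISTER\n"
            f"{p}    Tx: UDP src=192.0.2.94:5060 dst={src}:5066\n"
            f"{p}        SIP/2.0 501 Not Implemented\n"
            f"{p}        CSeq: 1 REGISTER\n")

SAMPLE_LOG = "".join(_msg("06:12:33.118", "203.0.113.7", u, "friendly-scanner")
                     for u in ("100", "101", "102"))
SAMPLE_LOG += _msg("06:12:40.001", "198.51.100.10", "5551000", "ExamplePBX/1.0")

if __name__ == "__main__":
    print(suspicious_sources(register_sources(SAMPLE_LOG), assigned={"5551000"}))
```
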

          • Re: SIP REGISTER Attack Messages
            levi Employee

            I marked this question as "assumed answered," but if you have any follow up questions related to this post, please do not hesitate to reply.  I will be happy to help in any way I can.

             

            Levi

            • Re: SIP REGISTER Attack Messages
              david Employee

              Mcdeeiis,

               

              I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

               

              Thanks,

              David