[VOIPSEC] Mass scan in search of Open SIP devices for Telephone fraud?
Hendrik Scholz
hs at 123.org
Tue Dec 23 06:17:09 CST 2008
Hi!
Fabio Pietrosanti (naif) wrote:
> Does anyone have information on telephone fraud conducted by mass
> scanning Internet IP address space?
What kind of information are you looking for?
I believe most ISPs won't disclose this in full without being asked
specific questions.
> I got several SIP mass scans on my networks and I expect them to be part
> of some wider mass scan.
Do you have a fingerprint (User-Agent, order of headers, specific broken
things)? What kind of IP ranges have been scanned? Are they used
for end customers or core/business infrastructure?
In the last week I've seen an increase in scanning traffic.
I have yet to analyse the messages for hidden hashes/hex IPs/...
before publishing them but a few notes:
- mostly OPTIONS requests
- huge scan using sipvicious
    From: "sipvicious"<sip:100 at 1.1.1.1>; tag=<lots of digits>
- OPTIONS scan with broken branch tag
- OPTIONS scan with broken contact, i.e.
    Contact: <sip:@0.0.0.0:40197;transport=udp>
  or some time before that even this:
    Contact: <sip:@0:0:0:0:0:0:0:0:40197;transport=udp>
> The question is: why are they doing mass SIP scans?
Why not? As for IP ranges dynamically assigned to end customers
the gap between the OPTIONS scan and the real attack might be just
too long to yield good results. Why send an OPTIONS if you could
just send the malicious message instead?
> How do they conduct the fraud?
Do you see clear fraud attempts?
> Are there any cases regarding this?
Explain what you mean by 'this'. What exactly are you seeing?
> How concrete is the risk of
> having open sip devices in the internet?
Nobody (and nobody's implementation) is perfect. So having
anything on the open internet can be considered bad unless
you want free open communication.
Just my $.02,
Hendrik
--
Hendrik Scholz <hs at 123.org>
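
Added example, not part of the original message: a Python sketch that tags SIP requests with the fingerprints listed above (OPTIONS probe, "sipvicious" From display name, Contact with empty user and all-zero host). The message does not say how the branch tag was broken, so the example assumes a missing RFC 3261 magic cookie; the tag names and sample requests are constructed.

```python
import re

# Contact with an empty user part and an all-zero host, as in the two header
# lines quoted in the message (IPv4 0.0.0.0 or eight zero groups).
NULL_CONTACT = re.compile(r"<sip:@(0\.0\.0\.0|0(?::0){7}):\d+")
BRANCH_COOKIE = "z9hG4bK"  # RFC 3261: every Via branch starts with this

def parse_request(raw):
    """Return (method, {lowercased header name: [values]}) for one request."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers

def fingerprint(raw):
    """Return the sorted list of scan fingerprints matched by one request."""
    method, h = parse_request(raw)
    hits = set()
    if method == "OPTIONS":
        hits.add("options-probe")
    if any('"sipvicious"' in v.lower() for v in h.get("from", [])):
        hits.add("sipvicious-from")
    if any(NULL_CONTACT.search(v) for v in h.get("contact", [])):
        hits.add("null-contact")
    for via in h.get("via", []):
        m = re.search(r"branch=([^;,\s]*)", via)
        # Assumption: "broken" means absent or lacking the magic cookie.
        if m is None or not m.group(1).startswith(BRANCH_COOKIE):
            hits.add("bad-branch")
    return sorted(hits)

# Constructed sample requests (documentation addresses, not captured traffic).
def _req(method, branch, from_hdr, contact):
    return (f"{method} sip:100@198.51.100.5 SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch={branch}\r\n"
            f"From: {from_hdr}\r\nTo: <sip:100@198.51.100.5>\r\n"
            f"Contact: {contact}\r\nCall-ID: 1\r\nCSeq: 1 {method}\r\n\r\n")

_OK = "<sip:100@192.0.2.10:5060>"
SAMPLES = {
    "sipvicious": _req("OPTIONS", "z9hG4bK-1", '"sipvicious"<sip:100@1.1.1.1>;tag=123456', _OK),
    "null_v4": _req("OPTIONS", "1234", "<sip:a@192.0.2.10>;tag=1", "<sip:@0.0.0.0:40197;transport=udp>"),
    "null_v6": _req("OPTIONS", "z9hG4bK-2", "<sip:a@192.0.2.10>;tag=2", "<sip:@0:0:0:0:0:0:0:0:40197;transport=udp>"),
    "clean": _req("REGISTER", "z9hG4bK-3", "<sip:a@192.0.2.10>;tag=3", _OK),
}
```

Compact header names (f, m, v) and folded header lines are not handled here; a parser feeding real border traffic would need to normalise them first.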