[VOIPSEC] Analysis of a VoIP Attack
peter at um-labs.com
Thu Oct 23 14:38:19 BST 2008
This is a great analysis.
I have seen the same style of INVITE on a number of our SIP gateways and on
some customer systems. Most of the attacks of this style had the same
source IP as your example, which is registered to an ISP in Bulgaria. I
have also seen OPTIONS probes as well as INVITEs that actually target valid
PSTN numbers. One of the more targeted INVITE attacks was smart enough to
figure out which country the system was in and to use valid numbers and
prefixes for that country, although not smart enough to make some fairly
simple adjustments to that attack that might increase its chances of
The OPTIONS probes are interesting, because these can identify SIP targets
for an INVITE attack.
I think the countermeasures you list are good, but I tend to go one step
further when restricting incoming calls. The restrictions apply to any
destination not just the PSTN. The approach I take in our SIP Gateway is to
allow unauthenticated callers to call only URIs within the local domain, so
there no access to the PSTN and no ability to call other domains. In many
ways this is analogous to the email open relay problem. Just as a well
configured email server will accept email for the local domain only, unless
there is some additional authentication, then a well configured SIP system
should operate in the same way.
In addition, rate limits can be applied to incoming calls (by IP, domain
etc) so any attempt to flood local users is controlled.
CEO UM Labs Ltd
Phone: +44 20 3021 3202
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
Behalf Of Klaus Darilion
Sent: 23 October 2008 13:06
Subject: [VOIPSEC] Analysis of a VoIP Attack
Recently, several IT news websites reported VoIP attacks against home
users containing lots of myths and incorrect statements. Unfortunately,
they also give wrong security advices.
Thus, I decided to write an article about this attack and give some
advices for protection. Maybe you find it interesting too - at least I
Voipsec mailing list
Voipsec at voipsa.org
More information about the Voipsec