[VOIPSEC] why are attackers so inefficient?
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Mar 23 11:23:27 CDT 2011
I recently had this scan on my proxy:
#
U 2011/03/23 17:00:07.964580 60.191.221.70:5143 -> xx.yy.xx.yy:5060
REGISTER sip:xx.yy.xx.yy SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5143;branch=z9hG4bK-1441214577;rport
Content-Length: 0
From: "5988" <sip:5988 at xx.yy.xx.yy>
Accept: application/sdp
User-Agent: friendly-scanner
To: "5988" <sip:5988 at xx.yy.xx.yy>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 4215708921
Max-Forwards: 70
#
U 2011/03/23 17:00:07.964580 60.191.221.70:5143 -> xx.yy.xx.yy:5060
REGISTER sip:xx.yy.xx.yy SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5143;branch=z9hG4bK-113964806;rport
Content-Length: 0
From: "5988" <sip:5988 at xx.yy.xx.yy>
Accept: application/sdp
User-Agent: friendly-scanner
To: "5988" <sip:5988 at xx.yy.xx.yy>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 3461115189
Max-Forwards: 70
#
U 2011/03/23 17:00:07.972580 60.191.221.70:5143 -> xx.yy.xx.yy:5060
REGISTER sip:xx.yy.xx.yy SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5143;branch=z9hG4bK-1816496172;rport
Content-Length: 0
From: "5988" <sip:5988 at xx.yy.xx.yy>
Accept: application/sdp
User-Agent: friendly-scanner
To: "5988" <sip:5988 at xx.yy.xx.yy>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 1573919667
Max-Forwards: 70
There were 200 requests per second, always the same From/To, just the Call-ID
differs. My proxy did not even respond to the requests. What's the use
case of sending 200 r/s with identical identity? Is this a bug in
sipvicious or is the attacker just too stupid to use it correctly?
regards
Klaus
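
A defender-side check for the pattern described above, as an added example that is not part of the original post: it parses ngrep-style text output and reports any source that sends many REGISTERs within one second using the same From but a different Call-ID each time. The function names, the per-second threshold and the sample packets (documentation-range addresses) are assumptions.

```python
import re
from collections import defaultdict

# ngrep packet header: "U <date> <time> <src ip>:<port> -> <dst>"
HDR = re.compile(r"^U (\S+ \S+) (\d+\.\d+\.\d+\.\d+):\d+ -> ")

def parse(capture):
    """Yield one dict per SIP message in ngrep text output ('#' separates packets)."""
    for block in re.split(r"^#\s*$", capture, flags=re.M):
        lines = [l.strip() for l in block.strip().splitlines()]
        m = HDR.match(lines[0]) if len(lines) > 1 else None
        if not m:
            continue
        hdrs = {k.strip().lower(): v.strip() for k, v in
                (l.split(":", 1) for l in lines[2:] if ":" in l)}
        yield {"second": m.group(1)[:19], "src": m.group(2),
               "method": lines[1].split()[0], "from": hdrs.get("from", ""),
               "ua": hdrs.get("user-agent", ""), "call_id": hdrs.get("call-id", "")}

def find_floods(capture, min_per_sec=100):
    """Report (source, From) pairs sending >= min_per_sec REGISTERs within one
    second, each with a different Call-ID. The threshold is an assumption."""
    call_ids, agents = defaultdict(set), {}
    for msg in parse(capture):
        if msg["method"] == "REGISTER":
            key = (msg["src"], msg["from"], msg["second"])
            call_ids[key].add(msg["call_id"])
            agents[key] = msg["ua"]
    return [{"src": k[0], "from": k[1], "second": k[2], "registers": len(ids),
             "scanner_ua": agents[k] == "friendly-scanner"}
            for k, ids in call_ids.items() if len(ids) >= min_per_sec]

# Constructed sample (documentation-range addresses), same layout as the capture.
PKT = ("#\nU 2011/03/23 17:00:07.{us:06d} {src}:5143 -> 192.0.2.10:5060\n"
       "REGISTER sip:192.0.2.10 SIP/2.0\n"
       'From: "{user}" <sip:{user}@192.0.2.10>\n'
       "User-Agent: {ua}\nCSeq: 1 REGISTER\nCall-ID: {cid}\n")
SAMPLE = "".join(
    [PKT.format(us=964580 + i, src="203.0.113.7", user="5988",
                ua="friendly-scanner", cid=4215708921 + i) for i in range(3)]
    + [PKT.format(us=970000, src="198.51.100.4", user="1001",
                  ua="ExamplePhone/1.0", cid=77)])

if __name__ == "__main__":
    for hit in find_floods(SAMPLE, min_per_sec=3):
        print(hit)
```
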