[VOIPSEC] why are attackers so inefficient?

Sandro Gauci sandro at enablesecurity.com
Wed Mar 23 12:18:58 CDT 2011


Hey Klaus,

Yes that's because the scanner is stateless. More information at:
(a) http://blog.sipvicious.org/2010/06/how-to-crash-sipvicious-introducing.html
(b) https://code.google.com/p/sipvicious/wiki/SvcrashFrequentlyAskedQuestions

This behavior was changed in later versions to be nicer to the scanned targets.

regards,

Sandro Gauci
Chief Consultant and Founder of EnableSecurity
Email: sandro at enablesecurity.com
Web: http://enablesecurity.com/
PGP: 514D B10C 8C3C 15BB 2EFD  49EC 7CCD 73C5 0295 F23B



On Wed, Mar 23, 2011 at 5:23 PM, Klaus Darilion
<klaus.mailinglists at pernau.at> wrote:
> I recently had this scan on my proxy:
>
> #
> U 2011/03/23 17:00:07.964580 60.191.221.70:5143 -> xx.yy.xx.yy:5060
> REGISTER sip:xx.yy.xx.yy SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.1:5143;branch=z9hG4bK-1441214577;rport
> Content-Length: 0
> From: "5988" <sip:5988 at xx.yy.xx.yy>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "5988" <sip:5988 at xx.yy.xx.yy>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 4215708921
> Max-Forwards: 70
>
>
> #
> U 2011/03/23 17:00:07.964580 60.191.221.70:5143 -> xx.yy.xx.yy:5060
> REGISTER sip:xx.yy.xx.yy SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.1:5143;branch=z9hG4bK-113964806;rport
> Content-Length: 0
> From: "5988" <sip:5988 at xx.yy.xx.yy>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "5988" <sip:5988 at xx.yy.xx.yy>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 3461115189
> Max-Forwards: 70
>
>
> #
> U 2011/03/23 17:00:07.972580 60.191.221.70:5143 -> xx.yy.xx.yy:5060
> REGISTER sip:xx.yy.xx.yy SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.1:5143;branch=z9hG4bK-1816496172;rport
> Content-Length: 0
> From: "5988" <sip:5988 at xx.yy.xx.yy>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "5988" <sip:5988 at xx.yy.xx.yy>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 1573919667
> Max-Forwards: 70
>
>
> There were 200 requests per second, always the From/To, just the Call-ID
> differs. My proxy did not even respond to the requests. What's the use
> case of sending 200r/s with identical identity? Is this a bug in
> sipvicious or is the attacker just too stupid to use it correctly?
>
> regards
> Klaus
>
>
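A defender-side check for the pattern described in the quoted capture (one source, identical From/To, a new Call-ID on every request), as an added example that is not part of the original thread. The function names, the threshold and the sample capture (documentation IP addresses, made-up Call-IDs) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

HDR = re.compile(r"^U (\S+ \S+) ([\d.]+):\d+ -> \S+$")  # ngrep-style packet line

def _msg(ts, src, ext, call_id, ua):
    """Build one constructed capture entry in the layout quoted in the thread."""
    return (f"#\nU 2011/03/23 {ts} {src}:5143 -> 192.0.2.10:5060\n"
            f"REGISTER sip:192.0.2.10 SIP/2.0\n"
            f'From: "{ext}" <sip:{ext}@192.0.2.10>\nTo: "{ext}" <sip:{ext}@192.0.2.10>\n'
            f"User-Agent: {ua}\nCSeq: 1 REGISTER\nCall-ID: {call_id}\n\n")

# Constructed sample: six fresh REGISTERs from one scanner, then a normal
# phone retransmitting a single request (same Call-ID twice).
SAMPLE = "".join(
    [_msg(f"17:00:07.{964580 + i * 5000:06d}", "198.51.100.7", "5988",
          4215700000 + i, "friendly-scanner") for i in range(6)]
    + [_msg("17:00:08.100000", "203.0.113.5", "1001", "abc1", "ExamplePhone/1.0"),
       _msg("17:00:08.600000", "203.0.113.5", "1001", "abc1", "ExamplePhone/1.0")])

def parse_capture(text):
    """Yield one dict per captured SIP request: ts, src, method, headers."""
    msg = None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            if msg is not None:
                yield msg
            msg = {"ts": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
                   "src": m.group(2), "method": None, "hdr": {}}
        elif msg is not None and msg["method"] is None and line.endswith(" SIP/2.0"):
            msg["method"] = line.split()[0]          # request line
        elif msg is not None and ":" in line:
            name, value = line.split(":", 1)
            msg["hdr"][name.strip().lower()] = value.strip()
    if msg is not None:
        yield msg

def find_stateless_floods(messages, min_call_ids=5):
    """Flag sources that open many new transactions for one From/To identity."""
    groups = defaultdict(list)
    for m in messages:
        groups[(m["src"], m["hdr"].get("from"), m["hdr"].get("to"))].append(m)
    findings = []
    for (src, frm, _to), msgs in groups.items():
        call_ids = {m["hdr"].get("call-id") for m in msgs}
        if len(call_ids) >= min_call_ids:            # retransmissions reuse a Call-ID
            ts = sorted(m["ts"] for m in msgs)
            span = (ts[-1] - ts[0]).total_seconds()
            findings.append({"src": src, "from": frm, "distinct_call_ids": len(call_ids),
                             "rate_per_s": round(len(msgs) / span, 1) if span else None,
                             "user_agents": sorted({m["hdr"].get("user-agent", "") for m in msgs})})
    return findings
```

Counting distinct Call-IDs rather than raw packets keeps ordinary SIP retransmissions, which reuse the Call-ID, from being flagged.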
