Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: SIP Attacks on internet connected port5060 targeting Asterix servers - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
SIP Attacks on internet connected port5060 targeting Asterix servers

 We have had a few reports on IP addresses in certain parts of the world sending INVITE requests to Asterix servers and attempting to make calls.  Looking at the port 5060 data there does seem to be an uptick in targets. 


If you have some packet captures of this or logs. I'd be interested to take a look at them. 




392 Posts
ISC Handler
Apr 15th 2010
A typical event a couple of times a month.
It takes Amazon a couple of days to shut it down.

Port 5060 scan across x.x.x/24
and the 600kbps of SIP REGISTER attempts 300 IN PTR

Mar 25 08:43:41,5060 -> x.x.x.0,5060 PR udp len 20 440 IN
Mar 25 08:43:41,5060 -> x.x.x.1,5060 PR udp len 20 436 IN
... skip 306 lines ...
Mar 25 08:43:42,5060 -> x.x.x.209,5060 PR udp len 20 441 IN

10:57:59.15649 -> x.x.x.x UDP D=5060 S=5069 LEN=347

REGISTER sip:x.x.x.x SIP/2.0..
Via: SIP/2.0/UDP;branch=z9hG4bK-3594771221;rport..
Content-Length: 0..
From: "2999" <sip:2999@x.x.x.x>..
Accept: application/sdp..
To: "2999" <sip:2999@x.x.x.x>..
Call-ID: 1039083047..
Max-Forwards: 70....

Sign Up for Free or Log In to start participating in the conversation!