Security professionals and system administrators are aware of the well-known problems associated with "open mail relays". Spammers actively seek out these poorly configured email servers, and then take advantage by getting the relays to send out vast amounts of SPAM.
However, probably not many know that in the world of VOIP a very similar concept exists. Here, crooks scan for VOIP servers that are so poorly configured that they accept and re-route (relay) incoming calls without carrying out proper checks on the source, blindly relaying those calls through either the victim's ISP or the PSTN (non-VOIP) network. The concept is also similar to a "default route": if the VOIP server doesn't know the number being called, it will simply re-route the call. The crooks then sell time/calls on this system on the underground market, and the victim picks up the bill at the next monthly billing cycle, when the amount can be staggering. For example, in 2009 a Perth business was left with a phone bill of $120,000 after 11,000 calls were made through their compromised VOIP system (read the story here).
In 2008, open SIP relay scanning activity was noted in Germany, and an excellent write up can be found here.
In the last 4 days, our Australian-based SIP honeypot has detected this same activity. It seems that this group (or groups) is currently scanning Australian IP space in an attempt to find these open relays, to use at a later stage.
The following is an example of the activity of an open relay scanner currently doing the rounds in Australian IP space.
Datetime: 2010-09-16 22:02:52.041018
INVITE sip:001133155xxxxxx@honeypot_ip_removed;transport=udp SIP/2.0
Via: SIP/2.0/UDP 184.108.40.206:2452;branch=1010110111000011111110101111011
CSeq: 1 INVITE
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER,
REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: eyeBeam release 1003s stamp 31159
o=- 16264 18299 IN IP4 honeypot_ip_removed
s=CounterPath eyeBeam 1.5
c=IN IP4 honeypot_ip_removed
m=audio 33478 RTP/AVP 18 0 8 101
Note the following:
This is just another sign that the crooks are actively scanning for vulnerable VOIP servers, and Australia is certainly not escaping their attention. Now may be a good time to conduct a review and/or pentest of VOIP systems.
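As an added example (not code from the honeypot or from this post), the following Python parses a SIP request and flags the pattern shown above: an unauthenticated INVITE that asks our own server to dial an international number. The sample message is constructed from the quoted INVITE with a documentation IP standing in for the honeypot address, and the set of "our" addresses and the international-prefix rule are assumptions to be adjusted for a real PBX.

```python
import re

# Constructed sample modelled on the INVITE quoted above (not the honeypot's raw
# capture); the Request-URI user part is kept as the post shows it, with its
# redacted digits, and the honeypot address is replaced with a documentation IP.
SAMPLE_INVITE = (
    "INVITE sip:001133155xxxxxx@203.0.113.10;transport=udp SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 184.108.40.206:2452;branch=1010110111000011111110101111011\r\n"
    "CSeq: 1 INVITE\r\n"
    "Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER,\r\n"
    " REGISTER, SUBSCRIBE, UPDATE, PUBLISH\r\n"
    "User-Agent: eyeBeam release 1003s stamp 31159\r\n\r\n"
)
OUR_HOSTS = {"203.0.113.10"}  # assumed: the addresses our PBX answers on
# International dial prefix (+, 00 or 011) followed by at least seven more
# digits; 'x' is accepted so the post's redacted number still matches.
INTL_NUMBER = re.compile(r"^(?:\+|00|011)[0-9x]{7,}$")

def parse_sip_request(raw):
    """Return (method, request_uri, headers) for one SIP request.
    Header names are lower-cased; folded continuation lines (a line starting
    with whitespace, as in the Allow header above) are joined per RFC 3261."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers, name = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and name is not None:
            headers[name] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[name] = value.strip()
    return method, uri, headers

def is_relay_probe(raw):
    """True when an INVITE asks this server to place an international call
    with no credentials attached: the feeler an open-relay scanner sends."""
    method, uri, headers = parse_sip_request(raw)
    if method != "INVITE":
        return False
    m = re.match(r"sip:([^@]+)@([^:;>\s]+)", uri)
    if not m or m.group(2) not in OUR_HOSTS:
        return False
    authenticated = "authorization" in headers or "proxy-authorization" in headers
    return bool(INTL_NUMBER.match(m.group(1))) and not authenticated
```

Run over a honeypot or PBX SIP log, hits from this check are the requests to correlate with your source-IP allow list and with the accounting records at the next billing cycle.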