Open SIP Relay scanner currently doing the rounds

Security professionals and system administrators are aware of the well-known problems associated with "open mail relays". Spammers actively seek out these poorly configured email servers and then take advantage of them by getting the relays to send out vast amounts of spam.

However, probably not many know that a very similar concept exists in the world of VOIP. Here, crooks scan for VOIP servers that are so poorly configured that they accept and re-route (relay) incoming calls without carrying out proper checks on the source, blindly relaying these calls through either the victim's ISP or the PSTN (non-VOIP) network. The concept is also similar to a "default route", in that if the VOIP server doesn't know the number being called, it will simply re-route the call onward. The crooks then sell time/calls on this system on the underground market, and the victim picks up the bill at the next monthly billing cycle, whereupon the amount can be staggering. For example, in 2009 a Perth business was left with a phone bill of $120,000 after 11,000 calls were made through their compromised VOIP system; read the story here.

In 2008, open SIP relay scanning activity was noted in Germany, and an excellent write-up can be found here.

In the last 4 days, our Australian-based SIP honeypot has detected this same activity. It seems that this group (or groups) is currently scanning Australian IP space in an attempt to find these open relays, to use at a later stage.

The following is an example of activity from an open relay scanner currently doing the rounds in the Australian IP space.
_____________________________________________________________

Source: 202.71.111.5:2452
Datetime: 2010-09-16 22:02:52.041018

Message:
INVITE sip:001133155xxxxxx@honeypot_ip_removed;transport=udp SIP/2.0
Via: SIP/2.0/UDP 202.71.111.5:2452;branch=1010110111000011111110101111011
202.71.111.5honeypot_ip_removed2107160275;rport
Max-Forwards: 70
From: ;tag=33632504215-229557263363250421533632504215202.71.111.5
To:
Call-ID: 787774ee110111100110101010001000100011011010110111000011111110101111011
202.71.111.5honeypot_ip_removed2107160275149dc6a001133155xxxxxx33632504215-229557263363250421533632504215202.71.111.51027572984
CSeq: 1 INVITE
Contact: [email protected]:2452;transport=udp>
Content-Type: application/sdp
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER,
REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: eyeBeam release 1003s stamp 31159
Content-Length: 212
[email protected]:2452;transport=udp>

v=0
o=- 16264 18299 IN IP4 honeypot_ip_removed
s=CounterPath eyeBeam 1.5
c=IN IP4 honeypot_ip_removed
t=0 0
m=audio 33478 RTP/AVP 18 0 8 101
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/80

_____________________________________________________________

Note the following:

  • The scan came from 202.71.111.5, in Malaysia
  • The user agent header says "User-Agent: eyeBeam release 1003s stamp 31159", which is a popular softphone, but this is faked in an attempt to appear legitimate.
  • The Call-ID contains all sorts of encoded data, including the IP of the scanner and the honeypot, the phone number, etc. This is not a properly formatted SIP field.
  • The telephone number that the relay attack is trying to dial is a number in France, 001133155xxxxxx (obfuscated here). Note the 0011, which is the prefix for an overseas trunk out of Australia, followed by France's country code of 33.
  • This is just another sign that the crooks are actively scanning for vulnerable VOIP servers, and Australia is certainly not escaping their attention. Now may be a good time to conduct a review and/or pentest of VOIP systems.
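The indicators listed above can be checked mechanically on a SIP honeypot or PBX log. The following is an added example (not code from the original diary) that parses an INVITE, then flags the same tell-tales: a request-URI dialling an international number the server does not own, a User-Agent claiming a well-known softphone while the Via branch lacks the RFC 3261 "z9hG4bK" magic cookie that every compliant client sends, a Call-ID that embeds the scanner's address, the called server's address or the dialled number, and a From header carrying no URI. The sample message is constructed here, modelled on the captured INVITE, with the honeypot address replaced by the placeholder 192.0.2.10 and the French number padded with zeros; the softphone name list and the 0011 trunk prefix are assumptions you would tune to your own environment.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the captured INVITE above (honeypot IP is the
# placeholder 192.0.2.10; the dialled number is padded with zeros).
SAMPLE_INVITE = (
    "INVITE sip:001133155000000@192.0.2.10;transport=udp SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 202.71.111.5:2452;branch=1010110111000011111110101111011;rport\r\n"
    "Max-Forwards: 70\r\n"
    "From: ;tag=33632504215\r\n"
    "To: <sip:001133155000000@192.0.2.10>\r\n"
    "Call-ID: 787774ee1101111001202.71.111.5192.0.2.102107160275149dc6a001133155000000\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:100@202.71.111.5:2452;transport=udp>\r\n"
    "User-Agent: eyeBeam release 1003s stamp 31159\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed benign INVITE from a compliant phone to a local extension.
BENIGN_INVITE = (
    "INVITE sip:101@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: \"Alice\" <sip:100@192.0.2.10>;tag=1928301774\r\n"
    "To: <sip:101@192.0.2.10>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:100@192.0.2.20>\r\n"
    "User-Agent: eyeBeam release 1003s stamp 31159\r\n"
    "Content-Length: 0\r\n\r\n"
)

MAGIC_COOKIE = "z9hG4bK"  # RFC 3261 s.8.1.1.7: compliant UAs start the Via branch with this
KNOWN_SOFTPHONES = ("eyeBeam", "X-Lite", "Bria")  # assumption: names a genuine client would send
URI_RE = re.compile(r"<?sips?:(?:(?P<user>[^@;>\s]+)@)?(?P<host>[^;>\s]+)")


@dataclass
class SipRequest:
    method: str
    request_uri: str
    version: str
    headers: dict = field(default_factory=dict)  # lower-cased name -> list of values
    body: str = ""

    def header(self, name):
        values = self.headers.get(name.lower())
        return values[0] if values else None


def parse_sip_request(raw):
    """Split a raw SIP request into request line, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    req = SipRequest(method=parts[0], request_uri=parts[1], version=parts[2], body=body)
    current = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and current:
            req.headers[current][-1] += " " + line.strip()  # folded continuation line
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        current = name.strip().lower()
        req.headers.setdefault(current, []).append(value.strip())
    return req


def uri_parts(text):
    """Return (user, host) of the first SIP URI in text, or (None, None)."""
    m = URI_RE.search(text)
    return (m.group("user"), m.group("host")) if m else (None, None)


def assess_invite(req, local_ip, local_extensions, intl_prefixes=("0011",)):
    """Return a list of relay-scan indicators found in an INVITE (empty if none)."""
    findings = []
    if req.method != "INVITE":
        return findings
    number = uri_parts(req.request_uri)[0] or ""
    if number and number not in local_extensions:
        if any(number.startswith(p) for p in intl_prefixes):
            findings.append("request-URI dials international number %s this server does not own" % number)
        else:
            findings.append("request-URI dials unknown number %s" % number)
    via = req.header("Via") or ""
    sent_by = via.split(None, 1)[1].split(";")[0] if " " in via else ""
    source_ip = sent_by.rsplit(":", 1)[0]  # IPv4 host:port only; IPv6 literals not handled
    m = re.search(r";branch=([^;]*)", via)
    branch = m.group(1) if m else ""
    ua = req.header("User-Agent") or ""
    if any(name in ua for name in KNOWN_SOFTPHONES) and not branch.startswith(MAGIC_COOKIE):
        findings.append("User-Agent claims %r but Via branch lacks the RFC 3261 magic cookie" % ua)
    # RFC 3261 allows "localid@host", so the sender's own host after "@" is normal; the
    # dialled number, the called server's address or the source address in the local part are not.
    local_part = (req.header("Call-ID") or "").partition("@")[0]
    embedded = sorted({t for t in (number, local_ip, source_ip) if t and t in local_part})
    if embedded:
        findings.append("Call-ID embeds %s" % ", ".join(embedded))
    frm = req.header("From") or ""
    if uri_parts(frm) == (None, None):
        findings.append("From header carries no URI: %r" % frm)
    return findings


if __name__ == "__main__":
    for label, msg in (("scanner", SAMPLE_INVITE), ("benign", BENIGN_INVITE)):
        for f in assess_invite(parse_sip_request(msg), "192.0.2.10", {"100", "101"}):
            print("%s: %s" % (label, f))
```

Run it as a script to see the four indicators raised for the constructed scanner message and none for the benign call; in practice you would feed `parse_sip_request` each INVITE your honeypot or PBX logs and alert on any non-empty result.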

    @benreardon