VOIP phoneynet : PART 2 "OBSERVATIONS OF THE VOIP PILOT THUS FAR"

In part 2 of our VOIP phoneynet blog series, we look at some very high level details of the results we've seen to date.

As quick background, we decided to deploy VOIP honeypots for 2 reasons:

  • To get a feeling for the extent of network scanning being conducted against VOIP services in the AU network space. By network scanning, we mean probes by persons unknown to determine if there is a VOIP server available.
  • To trial some early generation VOIP honeypot technologies. These systems are so called 'low interaction' honeypots, in that they only provide trivial functionality. They do not interact with, or trick, the miscreant into making calls or anything similar; they simply log attempts to connect.
  • The Internet location of the VOIP phoneypot is an important facet of the whole idea behind the Phoneynet. We use IP addresses that are not advertised anywhere as providing VOIP services, so we can say that any attempt to probe this IP is an opportunistic 'discovery/reconnaissance' phase, as there is no other reason to try to connect to VOIP on the IP of the phoneypot! The initial probe would potentially lead to further nefarious activity (if indeed our honeypot was a real VOIP server). With regard to what the bad guys may use a compromised VOIP service for, we will cover some of this in Part 3 of this blog series.

After the initial setup was complete in March 2009, we waited a few weeks for the first interesting scan. Since then, we probably get only about one scan every few weeks. This amount of activity surprised me, as I'm used to looking at our sensornet activity, which sees multiple attacks per day. I really think VOIP scanning/hacking is in its very early days, and as an underground market for compromised VOIP servers develops, we should expect to see more of these scans.

Here is a map of the IPs that scanned the honeypot.


Yes, that is Nairobi in Kenya.

The very first scan was interesting, and worth highlighting. Logs are shown below.




    ----------------------------------------------2009-04-05 02:16:21
    UDP message received [413] bytes :
    OPTIONS sip:100@x.x.x.x(honeypot_IP_removed by ben) SIP/2.0
    Via: SIP/2.0/UDP x.x.x.x(scanner_IP_removed by ben):5064;branch=z9hG4bK-371673121;rport
    Content-Length: 0
    From: "sipvicious"; tag=37626633376535343133633401323433373135323539
    Accept: application/sdp
    User-Agent: friendly-scanner
    To: "sipvicious"
    Contact: sip:100@x.x.x.x(scanner_IP_removed by ben):5064
    CSeq: 1 OPTIONS
    Call-ID: 789722681006804995164495
    Max-Forwards: 70
    -----------------------------------------------
    Unexpected UDP message received:
    OPTIONS sip:100@x.x.x.x(honeypot_IP_removed by ben) SIP/2.0
    Via: SIP/2.0/UDP x.x.x.x(scanner_IP_removed by ben) :5064;branch=z9hG4bK-371673121;rport
    Content-Length: 0
    From: "sipvicious"; tag=37626633376535343133633401323433373135323539
    Accept: application/sdp
    User-Agent: friendly-scanner
    To: "sipvicious"
    Contact: sip:100@x.x.x.x(scanner_IP_removed by ben):5064
    CSeq: 1 OPTIONS
    Call-ID: 789722681006804995164495
    Max-Forwards: 70
    ----------------------------------------------



The first thing that struck me was 'sipvicious'?? Oh I see, it's a cute reference to the SIP protocol and the famous Sex Pistols member, Sid Vicious.
This led me to visit Sandro Gauci's website http://sipvicious.org. Sandro is a whitehat VOIP security provider. Security professionals would be familiar with 'must have' security audit tools such as 'nmap' and 'nessus' and many others. These tools are used by both the good guys and the bad guys. Good guys use them to conduct 'penetration testing' of Internet systems in an effort to discover problems and fix them up. Bad guys can also use these same tools to discover these weaknesses before they are fixed up.

'Sipvicious' is basically a VOIP security auditing tool, offered by Sandro (a white hat) so that the good guys can learn more about their vulnerabilities and fix them before they are used by the bad guys. Note the 'User-Agent: friendly-scanner' in the logs above; this is the default value Sipvicious sends.
Now, I have no idea as to the motivation of the persons who pointed sipvicious at our honeypots. But I believe that they are opportunistic scans by a miscreant, so that any servers found may be examined further for vulnerabilities.
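The log above is exactly the kind of record a low interaction honeypot collects, and the 'friendly-scanner' User-Agent and the "sipvicious" display name are the fingerprint a defender would key on. The following is an added example, not code from the original post or from the SIPVicious project: it parses a raw SIP request into its request line and headers, then flags the scanner indicators visible in the post's log. The two sample messages are constructed (the probe is the post's OPTIONS request with the redacted addresses replaced by documentation-range placeholder IPs; the keepalive is an invented benign OPTIONS from a PBX), and the Via parsing assumes the simple single-Via form seen in the log.

```python
"""Parse honeypot-logged SIP requests and flag known scanner signatures."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: the SIPVicious OPTIONS probe from the post, with the
# two redacted IPs replaced by RFC 5737 documentation addresses.
SAMPLE_PROBE = (
    "OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5064;branch=z9hG4bK-371673121;rport\r\n"
    "Content-Length: 0\r\n"
    'From: "sipvicious"; tag=37626633376535343133633401323433373135323539\r\n'
    "Accept: application/sdp\r\n"
    "User-Agent: friendly-scanner\r\n"
    'To: "sipvicious"\r\n'
    "Contact: sip:100@198.51.100.7:5064\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Call-ID: 789722681006804995164495\r\n"
    "Max-Forwards: 70\r\n"
    "\r\n"
)

# Constructed sample: an ordinary OPTIONS keepalive from a (hypothetical) PBX,
# included so the classifier has a negative case.
SAMPLE_KEEPALIVE = (
    "OPTIONS sip:192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK-abc123;rport\r\n"
    "From: <sip:pbx@203.0.113.5>;tag=1928301774\r\n"
    "To: <sip:192.0.2.10>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 63104 OPTIONS\r\n"
    "User-Agent: ExamplePBX/1.0\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


@dataclass
class SipRequest:
    method: str
    request_uri: str
    version: str
    headers: dict[str, str] = field(default_factory=dict)  # names lower-cased


def parse_sip_request(raw: str) -> SipRequest:
    """Split a SIP request into request line and headers (body is ignored)."""
    # Tolerate bare "\n" endings, which is how the honeypot log was pasted.
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].strip().split()
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        raise ValueError(f"not a SIP request line: {lines[0]!r}")
    method, uri, version = parts
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line terminates the header section
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return SipRequest(method, uri, version, headers)


# Indicators lifted from the probe in the post: the default SIPVicious
# User-Agent and the literal display name it places in From and To.
SCANNER_SIGNATURES: dict[str, tuple[str, ...]] = {
    "user-agent": ("friendly-scanner",),
    "from": ("sipvicious",),
    "to": ("sipvicious",),
}


def classify(req: SipRequest) -> list[str]:
    """Return the indicators matched, as 'header=needle'; empty means clean."""
    hits = []
    for header, needles in SCANNER_SIGNATURES.items():
        value = req.headers.get(header, "").lower()
        hits.extend(f"{header}={n}" for n in needles if n in value)
    return hits


def claimed_source(req: SipRequest) -> str | None:
    """host:port from the top Via header, i.e. where the sender says it is.

    Via is sender-controlled, so treat it as a claim; the address to record
    for attribution is the one on the UDP datagram itself.
    """
    via = req.headers.get("via")
    if not via:
        return None
    # "SIP/2.0/UDP host:port;branch=...;rport" -> "host:port"
    return via.split(";", 1)[0].split()[-1]


if __name__ == "__main__":
    for label, raw in (("probe", SAMPLE_PROBE), ("keepalive", SAMPLE_KEEPALIVE)):
        req = parse_sip_request(raw)
        print(label, req.method, claimed_source(req), classify(req) or "no indicators")
```

Run against the post's probe this reports all three indicators and the claimed source 198.51.100.7:5064; the keepalive reports none. String matching on a default User-Agent is cheap to evade (the value is trivially changed), so treat a hit as a strong signal for triage rather than the only signal, and pair it with the honeypot's own observation that nothing legitimate should ever contact that address.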

In summary, the takeaway points from this blog are:
- VOIP scanning in Australia does exist.
- Tools and techniques used by the white hat community are also used by the miscreant.

Next up in this Blog series:
VOIP phoneynet : PART 3 "WHAT WOULD CROOKS DO WITH A COMPROMISED VOIP GATEWAY ANYWAY?"