Wednesday, September 22, 2010

SIPVicious : Auditing And Protecting Yourself From SIP Registration Attacks.

SIPVicious is a tool developed to audit your SIP-based VoIP / IP telephony system. Basically it is four tools that run on any system capable of running Python:
  • svmap - this is a sip scanner. Lists SIP devices found on an IP range
  • svwar - identifies active extensions on a PBX
  • svcrack - an online password cracker for SIP PBX
  • svreport - manages sessions and exports reports to various formats
  • svcrash - attempts to stop unauthorized svwar and svcrack scans 
While it is an excellent tool, many people misuse it as well; it is usually the tool behind SIP registration attacks, which are attempts to steal your SIP services, or basically your minutes. Initially the tool bombarded IP PBXes with registration requests, which amounted to a DoS attack, so two rival small-town SIP service providers could bombard each other every day and forget about selling services. But most attackers are looking to steal services rather than launch DoS attacks against a SIP network, so the so-called "friendly scanner" (SIPVicious) users are smart enough to tune the tool to levels where you would not know they are attacking. There are some ways you can prevent or slow down these break-in attempts:
  1. For SIP endpoint registration, always use SIP authentication, and encourage or force users to use proper passwords.
  2. If you have a Session Border Controller (SBC), you can blacklist devices after they fail a few REGISTER attempts.
  3. If you're using non-registering SIP (such as SIP peering for SIP trunking), limit access by SIP signaling IP address using firewall rules or ACLs to block all connections except from your peers.
  4. Find ways to spot SIP devices sending abnormal traffic loads, and alarm your staff and/or block them for a certain period. 
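Points 2 and 4 above both come down to counting failed REGISTER transactions per source and reacting when a source crosses a threshold. The following Python script is an added example and not part of the original post or of SIPVicious itself; it assumes a hypothetical SIP proxy log format (one line per REGISTER with source address, User-Agent and reply status) and a handful of constructed log lines. It flags a source either because its User-Agent carries the "friendly-scanner" marker the post mentions, or because it collects too many 403/404 replies inside a sliding 60-second window, while a legitimate phone that takes a single 401 challenge and then registers, or a user who mistypes a password a few times over several minutes, stays below the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's format):
#   <ISO timestamp> REGISTER src=<ip> ua="<User-Agent>" status=<SIP reply code>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) REGISTER src=(?P<src>[\d.]+) ua="(?P<ua>[^"]*)" status=(?P<status>\d{3})$'
)

FAIL_THRESHOLD = 5               # failed REGISTERs tolerated per source ...
WINDOW = timedelta(seconds=60)   # ... inside this sliding window
SCANNER_UA_MARKERS = ("friendly-scanner",)  # User-Agent fragments worth an alarm on their own

# A single 401 is the normal digest challenge every phone receives, so it is not a
# failure. 403 (credentials rejected) and 404 (unknown extension, what svwar probes
# for) are; adjust the set to whatever codes your PBX actually returns.
FAILURE_CODES = {403, 404}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "ua": m.group("ua"),
        "status": int(m.group("status")),
    }


def detect(lines, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: reason} for every source that should be alarmed on or blocked."""
    flagged = {}
    recent_failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src"]
        if any(marker in rec["ua"].lower() for marker in SCANNER_UA_MARKERS):
            flagged.setdefault(src, "scanner User-Agent %r" % rec["ua"])
        if rec["status"] in FAILURE_CODES:
            q = recent_failures[src]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= fail_threshold:
                flagged.setdefault(
                    src, "%d failed REGISTERs within %ds" % (len(q), window.total_seconds())
                )
    return flagged


# Constructed sample log: a normal phone, a scanner announcing itself, a quiet
# brute-force from a second address, and a user who mistyped a password three times.
SAMPLE_LOG = [
    '2010-09-22T10:00:00 REGISTER src=198.51.100.10 ua="DeskPhone/1.0" status=401',
    '2010-09-22T10:00:00 REGISTER src=198.51.100.10 ua="DeskPhone/1.0" status=200',
    '2010-09-22T10:00:01 REGISTER src=203.0.113.5 ua="friendly-scanner" status=404',
    '2010-09-22T10:00:02 REGISTER src=203.0.113.5 ua="friendly-scanner" status=404',
    '2010-09-22T10:01:00 REGISTER src=203.0.113.9 ua="Generic-UA" status=403',
    '2010-09-22T10:01:05 REGISTER src=203.0.113.9 ua="Generic-UA" status=403',
    '2010-09-22T10:01:10 REGISTER src=203.0.113.9 ua="Generic-UA" status=403',
    '2010-09-22T10:01:15 REGISTER src=203.0.113.9 ua="Generic-UA" status=403',
    '2010-09-22T10:01:20 REGISTER src=203.0.113.9 ua="Generic-UA" status=403',
    '2010-09-22T10:01:25 REGISTER src=203.0.113.9 ua="Generic-UA" status=403',
    '2010-09-22T10:05:00 REGISTER src=198.51.100.20 ua="DeskPhone/1.0" status=403',
    '2010-09-22T10:07:00 REGISTER src=198.51.100.20 ua="DeskPhone/1.0" status=403',
    '2010-09-22T10:09:00 REGISTER src=198.51.100.20 ua="DeskPhone/1.0" status=403',
]

if __name__ == "__main__":
    for src, reason in sorted(detect(SAMPLE_LOG).items()):
        print("%s: %s" % (src, reason))
```

The output of `detect()` is what you would hand to the SBC or firewall blacklist from point 2, or to whatever alerting your staff use for point 4; keep the threshold and window tunable, because a scanner throttled to a few attempts per minute only shows up once the window is long enough to accumulate them.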
Also, let your staff, at least the technical people, get their hands on SIPVicious and learn how it works. SIPVicious has instructions for running the attacks against a Trixbox VMware image.
SIPVicious via ecg