SIP Attack: Friendly-Scanner

As a new VOIP startup, you may find your SIP server under attack one day.  These attacks can lead to tons of downtime and lost money. But panicking will not help! Instead, it’s important to understand the security aspects of VOIP so you can properly defend your servers from ruthless hackers and script kiddies.

This blog post discusses one of the most popular SIP attacks and how to arm yourself against it.

 

What is it?

Friendly-scanner (which isn’t really friendly at all) is a type of botnet. It scans IP ranges for SIP servers such as softswitches or PBXs, which communicate via the 5060 port. If it finds the port open, it attempts to brute force its way into your SIP server by testing sequential SIP account numbers with common usernames/passwords. The valid accounts are later used for fraudulent purposes, such as making free international calls.

This demo video shows you how a hacker executes a friendly-scanner attack.

 

So How Unfriendly is it?

A successful hack into your softswitch can quickly overload your network. Friendly-scanner can probe your network once every few hours or go into full-blown DoS mode, sending more than 80 SIP REGISTER requests per second. This can last for hours, days, or even weeks, wreaking havoc on your bandwidth use. If how much you pay is based on how much traffic you generate, you’ll be hit with a hefty bill.

 

Symptoms of an attack

Signs of a SIP server attack include problems registering/connecting your phones, extremely slow network connections, and a continual heavy use of bandwidth (which can be seen when reviewing your firewall logs).

 

Time of the attack

Friendly-scanner attacks often occur when the network is least likely to be monitored, such as nights or holidays. Hackers like to make things easier for themselves.

 

Blocking the attack

Blocking the Attacker’s IP Addresses

Firewall policies that deny all and only allow by exception are great in theory. In reality, many SIP clients don’t have static IPs. Because SIP clients often connect dynamically via cable modems and other IP-changing networks, locking down IP access usually isn’t feasible.

 

Port change

Because friendly-scanner finds its way into your network through port 5060, changing the port number to a different port would stop it right in its tracks. But that’s often easier said than done, and it may be hard to configure VoIP clients using non-standard ports.

 

Block by User-Agent

You can also block SIP messages for the User-Agent property associated with the exploit. You should permanently block the following properties:

sipcli
sipvicious
sip-scan
sipsak
sundayddr
friendly-scanner
iWar
CSipSimple
SIVuS
Gulp
sipv
smap
friendly-request
VaxIPUserAgent
VaxSIPUserAgent
siparmyknife
Test Agent

 

Block by REGISTER attempts

If you notice an IP unsuccessfully registering several times within a short time span, you can configure your protection to ban the IP temporarily or forever.

 

Tools for the job: Fail2Ban/iptables

We recommend using Fail2Ban with iptables on Linux servers to block the attackers. These tools are very convenient and easy to use.

Example Fail2Ban/iptables script which installs automatic protection on Centos/Red Had system can be found here. You can adjust it to your needs and it provides instant protection against most common types of attacks. Read more.
fail2ban-iptables script

 

How to stop the attack completely

As with any attack, the best place to stop a friendly-scanner attack is at the router. However, this isn’t always possible without blocking legitimate VoIP traffic. A better solution would be to block hackers upstream or at your firewall.

 

Ask Your Internet Provider

Another solution is to contact your ISP and ask them to block the offending IP; you can also try reporting the offending IP to its originating ISP. This is usually a waste of time because of ISPs‘ slow reaction times and unwillingness to cooperate.

 

Honeypot Context

You can also create a honeypot context that doesn‘t require registration to let hackers call into the fake network, thereby distracting them from your real network.

 

Send OK on Register

Some tools use automated scripts to stop attacks by tricking the scanner into thinking it’s made a successful register attempt. You can learn more about these scripts here and here.

 

Invalid Packet

In rare cases, you can crash the scanner and stop a packet flood by sending the scanner an invalid SIP response. You can find more information on this technique here.

 

Wrap-up

SIP attacks can be extremely frustrating and costly, but you don’t have to lay down and let hackers control your VOIP network. By educating yourself on the security aspects of VOIP and taking the actions described above, you can successfully defend your network.

Be safe, and contact us if you want more information on these techniques. Do you have another technique that works but that we missed? Leave us a comment and let us know.

 

6 Comments SIP Attack: Friendly-Scanner

  1. Imre Varasdy

    For attack like this it’s also can be a solution to log network traffic with trafflow (it logs src:port / dst:port / date, size, pps, etc) and periodically analyze this, and do action (like reject) based on analyzed data.

    Also, if it’s recommended to allow SIP (and maybe other) ports only to those IPs what’s needs to connect (like IP blocks of your country).

    Reply
    1. Kayyum

      Far,Nice find. I just built on Ubuntu if others want to, make sure you haiebvlssl-dev libidn11 zlib1g installed and then just make.

      Reply
  2. Dallas H

    Good write-up! I would also strongly recommend using Snort or similar IPS, which often times has default rules set to block by user-agent, number of failed registrations, etc. Nothing is perfect and every little bit counts!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *