
SIP Register/DOS Attacks

Since implementing new monitoring tools, I've noticed a lot of failed REGISTER events on our network. Our SBC issues a 4XX response back to the originating UA, but the attempts continue. At one point I saw 200 REGISTER messages per second from a single IP.

I started to look a bit deeper into the REGISTER packet and found that the User-Agent is always “friendly-scanner”.

REGISTER sip:x.x.x.x SIP/2.0
Via: SIP/2.0/UDP;branch=z9hG4bK-226458594;rport
Content-Length: 0
From: "100" 
Accept: application/sdp
User-Agent: friendly-scanner
To: "100"  
Contact: sip:123@
Call-ID: 3348663663
Max-Forwards: 70

After a quick search, I found that this traffic is related to a script called SipVicious.
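The two signals above (a fixed User-Agent string and an abnormal REGISTER rate from one source) are easy to check for in a monitoring pipeline. The following is an added example, not code from the original post or from SipVicious: it parses the header block of captured SIP messages, flags the "friendly-scanner" User-Agent, and raises a second alert when one source IP exceeds a REGISTER-per-second threshold. The threshold, the IP addresses and the sample messages are constructed for this example.

```python
"""Spot SipVicious-style REGISTER floods in a stream of captured SIP messages.

Added example, not code from the original post or from SipVicious. It parses
the header block of each SIP message, flags the "friendly-scanner" User-Agent
seen in the capture above, and raises a second alert when one source IP sends
more REGISTER requests per window than a threshold. The threshold, the IPs
and the sample messages are constructed for this example.
"""
from collections import defaultdict, deque

SCANNER_AGENTS = {"friendly-scanner"}  # User-Agent value observed in the post
RATE_THRESHOLD = 50                     # REGISTERs per window from one IP (assumed value)
WINDOW_SECONDS = 1.0

# Constructed sample: the REGISTER from the post, with placeholder addresses filled in.
SCANNER_REGISTER = """REGISTER sip:192.0.2.10 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-226458594;rport
Content-Length: 0
From: "100" <sip:100@192.0.2.10>
Accept: application/sdp
User-Agent: friendly-scanner
To: "100" <sip:100@192.0.2.10>
Contact: sip:123@203.0.113.7:5060
Call-ID: 3348663663
Max-Forwards: 70
"""

# Constructed sample: a normal phone registering, with a made-up User-Agent.
PHONE_REGISTER = """REGISTER sip:192.0.2.10 SIP/2.0
Via: SIP/2.0/UDP 198.51.100.20:5060;branch=z9hG4bK-1;rport
From: "201" <sip:201@192.0.2.10>;tag=abc
To: "201" <sip:201@192.0.2.10>
Call-ID: 777
User-Agent: ExamplePhone/1.0
Contact: <sip:201@198.51.100.20:5060>
Max-Forwards: 70
Content-Length: 0
"""


def parse_sip(raw: str) -> dict:
    """Return {'method': ..., 'headers': {...}} for one SIP message.

    Header names are lower-cased because SIP header names are case-insensitive
    (the post's own captures show both "User-Agent" and "User-agent").
    """
    lines = raw.strip().splitlines()
    first = lines[0].split()
    method = "RESPONSE" if first[0].startswith("SIP/") else first[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # an empty line terminates the header block
        if ":" not in line:
            continue  # tolerate a garbled line in a capture
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "headers": headers}


def is_scanner(msg: dict) -> bool:
    """True when the User-Agent matches a known scanner string."""
    return msg["headers"].get("user-agent", "").lower() in SCANNER_AGENTS


class RegisterRateMonitor:
    """Sliding-window count of REGISTER requests per source IP."""

    def __init__(self, threshold=RATE_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)  # src_ip -> timestamps inside the window

    def observe(self, src_ip: str, ts: float, msg: dict) -> bool:
        """Record one message; return True once src_ip exceeds the threshold."""
        if msg["method"] != "REGISTER":
            return False
        q = self.events[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold


def analyze(stream):
    """stream: iterable of (src_ip, timestamp, raw_sip). Returns {src_ip: set(reasons)}."""
    monitor = RegisterRateMonitor()
    findings = defaultdict(set)
    for src_ip, ts, raw in stream:
        msg = parse_sip(raw)
        if is_scanner(msg):
            findings[src_ip].add("scanner-user-agent")
        if monitor.observe(src_ip, ts, msg):
            findings[src_ip].add("register-flood")
    return dict(findings)


def sample_stream():
    """Constructed traffic: 200 scanner REGISTERs in one second, plus a quiet phone."""
    flood = [("203.0.113.7", i * 0.005, SCANNER_REGISTER) for i in range(200)]
    phone = [("198.51.100.20", i * 30.0, PHONE_REGISTER) for i in range(4)]
    return flood + phone


if __name__ == "__main__":
    for ip, reasons in analyze(sample_stream()).items():
        print(ip, sorted(reasons))
```

Matching on the User-Agent alone is brittle, since the string is trivially changed by anyone who edits the script; the rate check catches the same behaviour regardless of what the scanner calls itself, which is why the example reports both reasons separately.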

The author of SipVicious has included a tool called to shut down the script on the attacking server. This is the easiest route to shut down an attacker on a manual basis (it assumes the attacker has not modified the Python script; otherwise the steps below will not work).

Run it on the server being attacked with the "-d" option set.

keith@lab1:~/Documents/sipvicious> ./ -d
Attacking back

Once the above is executed, the attacker should see the following on their server.

kcroxford@attacker:~/Desktop/sipvicious$ ./  -u10000
CRITICAL:root:Unhandled exception - please run same command with the -R option to send me an automated report
Traceback (most recent call last):
File "./", line 460, in
File "./", line 229, in start
File "./", line 175, in getResponse
crackeduser,crackedpasswd = _tmp
ValueError: need more than 1 value to unpack
WARNING:root:found nothing

If you have an Acme Packet SBC, you can request a copy of BCP 520-0052-00 from their Support Engineers. This is the Acme Packet Best Current Practices document on how to handle SipVicious traffic. I believe there is another way to handle this (one that exploits the same weakness in the script using a Header Manipulation Rule). If I can confirm this as an option, I will update this blog entry.

If you are running an OpenSIPS proxy, I found that Advantia Voip Systems has a write-up on dropping traffic with "friendly-scanner" in the User-Agent header.

All other SBCs:

This is the packet that the shutdown tool generates:

SIP/2.0 200 OK
Via: SIP/2.0/UDP;branch=z9hG4bK-573841574;rport
Content-length: 0
From: "100"; tag=676f6f643a6279653a61747461636b65723a
User-agent: Telkom Box 2.4
To: "100"
Call-id: 469585712
Max-forwards: 70

If your SBC can automatically generate a similar response to the attacker, you should be able to stop the attack.

4 thoughts on "SIP Register/DOS Attacks"

  1. Nice post – You can also use Acme's plug-in called sipshield. With the plug-in installed, the SBC will just drop the message.
