Mar 6 2011

SIP Attack! Home VoIP ATA Got DoS’ed

I bought an ATA from Cormain back in January. It's ugly, but it works: it sits behind our new Billion 7800N ADSL2+ router and makes calls via PennyTel. No problems whatsoever until a week ago, when VoIP suddenly stopped working. I was also unable to connect to the ATA's web admin interface to figure out what might be wrong. I thought the ATA was dead, a nasty cheap product, and that I had bought a lemon and would now need to file a warranty claim.

Interestingly, when I disconnected the ATA from the WAN, I could connect to its admin interface via the LAN port. But as soon as I plugged the LAN port back into my ADSL hub, any request to the admin interface would time out. That was weird, so I pointed the ATA's syslog at my external syslogd and reconnected the LAN port. Heaps of log messages came through. Here is a snippet:

Mar  3 22:26:24 CDUaUdpStack::OnReceiveFrom(803fa460, 334)
Mar  3 22:26:24 from:50.22.171.5, port:5112, len=334, REGISTER sip:xx.xx.xx.xx SIP/2.0^M Via: SIP/2.0/UDP 50.22.171.5:5112;branch=z9hG4bK-1614305573;rport^M Content-Length: 0^M From: "152" ^M Accept: application/sdp^M User-Agent: friendly-scanner^M To: "152" ^M Contact: sip:123@1.1.1.1^M CSeq: 1 REGISTER^M Call-ID: 2269038874^M Max-Forwards: 70^M ^M
...
Mar  3 22:26:24 CUserAgent::SendTo(806f9750, 234, 5112, 50.22.171.5, 0, encryptType=0, udp, 0)
Mar  3 22:26:24 to:50.22.171.5, port:5112, len=234, SIP/2.0 403 Forbidden^M Via: SIP/2.0/UDP 50.22.171.5:5112;branch=z9hG4bK-1079254239;rport^M From: "152" ^M To: "152" ;tag=2cfa115b^M Call-ID: 807709011^M CSeq: 1 REGISTER^M Content-Length: 0^M ^M

Repeat the above around 15 times per second. What appears to be happening is that the host 50.22.171.5 has been sending me SIP REGISTER requests at about 15 per second, and my VoIP ATA is dutifully replying to each one with a 403 Forbidden at the same rate. The User-Agent header gives the tool away: "friendly-scanner" is the default identity of the SIPVicious scanning suite, which enumerates SIP extensions and brute-forces their passwords. My ATA is effectively DoS'ed: I am denied my VoIP service because the device is too busy servicing bogus requests.

Once I firewalled the requests (dropping all packets from that IP), my VoIP ATA regained its sanity. Hooray!
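To make the diagnosis and the mitigation above concrete, here is an added example (my code, not the author's and not anything shipped with the ATA) that reads syslog lines in the format shown, counts REGISTER requests per source per second, flags any source that exceeds a rate threshold or advertises the "friendly-scanner" User-Agent, and emits a drop rule for each flagged source. The log text is a constructed sample modelled on the snippet; the address 192.0.2.10, the "ExampleSoftphone/1.0" User-Agent and the iptables rule (which assumes a Linux host filtering in front of the ATA, not the Billion router's own firewall syntax) are assumptions.

```python
"""Spot a SIP REGISTER flood in an ATA's syslog output.

Added example, not code from the original post. It parses the
"from:<ip>, port:<n>, len=<n>, <METHOD> ..." lines the ATA logged, counts
REGISTER requests per source per second, and flags sources that exceed a rate
threshold or identify themselves with a known scanner User-Agent.
"""
import re
from collections import defaultdict


# Constructed sample modelled on the post's snippet (not the author's real log).
# The syslogd rendered each CR in the SIP message as a literal "^M".
def _scanner_line(sec, i):
    return (f"Mar  3 22:26:{sec:02d} from:50.22.171.5, port:5112, len=334, "
            f"REGISTER sip:xx.xx.xx.xx SIP/2.0^M Via: SIP/2.0/UDP 50.22.171.5:5112;"
            f"branch=z9hG4bK-{1614305573 + i};rport^M Content-Length: 0^M "
            f'From: "152" ^M Accept: application/sdp^M User-Agent: friendly-scanner^M '
            f'To: "152" ^M Contact: sip:123@1.1.1.1^M CSeq: 1 REGISTER^M '
            f"Call-ID: {2269038874 + i}^M Max-Forwards: 70^M ^M")


SAMPLE_LOG = "\n".join(
    ["Mar  3 22:26:24 CDUaUdpStack::OnReceiveFrom(803fa460, 334)"]
    + [_scanner_line(24, i) for i in range(16)]            # 16 REGISTERs in one second
    + ["Mar  3 22:26:24 CUserAgent::SendTo(806f9750, 234, 5112, 50.22.171.5, 0, encryptType=0, udp, 0)",
       'Mar  3 22:26:24 to:50.22.171.5, port:5112, len=234, SIP/2.0 403 Forbidden^M '
       'Via: SIP/2.0/UDP 50.22.171.5:5112;branch=z9hG4bK-1079254239;rport^M '
       'From: "152" ^M To: "152" ;tag=2cfa115b^M Call-ID: 807709011^M CSeq: 1 REGISTER^M Content-Length: 0^M ^M']
    + [_scanner_line(25, 16 + i) for i in range(14)]       # 14 more in the next second
    # Assumed legitimate REGISTER from a LAN softphone (192.0.2.10 is a documentation address).
    + ['Mar  3 22:26:25 from:192.0.2.10, port:5060, len=410, REGISTER sip:xx.xx.xx.xx SIP/2.0^M '
       'User-Agent: ExampleSoftphone/1.0^M CSeq: 1 REGISTER^M ^M']
)

SCANNER_USER_AGENTS = {"friendly-scanner"}   # SIPVicious's default UA; extend as needed

# Only inbound lines ("from:") carry a request; the ATA's own "to:" replies are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) from:(?P<src>[\d.]+), port:(?P<port>\d+), "
    r"len=(?P<len>\d+), (?P<method>[A-Z]+) ")
UA_RE = re.compile(r"User-Agent: (?P<ua>[^^]+?)\^M")


def parse_sip_requests(log_text):
    """Yield (timestamp, source_ip, method, user_agent) for each inbound SIP request line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ua = UA_RE.search(line)
        yield m["ts"], m["src"], m["method"], (ua["ua"].strip() if ua else "")


def find_flooders(log_text, threshold_per_sec=10):
    """Return {source_ip: {"peak_rate": n, "user_agents": set, "flagged": bool}}.

    A source is flagged if its REGISTER rate in any one-second window reaches the
    threshold, or if it advertises a known scanner User-Agent (even at a low rate).
    """
    per_sec = defaultdict(int)          # (timestamp, src) -> REGISTER count in that second
    uas = defaultdict(set)
    for ts, src, method, ua in parse_sip_requests(log_text):
        if method != "REGISTER":
            continue
        per_sec[(ts, src)] += 1
        if ua:
            uas[src].add(ua)
    report = {}
    for (ts, src), n in per_sec.items():
        entry = report.setdefault(src, {"peak_rate": 0, "user_agents": uas[src], "flagged": False})
        entry["peak_rate"] = max(entry["peak_rate"], n)
    for src, entry in report.items():
        entry["flagged"] = (entry["peak_rate"] >= threshold_per_sec
                            or bool(entry["user_agents"] & SCANNER_USER_AGENTS))
    return report


def drop_rules(report):
    """One firewall rule per flagged source. Assumes a Linux host running iptables
    in front of the ATA; the post's Billion router uses its own rule syntax."""
    return [f"iptables -I INPUT -s {src} -j DROP"
            for src, e in sorted(report.items()) if e["flagged"]]


if __name__ == "__main__":
    rep = find_flooders(SAMPLE_LOG)
    for src, e in sorted(rep.items()):
        print(f"{src}: peak {e['peak_rate']} REGISTER/s, UA={sorted(e['user_agents'])}, flagged={e['flagged']}")
    for rule in drop_rules(rep):
        print(rule)
```

Run against the sample, the scanner source comes out flagged with a peak of 16 REGISTERs in one second while the LAN softphone does not. Note that the DROP rule only stops the ATA from answering; the inbound packets still arrive at the router and still cross the ADSL link.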

However, the "attack" did not stop. A large number of requests still hit my ADSL router every second, and dropping them only stops the replies: the inbound packets still traverse the link and count towards my ADSL monthly quota. Here is an MRTG graph.

[MRTG graph: VoIP DOS'ed]

There is not a lot I can do.

  • I have sent an email to Softlayer's abuse department (the IP address belongs to Softlayer). I did that a few days ago and am still waiting for a reply.
  • I could request a new IP address from Exetel and switch to it. That is a lot of hassle, especially as some services authenticate me by IP address.

I will update once there is a solution. This kind of SIP-based flood seems to be getting very frequent now. What are they trying to achieve?

4 Comments

  1. JS on 7 Mar 2011 at 12:07 pm #

    They’re probably trying to crack the password to your VoIP, so they can make free phone calls around the world. How long will it take at 15TPS?

  2. scotty on 7 Mar 2011 at 12:19 pm #

    Yes, I think it is the case. From what I have read, the "friendly-scanner" attacks are mostly those scams/hacks trying to get free phone calls. The SIP port does get probed every now and then, but I suspect that there's a bug with the brute-force script which keeps it running non-stop. I am already dropping all the packets (as you can see from the MRTG graph, the outbound drops off as I no longer send back 403s). However, the "attack" continues.

    If someone is "just" trying to crack a password, I don't see why they continue to flood the requests in when they have been firewalled (for multiple days already). Either their malicious intent is something else, or they are unaware that their supposedly stealthy cracker is now DoS'ing someone else's ATA...

  3. Pingback: SIP Attack! | Joseph Scott

  4. dfsmith on 4 Jun 2011 at 5:01 pm #

    This happened to me today. It’s amusing because

    1) my internal PBX is not connected to the PSTN, so they’re not going to get anything.

    2) they have somehow got a valid internal ATA extension number—but the ATA is at a fixed IP address so my log is filling with “wrong IP address” messages.

    The attacking IP traces to China and they’re showing a CallerID that appears as a random 10-digit number.

    So I’m concerned they found an extension. Perhaps related to some dubious SIP programs I downloaded to my iPhone…. I’ll try setting some unique extensions to see if it’s any particular one. B-)
