SIP Attack! Home VoIP ATA Got DoS'ed

Bought an ATA from Cormain back in January. It's ugly, but it works. Connected to our new Billion 7800N ADSL2+ router and makes calls via PennyTel. No problem whatsoever until a week ago. Suddenly VoIP stopped working. I was also unable to connect to the ATA's web admin interface to figure out what might be wrong. I thought the ATA was dead. Nasty cheap product! I thought maybe I had bought a lemon and now needed to file a warranty claim.

Interestingly though, when I disconnected the ATA from the WAN interface, I could connect to its admin interface via the LAN port. However, right after I connected the LAN port to my ADSL hub, any request to the admin interface would time out. That's weird, so I turned on syslog to log the system messages to my external syslogd, and then connected the LAN port. Wow -- heaps of log messages. Here is a snippet:

Mar  3 22:26:24 CDUaUdpStack::OnReceiveFrom(803fa460, 334)
Mar  3 22:26:24 from:50.22.171.5, port:5112, len=334, REGISTER sip:xx.xx.xx.xx SIP/2.0^M Via: SIP/2.0/UDP 50.22.171.5:5112;branch=z9hG4bK-1614305573;rport^M Content-Length: 0^M From: "152" ^M Accept: application/sdp^M User-Agent: friendly-scanner^M To: "152" ^M Contact: sip:123@1.1.1.1^M CSeq: 1 REGISTER^M Call-ID: 2269038874^M Max-Forwards: 70^M ^M
...
Mar  3 22:26:24 CUserAgent::SendTo(806f9750, 234, 5112, 50.22.171.5, 0, encryptType=0, udp, 0)
Mar  3 22:26:24 to:50.22.171.5, port:5112, len=234, SIP/2.0 403 Forbidden^M Via: SIP/2.0/UDP 50.22.171.5:5112;branch=z9hG4bK-1079254239;rport^M From: "152" ^M To: "152" ;tag=2cfa115b^M Call-ID: 807709011^M CSeq: 1 REGISTER^M Content-Length: 0^M ^M

Repeat the above around 15 times per second! What appears to be happening is this: the host 50.22.171.5 has been sending me SIP REGISTER requests at a rate of 15 per second, and my VoIP ATA is merely replying with a 403 Forbidden at the same rate. My ATA is pretty much DoS'ed -- I am denied my VoIP service because the ATA has been too busy servicing bogus requests!

So once I firewall'ed the requests (dropping all packets from that IP), my VoIP ATA got back its sanity again. Hooray!
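Added example, not part of the original post: a small Python triage script for the situation described in the two paragraphs above. It parses syslog lines in the format the ATA emitted, counts inbound SIP requests per source address per one-second timestamp bucket, flags any source that exceeds a rate threshold or advertises the User-Agent "friendly-scanner" (the default User-Agent of the SIPVicious toolkit, which is what this flood looks like), and prints the iptables drop rule that the post applied by hand. The sample log is constructed from the snippet above; the 192.0.2.10 "example-pbx" OPTIONS line is invented so that a legitimate request can be seen surviving the filter, and the threshold of 5 requests/sec is an arbitrary choice, not a value from the post.

```python
"""Triage a SIP ATA's syslog dump for REGISTER floods and scanner User-Agents."""
import re
from collections import Counter, defaultdict

# Matches the "from:" lines in the ATA's syslog output, e.g.
#   Mar  3 22:26:24 from:50.22.171.5, port:5112, len=334, REGISTER sip:... SIP/2.0^M ...
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"from:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), port:(?P<port>\d+), len=(?P<len>\d+), "
    r"(?P<method>[A-Z]+) sip:"
)
# The ATA renders CRLF as a literal "^M", so SIP headers are separated by that token.
UA_RE = re.compile(r"User-Agent: (?P<ua>[^\^]+)\^M")

# "friendly-scanner" is the default User-Agent of SIPVicious (svmap/svwar).
# Trivially spoofable, so it is a hint, not the primary signal.
SCANNER_USER_AGENTS = {"friendly-scanner"}

# Constructed sample modelled on the post's snippet: 15 scanner REGISTERs per second
# for two seconds, plus one ordinary OPTIONS from a made-up provider address
# (192.0.2.10 is documentation space; the "example-pbx" agent is invented).
SCANNER = ("Mar  3 22:26:{sec} from:50.22.171.5, port:5112, len=334, REGISTER sip:xx.xx.xx.xx SIP/2.0^M "
           "Via: SIP/2.0/UDP 50.22.171.5:5112;branch=z9hG4bK-1614305573;rport^M Content-Length: 0^M "
           "From: \"152\" ^M Accept: application/sdp^M User-Agent: friendly-scanner^M To: \"152\" ^M "
           "Contact: sip:123@1.1.1.1^M CSeq: 1 REGISTER^M Call-ID: 2269038874^M Max-Forwards: 70^M ^M")
LEGIT = ("Mar  3 22:26:24 from:192.0.2.10, port:5060, len=300, OPTIONS sip:xx.xx.xx.xx SIP/2.0^M "
         "User-Agent: example-pbx^M Content-Length: 0^M ^M")
SAMPLE_LOG = (
    [SCANNER.format(sec=24)] * 15
    + [LEGIT]
    + [SCANNER.format(sec=25)] * 15
    + ["Mar  3 22:26:24 CDUaUdpStack::OnReceiveFrom(803fa460, 334)"]  # stack chatter, ignored
)


def parse_line(line):
    """Return a dict describing an inbound SIP request, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ua = UA_RE.search(line)
    return {
        "ts": m.group("ts"),
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "method": m.group("method"),
        "user_agent": ua.group("ua").strip() if ua else None,
    }


def peak_rates(lines):
    """Per source IP, the highest request count seen in any one-second timestamp bucket."""
    per_ip_second = defaultdict(Counter)
    for line in lines:
        req = parse_line(line)
        if req:
            per_ip_second[req["ip"]][req["ts"]] += 1
    return {ip: max(buckets.values()) for ip, buckets in per_ip_second.items()}


def flood_sources(lines, threshold=5):
    """Sorted IPs at or above `threshold` req/s, or advertising a known scanner User-Agent."""
    flagged = {ip for ip, rate in peak_rates(lines).items() if rate >= threshold}
    for line in lines:
        req = parse_line(line)
        if req and req["user_agent"] in SCANNER_USER_AGENTS:
            flagged.add(req["ip"])
    return sorted(flagged)


def iptables_drop_rules(ips):
    """Drop everything from each flagged source, which is the fix the post applied by hand."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    rates = peak_rates(SAMPLE_LOG)
    for ip in flood_sources(SAMPLE_LOG):
        print(f"{ip}: peak {rates[ip]} req/s")
    print("\n".join(iptables_drop_rules(flood_sources(SAMPLE_LOG))))
```

The rate check is the one to rely on: the User-Agent string costs the scanner nothing to change, whereas a REGISTER flood is visible no matter what it calls itself. Dropping the source on the router only stops the ATA from answering; as the post notes, the packets still arrive on the WAN side and count against the quota.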

However, the "attack" did not stop. A large number of requests is still hitting my ADSL router every second. It is also chewing up quite a bit of bandwidth that counts towards my ADSL monthly quota. Here is an MRTG graph.

[MRTG graph: VoIP DOS'ed]

Not a lot of things I can do.

  • I have sent an email to Softlayer's abuse department (that IP address belongs to Softlayer). Did that a few days ago and am still waiting for a reply.
  • I could request a new IP address from Exetel to switch to. A lot of hassle, especially with some IP-based authentication.

Will update once there's a solution. This kind of SIP-based DoS attack seems to be getting very frequent now -- what are they trying to achieve?!