March 31, 2022

1082 words 6 mins read

Open Relay Abuse

Open Relay Abuse

The story

I really didn’t give much attention to the ‘Country analysis’ world heatmap tab on the SIP honeypot data web interface till I one day noticed that every hour there were over 100 unique IP addresses from the US attacking my honeypots.

Checking the database I noticed a pattern in the format of the stored headers in the database. Next I checked the source IPs of the suspicious traffic in Shodan.io and noticed that although the traffic was coming from different sources, judging from the SIP User-Agent header, two brands of SBCs that were sending it. About 90% were Ingate SBCs and the remaining 10% were IceWarp. It was obvious that it was some kind of distributed attack, but why these brands? I personally had never heard of them so I contacted someone who I thought might possibly have first hand information from penetration testing VOIP systems … Sandro Gauci of Enable Security.

Last year when I started this honeypot project of mine, I started out seeking answers to specific questions I had, so I structured the database to gather enough data to answer those questions. To fully answer what was happening in this case, I was lacking the data in the backend database. Sandro had not worked with these devices either but we had our suspicions. The only way however to confirm was of course to take raw pcaps from the honeypots… Ansible to the rescue. Within minutes I had pcaps from all the boxes and … Yes, we were correct. All these servers were open relays and SIP traffic was being proxied through them!!

Sandro advised I do the right thing and contact Ingate and inform them of the situation because at this point there were over 1000 devices proxying traffic. He offered to help and was able to get in contact with the CEO. Their response was that their customers had misconfigured the devices so it was not their problem. Fair enough, but why were so many of them relaying the traffic? In my experience if it is not a bug on the device, then the default configuration might have wrong options set. To confirm, I would need access to one of these devices.

Open relay

Every proxy technically relays traffic. SBCs as well, they accept traffic on one end, generate a new call and send it out the other end. The issue arises then the devices are ‘open’ to relay any traffic that comes their way. That is, they do not have any limitation on the type of source traffic they are accepting nor on the destination they are sending the traffic to, nor if they need to be handling that traffic in the first place. This makes them an open relay. All an attacker needs to do is to relay their malicious traffic through such server and to the attacked end device the traffic would appear to be originating from the open relay server.

Open relay

In principle, identifying this type of traffic is easy, but you need to know what to look for 😉. There are multiple indicators that when analysed together in context of the call flow, point to the issue. The most important thing is to know your traffic so that such oddities stick out when you see them.

  1. The URI in the request. Do you own the domain? Should you be handling such a domain?
  2. The Via headers. For a proxied SIP request, the number of Via headers would give an indication of the number of hops the SIP request has taken. Based on your network, is the count correct?
  3. The Contact header. It indicates where final responses will be sent. Do you know the URI?
  4. The source IP address of the request. Should it match any of the previously mentioned SIP headers? Is it ??

Traffic from the example diagram above would look something like

SIP Request

The Kamailio default config blocks this kind of traffic and I know some people who have been tempted to remove that bit of code as a shortcut to allow some type of traffic flow without fully understanding the consequence. Understanding it goes a long way. If you are not sure how to control such traffic on your SIP edge device, let me try and explain the idea with the help of code from Kamailio.

	if(from_uri!=myself && uri!=myself) {
		sl_send_reply("403","Not relaying");
		exit;
	}

The idea is simple, if the subscriber/caller is not a local subscriber to your server and the destination they are sending the request to is not a destination/domain your server manages or is aware of, well then such traffic does not have any business on your device… Unless of course you are in the open relay business. In the Kamailio snippet above, such a call would be rejected with a SIP 403 response code.

The traffic

Back to the story…. With the pcaps taken from the honeypots, I was able to trace the traffic back to the original attacker. The IP address was of course registered to a VPN service provider. The service provider this time was in Afghanistan. They were offering a 1 month free trial so it was not a surprise that after a month of monitoring this traffic, it ended. The traffic was not aggressive but dare I say, nicely crafted. The attacker was scanning the extension range 100 - 1000 daily. Proxying the traffic across about a 100 different IP addresses every hour. Sending one request per extension but spreading the attack over multiple honeypots. To see the nice ‘pattern’, data from all honeypots had to be queried and sorted. Dare I say I admired the effort put into this attack. It looked like the attacker was not interested in actually registering any extension but more like they were perfecting their tools. It was really interesting to observe.

The day I noticed the traffic I ‘upgraded’ my honeypots to send more data. Ever since that attack ended, there have been very few similar attacks.

Test your SBC

To help with awareness around this issue, I have started running a free service where you can test your SIP server against relaying SIP OPTIONS, INVITE and REGISTER requests. To test, head over to kwanlabs.com and select the ‘SIP open relay test’ tab. You will need to provide the public IP address of the SIP server to test and the UDP port it is accepting traffic on. TCP is not supported as of now.

I hope you find the service useful.

kamailio fraud sip honeypot
Hide From Shodan

Hide From Shodan

October 14, 2021

If you are planning on exposing your private VoIP server to the public internet but are concerned about hacks and attacks, I might have one trick to help keep you hidden. When looking for a website to answer your questions, most people turn to Google. On the other hand, when looking for applications, IPs or network ports exposed on the internet, Shodan.io is usually the first stop. Shodan offers a service, dare I say, like Google, that scans the internet.
Understanding VoIP Hackers

Understanding VoIP Hackers

September 1, 2021

Ever since I realized how easy it was to detect potential VoIP fraudsters using the SIP User Agent header , I got more and more interested in finding out how to detect them and more importantly figuring out their thought process. I believe that there is a lot you can learn from looking at the smart techniques fraudsters are using rather than just assuming what they are up to. How best to learn, apart from looking through your logs after you have been hacked, than to create a honeypot, gather data and learn from it.
Kamailio Dispatcher Module Hidden Gem

Kamailio Dispatcher Module Hidden Gem

March 4, 2021

Majority of Kamailio deployments involve using it as the core routing engine. Efficient call routing is one of its major tasks in such designs and this is where the dispatcher module really shines, making it one of the most popular modules. If you need to efficiently route or distribute huge amounts of traffic across multiple gateways, you need to have a look at the dispatcher module. Dispatching algorithms The module offers multiple routing algorithms to choose from.