Massive SIP Attacks with VPN?
September 7, 2022
The picture: I like to keep an eye on the hourly data statistics of my honeypots just to see if anything interesting pops up. A couple of weeks back I saw something that I just had to take a screenshot of. [Screenshot of the automated traffic] It screamed automation. I quickly tried to see if it was another round of traffic similar to the proxy relay traffic that happened some time back …… It wasn’t, so I didn’t make too much of it.
Open Relay Abuse
March 31, 2022
The story: I really didn’t give much attention to the ‘Country analysis’ world heatmap tab on the SIP honeypot data web interface till one day I noticed that every hour there were over 100 unique IP addresses from the US attacking my honeypots. Checking the database I noticed a pattern in the format of the stored headers in the database. Next I checked the source IPs of the suspicious traffic in Shodan.
Hide From Shodan
October 14, 2021
If you are planning on exposing your private VoIP server to the public internet but are concerned about hacks and attacks, I might have one trick to help keep you hidden. When looking for a website to answer your questions, most people turn to Google. On the other hand, when looking for applications, IPs or network ports exposed on the internet, Shodan.io is usually the first stop. Shodan offers a service, dare I say, like Google, that scans the internet.
Understanding VoIP Hackers
September 1, 2021
Ever since I realized how easy it was to detect potential VoIP fraudsters using the SIP User Agent header, I got more and more interested in finding out how to detect them and more importantly figuring out their thought process. I believe that there is a lot you can learn from looking at the smart techniques fraudsters are using rather than just assuming what they are up to. How best to learn, apart from looking through your logs after you have been hacked, than to create a honeypot, gather data and learn from it.
Initial Invite or Re-Invite
March 5, 2021
When asked, “If I gave you a SIP INVITE packet, could you tell if it was an initial INVITE or a re-INVITE?”, surprisingly most people fail at giving the correct answer. Most assume that a “CSeq 1 INVITE” would be the indicator. However, nowhere in the SIP RFC (3261) does it state that the sequence number in the CSeq header for an initial INVITE must start at 1. A simple way to understand and remember the answer is … Well, the purpose of an INVITE is to establish a dialog.
Kamailio Dispatcher Module Hidden Gem
March 4, 2021
The majority of Kamailio deployments involve using it as the core routing engine. Efficient call routing is one of its major tasks in such designs and this is where the dispatcher module really shines, making it one of the most popular modules. If you need to efficiently route or distribute huge amounts of traffic across multiple gateways, you need to have a look at the dispatcher module. Dispatching algorithms: The module offers multiple routing algorithms to choose from.