sipvicious

gvatovci1
Level 1

Hi,

I have problems with SIP hacking. Please help me: how can I fix this?

OPTIONS sip:100@IP ADD SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5180;branch=z9hG4bK-3693168508;rport
Content-Length: 0
From: "sipvicious"<sip:100@1.1.1.1>;tag=64356133376637333133633401393935313333303332
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"<sip:100@1.1.1.1>
Contact: sip:100@127.0.0.1:5180
CSeq: 1 OPTIONS
Call-ID: 456773518555149703728717
Max-Forwards: 70

Sincerely,

Gezim

6 Replies

paolo bevilacqua
Hall of Fame

Start by mentioning the phone system and version you are using.

"Sipvicious" and "Sunday ddr" attacks are common and frequent on the Internet.

If your VoIP system must be directly exposed to the Internet, I suggest you configure a white access list to allow only friendly networks, use strong passwords to protect all SIP accounts, and change the standard SIP ports.

I also use IPS and IDS such as Tipping Point and Ingate. They have special filter rules to prevent Sipvicious attacks.

Regards.

Hi, I know it has been a while, but I want to know if you have found a solution for that?

I'm facing this same issue right now... I'm using CUCM 9.1 with a 4331 router, all SIP to the ITSP.

If anyone can point me in the right direction, I'd appreciate it!

Can you enable the IP address trust list on your platform?

voice service voip
    ip address trusted list

I have that setting already. This feature is more to prevent toll fraud, and sipvicious is a kind of attack snooping the network.

I was wondering if using a SIP profile would prevent or block this OPTIONS message with sipvicious. Thanks!

In my experience, you cannot.

SIP OPTIONS are messages handled by the router itself. No dial-peers are matched.

You can build a sip-profile, but this feature is not designed as a match criterion, so you cannot reject or ignore a message.

The sip profile should be applied globally:

voice service voip
    sip
        sip-profiles 100

voice class sip-profiles 100
    request OPTIONS sip-header User-Agent ... (only remove, modify or copy actions are allowed).

My suggestion is to apply an ACL to filter all unwanted SIP traffic.

If you cannot filter IP traffic (this is also my case), my suggestion is to put an SBC in front of the Cisco that is able to filter these attacks.
In my carrier-class scenario I use an ORACLE Acme-Packet SBC with a sipShield feature.
IPSs like Tipping Point or SonicWall are also able to recognize and filter these attacks.
If you want, you can also use a virtual machine with a free Kamailio or OpenSIPS proxy in front of the Cisco just to filter them.

Regards.
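
As an added example (not part of the thread and not code from Cisco or any product named in it), the Python below parses the OPTIONS probe from the original question and lists the header fingerprints that a filtering proxy or IDS signature, as suggested above, could match on. The function names, the scanner User-Agent list (built from the names mentioned in this thread) and the 192.0.2.10 request-URI host are assumptions made for the example.

```python
import ipaddress
import re

# User-Agent substrings named in this thread; extend from your own captures.
SCANNER_AGENTS = ("friendly-scanner", "sipvicious", "sundayddr")
# RFC 3261 compact header names, so "v:" or "f:" are checked like the long forms.
COMPACT = {"v": "via", "f": "from", "t": "to", "m": "contact"}

def parse_headers(raw):
    """Return {lowercase header name: [values]} for one SIP request."""
    head = raw.replace("\r\n", "\n").strip().split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return headers

def is_loopback(host):
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:                           # a hostname, not an IP literal
        return False

def scanner_indicators(raw):
    """List the reasons a SIP request received from the network looks like a scan."""
    h, reasons = parse_headers(raw), []
    agent = " ".join(h.get("user-agent", [])).lower()
    if any(s in agent for s in SCANNER_AGENTS):
        reasons.append("scanner User-Agent")
    if any("sipvicious" in v.lower() for v in h.get("from", []) + h.get("to", [])):
        reasons.append("sipvicious display name")
    for v in h.get("via", []):                   # a remote peer cannot be 127.0.0.1
        m = re.match(r"SIP/2\.0/\w+\s+(\[[^\]]+\]|[^;:\s]+)", v)
        if m and is_loopback(m.group(1)):
            reasons.append("loopback Via sent-by")
    for v in h.get("contact", []):
        m = re.search(r"sips?:(?:[^@>\s]*@)?(\[[^\]]+\]|[^;:>\s]+)", v)
        if m and is_loopback(m.group(1)):
            reasons.append("loopback Contact")
    return reasons

# Probe from the question, abridged; request-URI host is a constructed placeholder.
PROBE = """OPTIONS sip:100@192.0.2.10 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5180;branch=z9hG4bK-3693168508;rport
From: "sipvicious"<sip:100@1.1.1.1>;tag=64356133376637333133633401393935313333303332
User-Agent: friendly-scanner
Contact: sip:100@127.0.0.1:5180"""
print(scanner_indicators(PROBE))
```

Every field checked here is chosen by the sender, so these matches are signatures for the tool's default settings; restricting which source addresses may reach the SIP port, as recommended in the replies, does not depend on them.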