09-17-2013 01:12 AM - edited 03-16-2019 07:24 PM
Hi,
I have problems with SIP hacking. Please help me, how can I fix this?
OPTIONS sip:100@IP ADD SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5180;branch=z9hG4bK-3693168508;rport
Content-Length: 0
From: "sipvicious"<sip:100@1.1.1.1>;tag=64356133376637333133633401393935313333303332
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"<sip:100@1.1.1.1>
Contact: sip:100@127.0.0.1:5180
CSeq: 1 OPTIONS
Call-ID: 456773518555149703728717
Max-Forwards: 70
Sincerely,
Gezim
09-17-2013 01:15 AM
Start by mentioning the phone system and version you are using.
09-17-2013 02:23 AM
"Sipvicious" and "Sunday ddr" attacks are common and frequent on the Internet.
If your VoIP system must be directly exposed to the Internet, I suggest you configure a WHITE Access List to allow only friendly networks, use strong passwords to protect all SIP accounts and change the standard SIP ports.
I also use IPS and IDS like Tipping Point and Ingate. They have special filter rules to prevent Sipvicious attacks.
Regards.
01-11-2017 10:37 AM
Hi, I know it has been a while, but I want to know if you have found a solution for that?
I'm facing this same issue right now... I'm using CUCM 9.1 with a 4331 router, all SIP to the ITSP.
If anyone can point me in the right direction, I'd appreciate it!
01-14-2017 05:31 AM
Can you enable the IP address trust list on your platform?
voice service voip
 ip address trusted list
01-14-2017 05:48 AM
I have that setting already. This feature is more to prevent toll fraud, and sip vicious is a kind of attack snooping the network.
I was wondering if using SIP Profile would prevent or block this option message with sip vicious. Thanks!
01-14-2017 06:29 AM
In my experience you cannot.
SIP OPTIONS are messages handled by the router itself. No dial-peers are matched.
You can build a sip-profile, but this feature is not designed as a match criterion, so you cannot reject or ignore a message.
The sip profile should be applied globally:
voice service voip
 sip
  sip-profiles 100
voice class sip-profiles 100
 request OPTIONS sip-header User-Agent ... (only remove, modify or copy actions are allowed).
My suggestion is to apply an ACL to filter all unwanted SIP traffic.
If you cannot filter IP traffic (this is also my case), my suggestion is to put an SBC able to filter these attacks in front of the Cisco.
In my carrier-class scenario I use an ORACLE Acme-Packet SBC with a sipShield feature.
Also IPS like Tipping Point or SonicWall are able to recognize and filter these attacks.
If you want you can also use a virtual machine with a free Kamailio or OpenSIPS proxy before the cisco just to filter them.
Regards.
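Added example, not part of the thread and not any poster's code: a Python sketch of the header match that a filtering proxy or log review could apply to the OPTIONS probe quoted in the first post. The function names, the 192.0.2.10 address and the keepalive message are constructed for illustration.

```python
import re

# Fingerprints taken from the OPTIONS probe quoted in the first post.
SCANNER_UA = re.compile(r"friendly-scanner|sipvicious", re.I)
SCANNER_FROM = re.compile(r'"?sipvicious"?\s*<', re.I)
# SIP compact header forms (RFC 3261) mapped to their long names.
COMPACT = {"f": "from", "t": "to", "v": "via", "i": "call-id",
           "m": "contact", "l": "content-length"}

# Probe headers as posted; 192.0.2.10 is a constructed stand-in for the
# redacted address in the request line.
PROBE = (
    "OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 127.0.0.1:5180;branch=z9hG4bK-3693168508;rport\r\n"
    'From: "sipvicious"<sip:100@1.1.1.1>'
    ";tag=64356133376637333133633401393935313333303332\r\n"
    "User-Agent: friendly-scanner\r\n\r\n"
)
# Constructed benign keepalive that uses a compact From header.
KEEPALIVE = (
    "OPTIONS sip:ping@192.0.2.10 SIP/2.0\r\n"
    "f: <sip:ping@198.51.100.5>;tag=abc\r\n"
    "User-Agent: ExampleSBC/1.0\r\n\r\n"
)


def parse_sip(raw):
    """Return (method, headers) for one SIP request; names lowercased."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            key = name.strip().lower()
            headers.setdefault(COMPACT.get(key, key), value.strip())
    return lines[0].split(" ", 1)[0].upper(), headers


def classify(raw):
    """Return the method and the fingerprint fields that matched."""
    method, h = parse_sip(raw)
    reasons = []
    if SCANNER_UA.search(h.get("user-agent", "")):
        reasons.append("user-agent")
    if SCANNER_FROM.search(h.get("from", "")):
        reasons.append("from-display-name")
    return {"method": method, "reasons": reasons}
```

Both matched fields are chosen by the sender, so this only removes default-configured scanner noise; the ACL or trusted list suggested in the replies remains the control that actually restricts who can reach the SIP port.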