[Serusers] Strange Via parsing error....

sip sip at arcdiv.com
Mon Feb 26 15:23:40 CET 2007


Unfortunately, it's not my UA, so I've no idea. I just happened to notice this
in the logs, and started sniffing the packets and noticed this weird issue
with the garbled data. 

It caught my attention as we've been getting hit CONSTANTLY with fraud
attempts through our service from various hacked IPs (proxied through). Most
of them originate in Egypt, Jordan, Morocco, and Palestine, but lately, we've
seen the IPs from all over (Germany, Sweden, Korea, etc.). Some of these have
been proxied and attempted 'manually-created' headers to try and fool our
system.  This caught my eye and I was wondering if there might be a legitimate
reason for it before I disabled the account out of sheer paranoia. :) 


N. 


On Mon, 26 Feb 2007 11:29:49 +0100, Atle Samuelsen wrote
> hi
> 
> I might be wrong... but do you have a Zyxel router? I've seen
> similar on some Zyxel stuff.
> 
> -Atle
> 
> * Greger V. Teigre <greger at teigre.com> [070226 11:25]:
> > Bad ALG?
> > g-)
> > 
> > sip wrote:
> > >I'm getting an odd Via parsing error from SER 0.9.6:
> > >Feb 23 16:52:49 death ser[17389]: error: parse_via_param
> > >Feb 23 16:52:49 death ser[17389]: ERROR: parse_via on: <sip/2.0/udp 172.30.237.149:56755;branch=z9hg4bk-d87543-d75bc86d826ac929-1--d87543->
> > >Feb 23 16:52:49 death ser[17389]: ERROR: parse_via parse error, parsed so far:<sip/2.0/udp 172.30.237.149:56755;branch=z9hg4bk-d87543-d75bc86d826ac929-1--d87543->
> > >Feb 23 16:52:49 death ser[17389]: ERROR: get_hdr_field: bad via
> > >Feb 23 16:52:49 death ser[17389]: ERROR: parse_msg: message=<REGISTEl sip:proxy.ideasip.com SIP/2.0>
> > >Feb 23 16:52:49 death ser[17389]: ERROR: receive_msg: parse_msg failed
> > >
> > >When I look at the packet, it looks like the actual SIP data is somehow
> > >getting garbled... with odd characters showing up in the middle of
> > >headers, etc.
> > >Any idea what might cause this?
> > >
> > >U 148.233.151.30:43764 -> XX.XX.XX.XX:5060
> > >REGISTEl sip:proxy.ideasip.com SIP/2.0.
> > >Via: sip/2.0/udp 172.30.237.149:16240;branch=z9hg4bk-d87543-9332b73b5700e95c-1--d87543-.
> > >Max-Forward2a:70.
> > >Contactm:<sip:user at 148.233.151.30:32332;rinstance=6c0c8351d99e79db>.
> > >To: "mario"<sip:user at proxy.ideasip.com>.
> > >From: "mario"<sip:user at proxy.ideasip.com>;tag=fe132761.
> > >Call-ID: n2m5owi1odc4mzkznmm5mjflmzvmzmu3zgjmngqym2y..
> > >CSe1h:1 register.
> > >Expire1k:3600.
> > >Allo0b:invite, ack, cancel, options, bye, refer, notify, message, subscribe, info.
> > >User-Agen5m:x-lite release 1006e stamp 34025.
> > >Content-Lengthl:0.
> > >
> > >
> > >As you can see... things like REGISTEl, Max Forward2a:, Expire1k:
> > >all these things look garbled. Would this be a transmission error of some
> > >kind (the garbled headers are identical for each submitted packet, though, so
> > >it seems unlikely)?
> > >
> > >N.
> > >_______________________________________________
> > >Serusers mailing list
> > >Serusers at lists.iptel.org
> > >http://lists.iptel.org/mailman/listinfo/serusers
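An added example, not SER code and not written by anyone in this thread: a small Python sanity check run over the REGISTER quoted above (reconstructed from the ngrep dump, where the trailing '.' stands for CR/LF and the archive rewrote '@' as ' at ') and over a hand-built clean version of the same request. It shows that the Via line on its own still fits a lenient RFC 3261 grammar; what makes the packet stand out is the wholesale lower-casing together with the altered header names, which is also why CSeq and Max-Forwards are effectively missing. The accepted header and method lists, and treating a lower-cased branch cookie as a warning rather than an error, are this example's own assumptions.

```python
"""Flag the kind of SIP header damage shown in the quoted ngrep dump.

Added example for this thread; it is not SER code and not the poster's.
GARBLED is reconstructed from the dump quoted above; CLEAN is a hand-built
version of what the same REGISTER should have looked like.
"""
import re

# RFC 3261 section 8.1.1: header fields every request must carry
MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")

# Methods from RFC 3261 plus the common extension methods (assumed list)
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER",
                 "PRACK", "SUBSCRIBE", "NOTIFY", "UPDATE", "MESSAGE", "REFER",
                 "INFO", "PUBLISH"}

# Header names a normal UA emits (assumed list).  RFC 3261 permits extension
# headers, so an unknown name is reported as unusual, not as an error.
KNOWN_HEADERS = {"via", "max-forwards", "contact", "to", "from", "call-id",
                 "cseq", "expires", "allow", "user-agent", "content-length",
                 "content-type", "supported", "require", "authorization",
                 "proxy-authorization", "www-authenticate",
                 "proxy-authenticate", "route", "record-route", "accept",
                 "event", "subscription-state"}

TOKEN = r"[A-Za-z0-9\-.!%*_+`'~]+"          # RFC 3261 'token'
REQUEST_LINE = re.compile(rf"^({TOKEN}) (\S+) SIP/2\.0$")
VIA_RE = re.compile(
    rf"^(?P<proto>SIP/2\.0/(?:UDP|TCP|TLS|SCTP))\s+(?P<host>[^;,\s]+)"
    rf"(?P<params>(?:\s*;\s*{TOKEN}(?:=[^;,\s]+)?)*)\s*$", re.IGNORECASE)


def check_sip_request(raw: bytes) -> list:
    """Return findings ('ERROR: ...' / 'WARN: ...') for one raw SIP request."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").rstrip("\r\n")
    lines = head.split("\r\n")

    m = REQUEST_LINE.match(lines[0])
    method = m.group(1) if m else None
    if not m:
        findings.append(f"ERROR: malformed request line {lines[0]!r}")
    elif method not in KNOWN_METHODS:
        findings.append(f"ERROR: unknown request method {method!r}")

    seen = {}                                   # lower-cased name -> values
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not re.fullmatch(TOKEN, name):
            findings.append(f"ERROR: bad header line {line!r}")
            continue
        key = name.lower()
        if key not in KNOWN_HEADERS:
            findings.append(f"WARN: unusual header name {name!r}")
        seen.setdefault(key, []).append(value)

    for h in MANDATORY:
        if h not in seen:
            findings.append(f"ERROR: mandatory header {h} missing")

    for via in seen.get("via", []):
        vm = VIA_RE.match(via)
        if not vm:
            findings.append(f"ERROR: unparseable Via {via!r}")
            continue
        if vm["proto"] != vm["proto"].upper():
            findings.append(f"WARN: Via sent-protocol not upper-case {vm['proto']!r}")
        params = {}
        for p in vm["params"].split(";"):
            k, _, v = p.strip().partition("=")
            if k:
                params[k.lower()] = v
        branch = params.get("branch")
        if branch is None:
            findings.append("ERROR: Via has no branch parameter")
        elif not branch.startswith("z9hG4bK"):
            # RFC 3261 parameter values are case-insensitive by default, so a
            # lower-cased cookie is a heuristic signal, not a protocol error.
            if branch.lower().startswith("z9hg4bk"):
                findings.append(f"WARN: Via branch magic cookie has unexpected case {branch[:7]!r}")
            else:
                findings.append("WARN: Via branch lacks the RFC 3261 magic cookie")

    for cseq in seen.get("cseq", []):
        parts = cseq.split()
        if len(parts) != 2 or not parts[0].isdigit():
            findings.append(f"ERROR: malformed CSeq {cseq!r}")
        elif method and parts[1] != method:
            findings.append(f"ERROR: CSeq method {parts[1]!r} differs from request method {method!r}")
    return findings


def _msg(*lines):
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# Reconstructed from the dump quoted in the thread (constructed sample)
GARBLED = _msg(
    "REGISTEl sip:proxy.ideasip.com SIP/2.0",
    "Via: sip/2.0/udp 172.30.237.149:16240;branch=z9hg4bk-d87543-9332b73b5700e95c-1--d87543-",
    "Max-Forward2a:70",
    "Contactm:<sip:user@148.233.151.30:32332;rinstance=6c0c8351d99e79db>",
    'To: "mario"<sip:user@proxy.ideasip.com>',
    'From: "mario"<sip:user@proxy.ideasip.com>;tag=fe132761',
    "Call-ID: n2m5owi1odc4mzkznmm5mjflmzvmzmu3zgjmngqym2y.",
    "CSe1h:1 register", "Expire1k:3600",
    "Allo0b:invite, ack, cancel, options, bye, refer, notify, message, subscribe, info",
    "User-Agen5m:x-lite release 1006e stamp 34025", "Content-Lengthl:0")

# Hand-built clean version of the same REGISTER (constructed sample)
CLEAN = _msg(
    "REGISTER sip:proxy.ideasip.com SIP/2.0",
    "Via: SIP/2.0/UDP 172.30.237.149:16240;branch=z9hG4bK-d87543-9332b73b5700e95c-1--d87543-",
    "Max-Forwards: 70",
    "Contact: <sip:user@148.233.151.30:32332;rinstance=6c0c8351d99e79db>",
    'To: "mario"<sip:user@proxy.ideasip.com>',
    'From: "mario"<sip:user@proxy.ideasip.com>;tag=fe132761',
    "Call-ID: n2m5owi1odc4mzkznmm5mjflmzvmzmu3zgjmngqym2y.",
    "CSeq: 1 REGISTER", "Expires: 3600",
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO",
    "User-Agent: X-Lite release 1006e stamp 34025", "Content-Length: 0")

if __name__ == "__main__":
    for label, msg in (("garbled", GARBLED), ("clean", CLEAN)):
        print(label, "->", check_sip_request(msg) or ["ok"])
```

Against GARBLED the checker reports three errors (the unknown method REGISTEl, and CSeq and Max-Forwards missing because their names were altered) plus warnings for each odd header name, the lower-cased sent-protocol and the lower-cased branch cookie; CLEAN produces nothing. Run against a packet capture, a report like this separates "garbled on the wire" from "my parser is wrong" before anyone starts reasoning about fraud or ALGs.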
