[SR-Users] Detecting calls with missing ACK (Lazy SIP scanners)
Marrold
kamailio at marrold.co.uk
Tue Apr 5 01:09:29 CEST 2016
Hi,
I have been running a couple of Asterisk honeypots to get a better
understanding of the tools and methods potential hackers are using to
exploit SIP servers.
I have observed many attacks from the 'sipcli' user agent that don't send
ACKs.
At this stage I'm not sure what they're trying to achieve, whether it's a
successful call to one of their test numbers, or maybe they will brute
force anything that returns a 401 later, or maybe they're waiting for an 18X
response.
Below are three typical scenarios:
------ INVITE ------ >
<--- 100 Trying ---
<----- 200 OK -----
<----- 200 OK -----
<----- 200 OK -----
( No ACK)

------ INVITE ------ >
<-------- 503 --------
<-------- 503 --------
<-------- 503 --------
( No ACK)

------ INVITE ------ >
<-------- 401 --------
<-------- 401 --------
<-------- 401 --------
( No ACK)
Please could anyone point me in the right direction to detect these
non-completed calls with a missing ACK in Kamailio? I am unsure of the
terminology I should be using to search the online documentation.
Thanks
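Added example, not from the original post and not Kamailio configuration: a Python tracker that applies the check asked about above to a SIP trace. It keys each INVITE on (Call-ID, CSeq number), counts final responses, and reports transactions whose final response was retransmitted MAX_RETRANS times, or whose first final response is older than ACK_TIMEOUT, with no ACK seen, labelling them as the three flows in the mail (2xx, 401, other rejection). The thresholds, the sample messages, the addresses and the user-agent strings are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Thresholds are assumptions for this example. RFC 3261 retransmits a final
# response for up to 64*T1 = 32 s while waiting for ACK, so report once that
# window has passed, or earlier once MAX_RETRANS copies went out with no ACK.
MAX_RETRANS = 3
ACK_TIMEOUT = 32.0

def parse_sip(raw: str) -> dict:
    # Minimal parser: start line plus the headers the tracker needs.
    start, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if start.startswith("SIP/2.0 "):          # status line, e.g. "SIP/2.0 200 OK"
        method, code = None, int(start.split(" ")[1])
    else:                                     # request line, e.g. "INVITE sip:x SIP/2.0"
        method, code = start.split(" ")[0], None
    cseq_num, _, cseq_method = headers.get("cseq", "").partition(" ")
    return {"method": method, "code": code, "call_id": headers.get("call-id", ""),
            "cseq": int(cseq_num) if cseq_num.isdigit() else -1,
            "cseq_method": cseq_method.strip().upper(),
            "user_agent": headers.get("user-agent", "")}

@dataclass
class InviteTx:
    call_id: str
    cseq: int
    user_agent: str
    final_code: Optional[int] = None
    first_final: float = 0.0
    final_count: int = 0          # first transmission plus retransmissions
    acked: bool = False

def classify(code: int) -> str:
    # 2xx: answered but never confirmed; 401/407: challenge ignored; otherwise rejected.
    return ("answered-no-ack" if code < 300 else
            "challenge-no-ack" if code in (401, 407) else "rejected-no-ack")

class AckTracker:
    # One record per INVITE transaction, keyed by (Call-ID, CSeq number).
    def __init__(self) -> None:
        self.tx: Dict[Tuple[str, int], InviteTx] = {}

    def feed(self, ts: float, raw: str) -> None:
        m = parse_sip(raw)
        key = (m["call_id"], m["cseq"])       # ACK reuses the INVITE's CSeq number
        if m["method"] == "INVITE":
            self.tx.setdefault(key, InviteTx(m["call_id"], m["cseq"], m["user_agent"]))
        elif m["method"] == "ACK" and key in self.tx:
            self.tx[key].acked = True
        elif m["code"] is not None and m["cseq_method"] == "INVITE" and key in self.tx:
            t = self.tx[key]
            if m["code"] >= 200:              # 1xx responses are never ACKed
                if t.final_count == 0:
                    t.first_final = ts
                t.final_code, t.final_count = m["code"], t.final_count + 1

    def missing_acks(self, now: float) -> List[dict]:
        hits = []
        for t in self.tx.values():
            if t.final_code is None or t.acked:
                continue
            if t.final_count >= MAX_RETRANS or now - t.first_final >= ACK_TIMEOUT:
                hits.append({"call_id": t.call_id, "user_agent": t.user_agent,
                             "final_code": t.final_code, "kind": classify(t.final_code),
                             "retransmissions": t.final_count - 1})
        return hits

# --- constructed sample trace (not captured data) ----------------------------
INV = "INVITE sip:100@198.51.100.5 SIP/2.0"
ACK = "ACK sip:100@198.51.100.5 SIP/2.0"

def sip_msg(start_line: str, call_id: str, cseq: str, ua: str = "") -> str:
    ua_hdr = f"User-Agent: {ua}\r\n" if ua else ""
    return (f"{start_line}\r\nVia: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK{call_id}\r\n"
            f"Call-ID: {call_id}\r\nCSeq: {cseq}\r\n{ua_hdr}Content-Length: 0\r\n\r\n")

def leg(t0: float, call_id: str, ua: str, statuses: List[str],
        ack: bool = False) -> List[Tuple[float, str]]:
    # INVITE at t0, one response every 0.5 s from t0+0.1, optional ACK at t0+2.
    msgs = [(t0, sip_msg(INV, call_id, "1 INVITE", ua))]
    msgs += [(t0 + 0.1 + 0.5 * i, sip_msg(f"SIP/2.0 {s}", call_id, "1 INVITE"))
             for i, s in enumerate(statuses)]
    if ack:
        msgs.append((t0 + 2.0, sip_msg(ACK, call_id, "1 ACK")))
    return msgs

# a, b, c are the three no-ACK flows from the mail; d is a normal call; e was
# answered moments before the scan and is still inside the ACK window.
SAMPLE_TRACE = (leg(0.0, "a", "sipcli/v1.8", ["100 Trying", "200 OK", "200 OK", "200 OK"])
                + leg(5.0, "b", "sipcli/v1.8", ["503 Service Unavailable"] * 3)
                + leg(10.0, "c", "sipcli/v1.8", ["401 Unauthorized"] * 3)
                + leg(20.0, "d", "ExamplePhone/1.0", ["200 OK"], ack=True)
                + leg(38.0, "e", "ExamplePhone/1.0", ["200 OK"]))

def scan(trace: List[Tuple[float, str]], now: float) -> List[dict]:
    tracker = AckTracker()
    for ts, raw in trace:
        tracker.feed(ts, raw)
    return tracker.missing_acks(now)

HITS = scan(SAMPLE_TRACE, now=40.0)   # reports a, b and c only
```

In RFC 3261 terms the condition detected here is an INVITE server transaction that reaches a final response and then times out waiting for ACK (Timer H for non-2xx responses; 2xx retransmissions stop after 64*T1), which is the vocabulary to search for in the Kamailio tm and dialog module documentation. Note that a proxy only sees the ACK for a 2xx if it stays in the signalling path (Record-Route), so a detector placed on a proxy must account for that before treating a missing 2xx ACK as suspicious.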