[SR-Users] Detecting calls with missing ACK (Lazy SIP scanners)

Daniel Tryba d.tryba at pocos.nl
Tue Apr 5 14:14:53 CEST 2016


On Tue, Apr 05, 2016 at 12:09:29AM +0100, Marrold wrote:
> I have been running a couple of Asterisk honey pots to get a better
> understanding of the tools and methods potential hackers are using to
> exploit SIP servers.
> 
> I have observed many attacks from the 'sipcli' user agent that don't send
> ACKs.
[...]
> Please could anyone point me in the right direction to detect these non
> completed calls with a missing ACK in Kamailio? I am unsure on the
> terminology I should be using to search the online documentation.

Why do you care? The attacker doesn't care about receiving SIP messages,
they are only interested in initiating a call to a target. If the target
gets dialled you will be abused, by either another source with a fully
functional SIP stack or just something that might be spoofed.

What I do is blacklist addresses that send any SIP messages to my
honeypots. This might be dangerous since with UDP anything can be spoofed (so
better make sure you have a whitelist and there is no connection between
the honeypots and your client facing SIP platform).
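As an added example (not from this thread, and not Kamailio configuration), the following Python tracks INVITE transactions by Call-ID in honeypot traffic and reports the ones answered with 200 OK that were never ACKed within RFC 3261's Timer H, which is the condition Marrold describes for the sipcli scanners. The sample messages, IP addresses and Call-IDs are constructed; the honeypot is assumed to be 198.51.100.5.

```python
import re

# RFC 3261 Timer H (64*T1 = 32 s): how long a UAS keeps retransmitting its
# 2xx while waiting for the ACK before treating the dialog as failed.
ACK_TIMEOUT = 32.0

CALLID_RE = re.compile(r"^Call-ID:\s*(\S+)", re.M | re.I)
CSEQ_RE = re.compile(r"^CSeq:\s*\d+\s+([A-Za-z]+)", re.M | re.I)

def parse_message(raw):
    """Return (request_method, status_code, cseq_method, call_id).
    request_method is None for responses, status_code is None for requests."""
    first = raw.lstrip().split("\n", 1)[0].split()
    if first[0].upper() == "SIP/2.0":
        req, status = None, int(first[1])
    else:
        req, status = first[0].upper(), None
    cseq = CSEQ_RE.search(raw)
    cid = CALLID_RE.search(raw)
    return (req, status, cseq.group(1).upper() if cseq else None,
            cid.group(1) if cid else None)

def find_unacked_calls(events, now):
    """events: iterable of (timestamp, source_ip, raw_sip_text) as seen by the
    honeypot. Returns {call_id: caller_ip} for INVITEs that were answered with
    a 2xx but got no ACK within ACK_TIMEOUT seconds of the answer."""
    calls = {}  # call_id -> {"caller": ip, "answered": ts or None, "acked": bool}
    for ts, src, raw in events:
        req, status, cseq_method, cid = parse_message(raw)
        if cid is None:
            continue
        if req == "INVITE":
            calls.setdefault(cid, {"caller": src, "answered": None, "acked": False})
        elif req == "ACK" and cid in calls and calls[cid]["answered"] is not None:
            calls[cid]["acked"] = True  # only the ACK to the 2xx completes the call
        elif status and 200 <= status < 300 and cseq_method == "INVITE" and cid in calls:
            calls[cid]["answered"] = ts
    return {cid: c["caller"] for cid, c in calls.items()
            if c["answered"] is not None and not c["acked"]
            and now - c["answered"] > ACK_TIMEOUT}

# Constructed sample traffic: a lazy scanner that never ACKs, then a normal call.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.7", "INVITE sip:1000@198.51.100.5 SIP/2.0\r\nCall-ID: lazy1@203.0.113.7\r\nCSeq: 1 INVITE\r\nUser-Agent: sipcli/v1.8\r\n\r\n"),
    (0.2, "198.51.100.5", "SIP/2.0 200 OK\r\nCall-ID: lazy1@203.0.113.7\r\nCSeq: 1 INVITE\r\n\r\n"),
    (1.0, "192.0.2.9", "INVITE sip:1001@198.51.100.5 SIP/2.0\r\nCall-ID: good1@192.0.2.9\r\nCSeq: 1 INVITE\r\n\r\n"),
    (1.2, "198.51.100.5", "SIP/2.0 200 OK\r\nCall-ID: good1@192.0.2.9\r\nCSeq: 1 INVITE\r\n\r\n"),
    (1.5, "192.0.2.9", "ACK sip:1001@198.51.100.5 SIP/2.0\r\nCall-ID: good1@192.0.2.9\r\nCSeq: 1 ACK\r\n\r\n"),
]

if __name__ == "__main__":
    print(find_unacked_calls(SAMPLE_EVENTS, now=60.0))
```

Run against the sample at now=60.0 it reports only the scanner's call; at now=10.0 it reports nothing, since Timer H has not yet expired.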
