Since implementing new monitoring tools I’ve noticed a lot of failed REGISTER events on our network.  Our SBC would issue a 4XX back to the originating UA, however the attempts continue. At one point I saw 200 register messages per second from a single IP.

I started to look a bit deeper into the REGISTER packet and found that the User-Agent is always “friendly-scanner”.

REGISTER sip:x.x.x.x SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK-226458594;rport
Content-Length: 0
From: "100" 
Accept: application/sdp
User-Agent: friendly-scanner
To: "100"  
Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 3348663663
Max-Forwards: 70

After a quick search I found that this is related to a script called SipVicious.

The author of SipVicious has included a tool called svcrash.py to shutdown the script on the attacking server.  This is the easiest route to shut down an attacker on a manual basis (You must assume that the attacker has not modified the python script, otherwise the below data is void).

Run svcrash.py on the server being attacked with the “-d” option set.

keith@lab1:~/Documents/sipvicious> ./svcrash.py -d 192.168.34.134
Attacking back 192.168.34.134:5060

Once the above is executed, the attacker should see the following on their server.

kcroxford@attacker:~/Desktop/sipvicious$ ./svcrack.py  -u10000 192.168.34.139
CRITICAL:root:Unhandled exception - please run same command with the -R option to send me an automated report
ERROR:root:Exception
Traceback (most recent call last):
File "./svcrack.py", line 460, in
sipvicious.start()
File "./svcrack.py", line 229, in start
self.getResponse()
File "./svcrack.py", line 175, in getResponse
crackeduser,crackedpasswd = _tmp
ValueError: need more than 1 value to unpack
WARNING:root:found nothing

If you have an Acme Packet SBC  you can request a copy of BCP 520-0052-00 from their Support Engineers. This is the Acme Packet Best Current Practices  on how to handle SIPVicious traffic. I believe that there is another way to handle this (which will exploit the weakness in svcrash.py) with a Header Manipulation Rule.  If I can confirm this as an option, I will update this blog entry.

If you are running an OpenSips proxy I found that Advantia Voip Systems has a write up on dropping traffic with  “friendly-scanner” within the User-Agent header.

All other SBCs :

This is the packet that svcrash.py generates :

SIP/2.0 200 OK
Via: SIP/2.0/UDP 8.7.6.5:5061;branch=z9hG4bK-573841574;rport

Content-length: 0
From: "100"; tag=676f6f643a6279653a61747461636b65723a
User-agent: Telkom Box 2.4
To: "100"
Cseq: 1 REGISTER
Call-id: 469585712
Max-forwards: 70

If your SBC can automatically generate a similar response to the attacker, you should be able to stop the attack.