HIGH: Accessible SIP Report

DESCRIPTION LAST UPDATED: 2023-12-27

DEFAULT SEVERITY LEVEL: HIGH

Introduction

This report identifies accessible SIP services on port 5060/udp. As described on Wikipedia, the Session Initiation Protocol) is a signaling protocol used for initiating, maintaining, and terminating communication sessions that include voice, video and messaging applications. SIP is used in Internet telephony, in private IP telephone systems, as well as mobile phone calling over LTE (VoLTE).

SIP is known to be a potential UDP message amplifier that has been abused for reflected DDoS attacks.

As of 2023-03-26 we find 9087 servers on IPv4, with an average amplification factor of 28.4 and median amplification factor of 12.1.

How we scan 

The probe sends the string OPTIONS and listens for the response payload.

You can mimic our scan with nmap --script=sip-methods -sU -p 5060 <targets>, but it should be noted that we are only testing the OPTIONS method.

You can read more on SIP DDoS amplification research by Phenomite here.

We do not perform any intrusive checks on a discovered service.

Dashboard

You can track latest SIP scan results on the Shadowserver Dashboard.

You can also track SIP DDoS amplification abuse on our Dashboard, as seen by honeypot sensors.

Mitigation

Consider restricting access to port 5060/udp to trusted IPs.

In our scans we only check for service availability and potential amplification factor. However, SIP configuration has also many additional security considerations which you should take into account. These include brute-forcing credentials and getting access to SIP extensions and subsequent call fraud. You can read more on analysis of various SIP attack seen in the wild in CERT.BR’s paper here. For a broader set of recommendations on VoIP security practices, check out for example this article with 32 Proven VOIP Security Best Practices. Consult your vendor for security device configuration options.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

This report has an IPv4 version only.

Filename: scan_sip

 

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that response came on (always UDP)
  • port
    Port that the response came from (typically port 5090)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to "sip"
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • sip
    The SIP header. Usually "SIP/2.0"
  • sip_code
    The status code, just like HTTP headers, 200, 401, 403 etc
  • sip_reason
    The long form of the numeric sip_code
  • user_agent
    The User-Agent server/client string identifying the type of device
  • sip_via
    The "Via" header that identifies what the call path is. This header assists in routing a call to the proper location
  • sip_to
    The "To" header specifies the recipient of a call
  • sip_from
    The "From" header specifies who the call would be coming from
  • content_length
    The "Content-Length" header specifies the size of the message content in bytes
  • content_type
    The "Content-Type" header identifies how the body is formatted. This is often "text/html" or "application/sdp"
  • server
    The "Server" header contains information about the software used by the user agent server to handle the request
  • contact
    The "Contact" header identifies the most direct route for sending future requests to the requesting device
  • cseq
    The "CSeq" header returns the number of requests of each type that the device has sent
  • call_id
    The "Call-ID" header is a globally unique identifier for the call
  • allow
    The "Allow" header lists the set of methods supported by the device generating the message
  • amplification
    Amplification factor (This amplification is is based solely on the payload size sent and payload size received)
  • response_size
    Raw response size in bytes without the UDP headers
  • hostname_source
    Hostname source
  • naics
    North American Industry Classification System Code
  • sector
    Sector the IP belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","sip","sip_code","sip_reason","user_agent","sip_via","sip_to","sip_from","content_length","content_type","server","contact","cseq","call_id","allow","amplification","response_size","hostname_source","naics","sector"
"2010-02-10 00:00:00",high,192.168.0.1,udp,5060,node01.example.com,sip,64512,ZZ,Region,City,SIP/2.0,400,"Bad Request",,,,,,,,,,,,3.57,25,,0,
"2010-02-10 00:00:01",high,192.168.0.2,udp,5060,node02.example.com,sip,64512,ZZ,Region,City,SIP/2.0,400,BadRequest,,,,,0,,,,,,,12.14,85,ptr,0,"Communications, Service Provider, and Hosting Service"
"2010-02-10 00:00:02",high,192.168.0.3,udp,5060,node03.example.com,sip,64512,ZZ,Region,City,SIP/2.0,400,"Bad Request",,,,,0,,,,,,,6.57,46,,0,




Our 132 Report Types