[VOIPSEC] Attacks in the wild: brute force password hacking

John Todd jtodd at loligo.com
Wed May 24 02:06:52 EDT 2006 

I've witnessed within the last few days a brute force attack on SIP 
REGISTER requests in some type of automated fashion.  I'm wondering 
if others have seen similar issues on their networks who would be 
interested in sharing any experiences publicly or privately.

A brute-force password attack was launched against a SIP-based PBX in 
what appeared to be an attempt to guess passwords.  Queries were 
coming in about 10 per second.  Extension/identities were 
incrementing during each attempt, and it appeared that a full range 
of extensions were cycled over and over with the new password.  The 
User-Agent: string was almost certainly falsified (it reports 
"Polycom".)  I can provide more details to anyone who is interested 
in the specifics.

I don't know when this problem was discovered in relation to the time 
that it started.  The extension ranges that were being attacked were 
valid extensions, unknown to anyone other than the administrator of 
the system, which was primarily a testbed (leading to an assumption 
of random scanning for UDP 5060 responses on public IP addresses as 
the vector for the attacker.)  Some brief testing against Asterisk 
shows that there are different replies when a valid extension versus 
an invalid extension is supplied in a REGISTER attempt (no surprise 
there, since an unknown user will result in an immediate "404" error 
upon REGISTER attempt, while a known user but bad nonce during 
REGISTER will result in a "401" error.)  Therefore, it may be the 
case that the attacker scanned a large number of sequential or random 
extensions until a valid range was discovered, then the range was 
narrowed and password brute-force attacks started once valid SIP 
identities were established.  This is a guess, but it fits the 
evidence at hand.

While Asterisk was the platform under attack, this is not an 
Asterisk-specific attack method.  The brute-force method used is 
applicable to any SIP registrar/proxy that accepts and processes such 
requests.  The method by which the attacker may have obtained valid 
SIP peers (presentities) on Asterisk has been identified, and 
Asterisk has since been patched (SVN-TRUNK and 1.2 TRUNK) to include 
a method that allows administrators to obscure SIP response codes on 
INVITE, SUBSCRIBE, and REGISTER from 404 to 401 in the case of 
non-existant hosts ("alwaysauthreject" option in sip.conf.)  Thanks 
to Kevin Fleming for quick turnaround on this.  While Asterisk does 
not seem from current evidence to be vulnerable to any particular 
password attack method, it is the case that previous versions to 
today are farm-able for valid extensions on which attacks may be 
attempted.

The attack does not seem to be a "bot" attack, as only one IP address 
was originating requests, but of course that can quickly change based 
on the intent of the attacker and their resource availability. 
Blocking the attack is simply performed with an IP address filter on 
the router or filter table on the host.  However, this is obviously 
insufficient for larger scale problems where multiple attacking hosts 
or targets are involved.  A more complete solution has been discussed 
which would involve a dampening system that would slow replies (or 
ignore requests) for any authentication methods for individual 
presentities based on frequency of requests for that presentity or 
frequency of requests from that originating host.  Are there comments 
on the usefulness or validity of such a dampening system?  Has anyone 
deployed such a system already, and could you speak to the results of 
such a method?

JT



Example packets (not a full transaction, IP addresses obscured) look like this:

Origin (SIP UA): 10.1.1.1
Destination (SIP registrar): 172.16.16.16

REGISTER sip:171.16.16.16;transport=udp SIP/2.0
Via: SIP/2.0/UDP 10.1.1.1:1025;branch=z9hG4bKa53940dcDB34E039
From: "2665" <sip:2665 at 171.16.16.16>;tag=52F481E6-70A248F5
To: <sip:2665 at 171.16.16.16>
CSeq: 1 REGISTER
Call-ID: 9c0014fa-b7ec2828-facb896f at 10.0.100.14
Contact: <sip:2665 at 10.1.1.1:1025;transport=udp>;methods="INVITE, ACK, 
BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, 
UPDATE, REFER"
User-Agent: PolycomSoundPointIP-SPIP_600-UA/1.3.0
Max-Forwards: 70
Expires: 3600
Content-Length: 0

More information about the Voipsec mailing list