[VOIPSEC] why are attackers so inefficient?

Bugra Cakir bugra.cakir at argela.com.tr
Thu Mar 24 01:49:28 CDT 2011 

I think he is just a script kiddie ! Sometimes with this tools
clever attacks could be established. Especially i saw
harmonic attacks and malformed message attacks with
those tools. 



On Mar 23, 2011, at 6:23 PM, Klaus Darilion wrote:

> I recently had this scan on my proxy:
> 
> #
> U 2011/03/23 17:00:07.964580 60.191.221.70:5143 -> xx.yy.xx.yy:5060
> REGISTER sip:xx.yy.xx.yy SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.1:5143;branch=z9hG4bK-1441214577;rport
> Content-Length: 0
> From: "5988" <sip:5988 at xx.yy.xx.yy>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "5988" <sip:5988 at xx.yy.xx.yy>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 4215708921
> Max-Forwards: 70
> 
> 
> #
> U 2011/03/23 17:00:07.964580 60.191.221.70:5143 -> xx.yy.xx.yy:5060
> REGISTER sip:xx.yy.xx.yy SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.1:5143;branch=z9hG4bK-113964806;rport
> Content-Length: 0
> From: "5988" <sip:5988 at xx.yy.xx.yy>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "5988" <sip:5988 at xx.yy.xx.yy>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 3461115189
> Max-Forwards: 70
> 
> 
> #
> U 2011/03/23 17:00:07.972580 60.191.221.70:5143 -> xx.yy.xx.yy:5060
> REGISTER sip:xx.yy.xx.yy SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.1:5143;branch=z9hG4bK-1816496172;rport
> Content-Length: 0
> From: "5988" <sip:5988 at xx.yy.xx.yy>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "5988" <sip:5988 at xx.yy.xx.yy>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 1573919667
> Max-Forwards: 70
> 
> 
> There where 200 requests per second, always the Fom/To, just the Callid
> differs. My proxy did not even respond to the requests. What's the use
> case of sending 200r/s with identical identity? Is this a bug in
> sipvicious or is the attacker just to stupid to use it correctly?
> 
> regards
> Klaus
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

More information about the Voipsec mailing list