Month: August 2017

What does SIP scanning look like?

Following on from my post two weeks ago about enhancing SIP Security I’ve been running a tool that’s allowing me to profile the SIP brute force attacks we see, which are an unavoidable cost of our being able to have VoIP phones at home.

Every time anything tries to talk to our Asterisk server over the internet (be that legitimate traffic from our ATAs at home, or scanning by “bad guys” trying to gain illegitimate access to our Asterisk) it creates a line in a log file.

I’ve been through the results and have classified each connection attempt as legitimate, or unexpected. The graph is quite interesting:

About two thirds of the traffic we see is legitimate. The next largest chunk is ‘friendly-scanner’, which is a known SIP account brute-force kit based on SIPVicious. The rest are mostly scans that are masquerading as legitimate devices.
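The classification described above, as an added example that is not the post's own tool: it parses a constructed log format (timestamp, source IP, SIP method, User-Agent, result; not Asterisk's own log format), tallies attempts, and sorts each into legitimate, known scanner, or a device-looking User-Agent from an address we do not own. The allowlisted source address and the sample lines are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in a hypothetical log format (time, source IP,
# SIP method, User-Agent, result); not the format of Asterisk or the post's tool.
SAMPLE_LOG = """\
2017-08-01T10:00:01 203.0.113.10 REGISTER "Grandstream HT702 1.0.8.6" OK
2017-08-01T10:01:12 198.51.100.7 REGISTER "friendly-scanner" FAIL
2017-08-01T10:01:13 198.51.100.7 REGISTER "friendly-scanner" FAIL
2017-08-01T10:05:00 192.0.2.44 REGISTER "Grandstream HT702 1.0.8.6" FAIL
2017-08-01T10:05:01 192.0.2.44 REGISTER "Grandstream HT702 1.0.8.6" FAIL
2017-08-01T10:09:00 203.0.113.10 OPTIONS "Grandstream HT702 1.0.8.6" OK
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\S+)$')
# Assumed allowlist: the addresses our own ATAs register from.
KNOWN_ATA_SOURCES = {"203.0.113.10"}
# User-Agent strings of known scanning kits ('friendly-scanner' is what SIPVicious sends).
SCANNER_AGENTS = {"friendly-scanner"}

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, ua, result = m.groups()
    return {"ts": ts, "src": src, "method": method, "ua": ua, "result": result}

def classify(entry):
    """Return 'legitimate', 'scanner' or 'masquerading' for one log entry."""
    if entry["ua"] in SCANNER_AGENTS:
        return "scanner"
    if entry["src"] in KNOWN_ATA_SOURCES:
        return "legitimate"
    # A device-looking User-Agent from an address we do not own is the
    # "masquerading as a legitimate device" case from the post.
    return "masquerading"

def profile(log_text):
    """Count attempts per class and per (class, User-Agent) pair."""
    by_class = Counter()
    by_ua = Counter()
    for line in log_text.splitlines():
        e = parse(line)
        if e is None:
            continue
        c = classify(e)
        by_class[c] += 1
        by_ua[(c, e["ua"])] += 1
    return by_class, by_ua
```

`by_ua` gives the per-User-Agent breakdown that a graph like the one in the post is drawn from.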

I’ve tweaked our blocking to cover most of the illegitimate traffic, but it’s possible that I’ve cast the net a little too wide, so if your phone at home has stopped working, let me know!

Currently offline – 2017-08-12 – resolved

It looks as though the asterisk is currently offline, as of 2017-08-12 14:25:01 (BST)

I’m not yet sure of the cause of this problem. It could be anything from a power failure, to the dynamic DNS failing to update, the router being offline, or the router having been reset and lost its port forwarding configuration.

More information when I’ve got it.

Update 2017-08-12 22:11 – I don’t think it’s the Dynamic DNS this time. The asterisk regularly phones home to my monitoring server (a process that isn’t reliant on the Dynamic DNS) and it hasn’t reported in since 14:25.

Update 2017-08-13 12:00 – Sam very helpfully went in, and found everything switched off. He powered up the UPS and we’re back in business… for now!