What does SIP scanning look like?

Following on from my post two weeks ago about enhancing SIP security, I’ve been running a tool that lets me profile the SIP brute-force attacks we see, which are an unavoidable cost of being able to have VoIP phones at home.

Every time anything tries to talk to our Asterisk server over the internet (be that legitimate traffic from our ATAs at home, or scanning by “bad guys” trying to gain illegitimate access to our Asterisk), it creates a line in a log file.

I’ve been through the results and have classified each connection attempt as legitimate or unexpected. The graph is quite interesting:

About two thirds of the traffic we see is legitimate. The next largest chunk is ‘friendly-scanner’, which is a known SIP account brute-force kit based on sipvicious. The rest are mostly scans that are masquerading as legitimate devices.

I’ve tweaked our blocking to cover most of the illegitimate traffic, but it’s possible that I’ve cast the net a little too wide, so if your phone at home has stopped working, let me know!
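As an added illustration of the classification and blocking described above (this is example code, not the profiling tool from the post), the script below runs over constructed log lines in an assumed simplified layout, sorts each attempt into legitimate, scanner, or masquerading, and lists the addresses a block rule would catch so they can be checked against the known home ATAs before the rule goes live:

```python
import re
from collections import Counter

# Constructed sample log (not the post's real log). Assumed layout per line:
# "<timestamp> <source ip> <SIP method> <User-Agent>"
SAMPLE_LOG = """\
2013-05-01T10:00:01 203.0.113.10 REGISTER Grandstream HT502
2013-05-01T10:00:05 203.0.113.11 REGISTER Cisco/SPA112
2013-05-01T10:01:10 198.51.100.7 REGISTER friendly-scanner
2013-05-01T10:01:11 198.51.100.7 REGISTER friendly-scanner
2013-05-01T10:02:00 198.51.100.9 INVITE Cisco/SPA112
2013-05-01T10:03:00 203.0.113.10 INVITE Grandstream HT502
"""

# Assumed (constructed) public addresses of our own ATAs at home.
KNOWN_ATA_ADDRS = {"203.0.113.10", "203.0.113.11"}

# User-Agent fragments presented by known SIP brute-force kits.
SCANNER_AGENTS = ("friendly-scanner", "sipvicious")

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (.+)$")


def classify(src_ip, user_agent):
    """Label one connection attempt from its source address and User-Agent."""
    ua = user_agent.lower()
    if any(sig in ua for sig in SCANNER_AGENTS):
        return "scanner"
    if src_ip in KNOWN_ATA_ADDRS:
        return "legitimate"
    # A device-looking User-Agent from an address we do not own is the
    # "masquerading as a legitimate device" case from the post.
    return "masquerading"


def profile(log_text):
    """Count attempts per class; malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, src, _method, ua = m.groups()
        counts[classify(src, ua)] += 1
    return counts


def block_candidates(log_text):
    """Source addresses a block rule would catch, so they can be reviewed
    against KNOWN_ATA_ADDRS before widening the net."""
    blocked = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and classify(m.group(2), m.group(4)) != "legitimate":
            blocked.add(m.group(2))
    return sorted(blocked)
```

Running `profile(SAMPLE_LOG)` on the constructed log gives three legitimate attempts, two from the scanner, and one masquerading; `block_candidates` returns only the two unknown addresses and none of the home ATAs.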