If you run a Server accessible over the Internet you will quickly find a lot of “interested” Eyes on it, especially if it is a VoIP System using SIP on default udp/5060. In an Ideal World this system would never be exposed to the Internet – but if you have a PBX which need to be accessible by a lot of remote workers and know how critical SIP/RTP can be you want to avoid forcing SIP over VPN.
We are using a 3CX Box setup using its own static IPv4 not used for anything else, so no NAT 1:1 firewalled IPv4. The 3cx system already have a good working and learning Block system working like fail2ban and blocking hosts with wrong credentials for X hours. The SIP Protocol use something called a INVITE to trigger a call, many spammers now trying to connect to your System – which is actually pretty simple because it is UDP so they just need to send the INVITE Package like Fire and Forget through the net and see if one response – and send a INVITE. This Package will try to trigger a remote call on your PBX, mostly to some “payed service” numbers they control. So, in case of success they could gain profit by your PBX keep opening calls to their payed hotline.
A Typical Spam INVITE looks like this:
INVITE sip:[email protected] SIP/2.0 Via: SIP/2.0/UDP 185.53.XXX.XXX:51645;branch=z9hG4bK897834916 Max-Forwards: 70 From: ;tag=802408136 To: Call-ID: 1008218195-729624094-143XXXXXX CSeq: 1 INVITE Contact: Content-Type: application/sdp Content-Length: 211 Allow: ACK, BYE, INFO, INVITE, MESSAGE, OPTIONS, REFER, REGISTER, SUBSCRIBE, PUBLISH v=0 o=5587292 16264 18299 IN IP4 192.168.1.8 s=call c=IN IP4 192.168.1.8 t=0 0 m=audio 25282 RTP/AVP 0 101 a=rtpmap:0 pcmu/8000 a=rtpmap:8 pcma/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-11
Far less popular but still dangerous is a OPTIONS call, which is like a HTTP HEAD trying to get Information about your system or could in worst case on open systems force one of your Handsets to redirect all it’s incoming call to again a payed service number or worse.
I found quickly that this is not a rare thing, in fact on bad days it was about 1k – 3k requests a day. Of course, those requests often came from the same Ips – once they found a potential “open system” they got more aggressive and tried and tried.
The SIP Honeypot Project
I decided to put together a little Honeypot script on some of my Webservers across Europe. They do not use SIP or 5060/udp at all, so it does not hurt. With use of some Python Libs this Honeypot was adjusted and built quickly. What it does is listening to requests on 5060 udp and waiting for Valid SIP Packages. Like INVITE, REGISTER, OPTIONS, ACK. If a SIP Package is received it send a valid SIP Response with Access denied and log the incoming package and IP Address. All in all, I have currently 4 Systems in 3 EU countries running this little honeypot. It is not listed somewhere so actually nobody should try speaking SIP to him. All those requests are logged to a central Database, if one “attacker” IP tried to INVITE more than three times it will be blacklisted for 30 Days.
This Blacklist I implemented in our Firewall, using pfSense and pfBlockerNG as a custom Blocklist, in addition to the honeypots I also include the ban Reports from our local real PBX System. Since I setup this system the false requests to our PBX went down to about a dozen a day.
In the first two Weeks logging the Attackers the List already grown to about 250 Entries. All those Entries will be automatically removed after 30d.
Feel free to use those Lists, but as Always on those things – without any Warranty given. All the IPs listed on it are only coming from my honeypot instances, there are no external sources or combined Alien source lists. If you like to use the list in any commercial Environment please check the Contributing part below, would be awesome if I can get some honeypot sources around the globe. Currently my Honeypots are central EU based at different Hosters.
The List is available as GZ File or plain TXT and can be used in any blocklist compatible Firewall.
If your Firewall / Blocktool support GZ compressed input please prefer this one.
Development of the List in the past 30 days, as mentioned – hosts are listed at the timestamp when they hit >3 attacks the honeypot does not accept connections from already blocked hosts. After 30d they automatically get removed from the List until they hit again.
Chart updated every 8h
I just would like to ask if it is possible to donate a small linux shell / VPS whatever, in your state so I can roll out more passive honeypots. Tech. requirement to those VPS is very minimum, just any recent Debian with 1 core and 128mb RAM is enough. If interested please email me. (see Imprint) Or contact me on any of the platforms linked in the footer.