SIP Bruteforcing in the Wild - An Assessment of Adversaries, Techniques and Tools

Abstract

Over the last two decades, Voice-over-IP (VoIP), and specifically SIP, has become the standard solution for voice telephony in residential, commercial, and telecom environments. Since an abundance of SIP endpoints now exists, it has become financially lucrative for cybercriminals to systematically search for VoIP installations, for example with the aim of abusing them for billing fraud or of hiding their criminal activities behind a legitimate connection and phone number. This has made SIP one of the most scanned UDP protocols on the Internet. In this paper, we take a look at the actors behind these attacks. Using a large network telescope, we collect over 822 million SIP brute-forcing attempts from 5,691 sources in 187 countries and analyze who is searching for and attacking VoIP endpoints. As each tool and campaign exhibits specific implementation differences, we can relate individual attempts to campaigns and thereby provide a detailed view of the different actors in the ecosystem, their techniques and tooling, and how these have developed over 5 years. We show that we can fingerprint different SIP scanning tools, that actors hardly ever change their toolkit, and that highly distributed and coordinated scanning is increasing.
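As an added illustration of the idea that implementation differences let a defender group brute-forcing attempts by tool, the following Python clusters a handful of constructed SIP requests by a fingerprint built from the request method, the order of the headers, and the User-Agent string. This is example code, not code from the paper; the abstract does not say which features the authors use, so the three features and the sample requests (RFC 5737 documentation addresses, invented tool names) are assumptions chosen for the demonstration.

```python
"""Group inbound SIP brute-force attempts by a per-tool fingerprint.

Example code, not from the paper. The fingerprint features (method, header
order, User-Agent) are an assumption; the sample requests are constructed.
"""
from collections import defaultdict

# Constructed sample requests, as a network telescope might capture them
# (source IP, raw request). Two come from the same hypothetical "scanner-A",
# one from a different tool that sends no User-Agent and orders headers differently.
SAMPLE_REQUESTS = [
    ("198.51.100.7",
     "REGISTER sip:203.0.113.10 SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1\r\n"
     "From: <sip:100@203.0.113.10>;tag=a1\r\n"
     "To: <sip:100@203.0.113.10>\r\n"
     "Call-ID: 1@198.51.100.7\r\n"
     "CSeq: 1 REGISTER\r\n"
     "User-Agent: scanner-A/1.0\r\n"
     "Content-Length: 0\r\n\r\n"),
    ("198.51.100.9",
     "REGISTER sip:203.0.113.11 SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 198.51.100.9:5060;branch=z9hG4bK-2\r\n"
     "From: <sip:101@203.0.113.11>;tag=b7\r\n"
     "To: <sip:101@203.0.113.11>\r\n"
     "Call-ID: 2@198.51.100.9\r\n"
     "CSeq: 1 REGISTER\r\n"
     "User-Agent: scanner-A/1.0\r\n"
     "Content-Length: 0\r\n\r\n"),
    ("192.0.2.33",
     "OPTIONS sip:203.0.113.10 SIP/2.0\r\n"
     "To: <sip:probe@203.0.113.10>\r\n"
     "From: <sip:probe@203.0.113.10>;tag=c3\r\n"
     "Via: SIP/2.0/UDP 192.0.2.33:5060;branch=z9hG4bK-3\r\n"
     "Call-ID: 3@192.0.2.33\r\n"
     "CSeq: 42 OPTIONS\r\n"
     "Max-Forwards: 70\r\n"
     "Content-Length: 0\r\n\r\n"),
]


def parse_headers(raw):
    """Return (method, [(name, value), ...]) for one SIP request.

    Header names are lower-cased; the header order of the wire format is kept,
    because that order is one of the features the fingerprint relies on.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed lines rather than drop the request
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return method, headers


def fingerprint(raw):
    """Tool fingerprint: (method, header-name order, User-Agent or '-')."""
    method, headers = parse_headers(raw)
    order = tuple(name for name, _ in headers)
    user_agent = next((v for n, v in headers if n == "user-agent"), "-")
    return (method, order, user_agent)


def cluster_by_tool(requests):
    """Map each fingerprint to the sorted list of source IPs that used it."""
    groups = defaultdict(set)
    for src, raw in requests:
        groups[fingerprint(raw)].add(src)
    return {fp: sorted(ips) for fp, ips in groups.items()}


if __name__ == "__main__":
    for fp, ips in cluster_by_tool(SAMPLE_REQUESTS).items():
        method, order, ua = fp
        print(f"{method:8} UA={ua!r:20} {len(order)} headers -> {ips}")
```

On the constructed input the two REGISTER requests collapse into one cluster with two source addresses, while the OPTIONS request forms its own, so a defender can count distinct sources per tool rather than per address. On real telescope data the same grouping would be applied over time to see whether a cluster's source set grows, which is how distributed scanning by one toolkit would surface.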

Publication
In IFIP Networking Conference
Harm Griffioen
Assistant Professor Cyber Security

My research interests include internet measurements, network security, and cyber threat intelligence.