General VoIP

Understanding and combating SIP-based VoIP abuse

Renaissance era hacker using a laptop

I was browsing around on Hacker News and if you’re not familiar, the good stuff is usually in the comments. I was intrigued by this comment (by @kkielhofner) and how he/she illustrates a common but often overlooked misconception about SIP. Specifically, the misunderstanding pertains to the role and implications of port 5060 and its associated traffic in a standard SIP deployment.

The role of Port 5060 in SIP cannot be overstated. It is used primarily for call control and typically sees very low traffic. The occasional bursts of traffic occur during call setup and tear-down processes, with periodic REGISTER messages sent at an interval measured in seconds. This low traffic, low bandwidth environment is a crucial element in understanding the problem we’re facing.

However, the problem lies not in the function of port 5060 itself, but in its vulnerability to VoIP abuse, primarily from scanning tools like sipvicious. In essence, these tools trawl the internet in search of exposed SIP ports, attempting to brute force their way into the systems through these open doors.

A good example of this is toll fraud. Here’s how it typically unfolds:

  1. An international toll free phone number is set up in any country, with a hypothetical rate of $5/minute. For the uninitiated, the cost of these calls gets charged to the caller by their phone company and shows up on their bill. A portion of this charge is then paid out (minus a fee) to the operator of the toll number.
    • Using the scanning tools, the perpetrators compromise a multitude of exposed SIP implementations across the internet.
    • The compromised systems are used to place calls to the aforementioned toll number.
    • The operator of the toll number gets paid from these toll charges.
    • Eventually, the owner of the compromised system receives an astronomical phone bill, the size of which depends on the efficiency of the carrier’s fraud detection systems and the rate at which the calls were made.

    This problem has escalated to the point where many VoIP providers have resorted to blocking international calls by default and, reportedly, may even be blocking 5060 traffic. This situation is not unlike the evolution of Simple Mail Transfer Protocol (SMTP) and the measures taken to combat spam.

    To prevent compromised systems from directly sending spam, many ISPs began blocking outbound TCP port 25, leading to the creation of port 465/587 for SMTP “submission”.

    Mitigating VoIP Abuse

    1. Firewalls and SIP-aware devices: The first and perhaps most obvious step would be to ensure that firewalls are correctly configured to protect SIP traffic. Using SIP-aware devices can also help in identifying and blocking potentially harmful traffic.

    2. Password Hygiene: Implementing strong, regularly changing passwords can help deter brute force attacks. Using complex combinations of characters, numbers and special symbols can significantly reduce the chances of a successful attack.

    3. Secure SIP: Just like HTTPS for web traffic, Secure SIP or SIPS provides a layer of encryption to SIP traffic, thereby providing enhanced security against unauthorized access and abuse.

    Note: With our virtual phone system we can enable SRTP/TLS encryption for a one-time fee. This will keep the SIP accounts created there secure. Contact us for details.

    4. Rate Limiting: Implementing rate limiting on SIP requests can reduce the potential for brute force attacks. By limiting the number of requests that can be made from an IP address within a specific timeframe, you can block scanners like sipvicious.

    5. Regular Auditing: Regular audits of call logs can help detect any unusual or potentially fraudulent activity. Automated alerts for abnormal call patterns can also prove beneficial in early detection and prevention of toll fraud.

    6. Disallow International Calls: Similar to many VoIP providers, you can consider blocking international calls by default. This, of course, will depend on the specific needs and requirements of your organization.

    At the end of the day, the world of SIP-based VoIP is a wild frontier that’s constantly changing. But don’t let that spook you. The key to wrangling this beast is understanding what you’re up against – knowing the ins and outs of port 5060, SIP, and the threats that come with ’em.

    Now, how do you keep your systems safe from these cyber cowboys? Start with a strong defense – that’s your firewalls, SIP-aware devices, and good password habits. Add a bit of encryption with Secure SIP, keep an eye on your call logs, and consider limiting the rate of SIP requests. If it suits your needs, you might even think about blocking international calls.

    Bottom line? The SIP-based VoIP landscape might seem like the wild west, but with the right know-how and some strategic moves, you’ve got a fighting chance to keep your systems safe and sound. Stay sharp, stay adaptive, and you’ll ride out ahead of these threats.

    By Nader Jaber

    Helping people communicate while trying to improve as a communicator myself.

    Leave a Reply