
Flowmon ADS

SIPSCAN - SIP Scans

  • Last Updated: April 5, 2026

Method description

This method detects devices that scan SIP stations in the monitored network segment. The typical purpose of this attack is to find available VoIP services that can be used for malicious outbound phone calls. Detection of individual scan types is activated with the RegisterScan, OptionsScan, and InviteScan parameters. The Threshold parameter sets the minimum number of accesses with the relevant SIP flag (Register, Options, Invite).

This method consists of the following submethods:

  • Register: Reports scanning of the devices used for VoIP. The detection uses the Register messages of the SIP protocol.

  • Options: Reports scanning of the devices used for VoIP. The detection uses the Options messages of the SIP protocol.

  • Invite: Reports scanning of the devices used for VoIP. The detection uses the Invite messages of the SIP protocol.

Method configuration

It is recommended to apply this method to all IP addresses of SIP devices in the monitored network segment. The right place for traffic monitoring is the Internet connection line. This detection method must be activated in combination with a Data feed that has SIP processing activated.

Method parameters

  • RegisterScan: Detection of SIP device scans that are using the Register flag.

  • OptionsScan: Detection of SIP device scans that are using the Options flag.

  • InviteScan: Detection of SIP device scans that are using the Invite flag.

  • Threshold: Minimum number of accesses with the relevant SIP flag (Register, Options, Invite).

Assigned filter

The filter restricts the destination IP addresses.

Interpretation of results

The scanning attacker is trying to detect either SIP PBXs and gateways or active SIP addresses. Detection of PBXs and gateways is horizontal scanning, seen especially in Register and Options scans; the information can be misused, for example, for eavesdropping. Detection of active SIP addresses is vertical scanning, seen especially in Invite scans; the information can be misused for telephone spam.
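
The following sketch shows how the parameters, the assigned filter, and the horizontal/vertical interpretation fit together. It is an added illustration, not Flowmon ADS code and not its actual algorithm. The record layout, the rule that one SIP request counts as one access, the horizontal/vertical heuristic, and the default values are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: (source IP, destination IP, SIP method, called user).
FLOWS = (
    [("198.51.100.7", f"10.0.0.{i}", "OPTIONS", "100") for i in range(1, 7)]
    + [("203.0.113.9", "10.0.0.5", "INVITE", str(1000 + i)) for i in range(6)]
    + [("192.0.2.20", "10.0.0.5", "REGISTER", "alice")] * 2
    + [("198.51.100.7", "172.16.0.1", "OPTIONS", "100")]  # outside the filter
)


def detect_sip_scans(flows, threshold=5, dst_filter="10.0.0.0/24",
                     register_scan=True, options_scan=True, invite_scan=True):
    """Report sources with at least `threshold` accesses per enabled SIP method."""
    enabled = {method for method, on in (("REGISTER", register_scan),
                                         ("OPTIONS", options_scan),
                                         ("INVITE", invite_scan)) if on}
    net = ip_network(dst_filter)
    hits = defaultdict(list)
    for src, dst, method, user in flows:
        # Assigned filter: only destinations inside the filter are counted.
        if method in enabled and ip_address(dst) in net:
            hits[(src, method)].append((dst, user))

    events = []
    for (src, method), seen in sorted(hits.items()):
        if len(seen) < threshold:  # assumption: one request = one access
            continue
        hosts = {dst for dst, _ in seen}
        users = {user for _, user in seen}
        # Assumed heuristic: more hosts than called users -> horizontal scan
        # (PBX/gateway discovery); otherwise vertical (SIP address enumeration).
        kind = "horizontal" if len(hosts) > len(users) else "vertical"
        events.append({"src": src, "submethod": method.capitalize(),
                       "accesses": len(seen), "hosts": len(hosts),
                       "addresses": len(users), "kind": kind})
    return events


if __name__ == "__main__":
    for event in detect_sip_scans(FLOWS):
        print(event)
```

With the constructed sample, the two REGISTER requests stay below the threshold and the OPTIONS request to 172.16.0.1 is dropped by the filter, so only the OPTIONS sweep and the INVITE enumeration are reported.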
