SIP - perhaps botnet? anyone else seeing this?

Leland E. Vandervort leland at
Fri Apr 10 04:32:09 CDT 2009

Legally speaking, we can't "grab packets" in this sense without a specific
validated complaint, court orders, and that kind of thing...  So all we
can do in the the absence of a specific complaint is in the context of our
day to day traffic analysis from the netflow data to identify anomalies..
hence this one...  (We have already taken action on a handful of known and
identified cases of SIP brute-force attacks in recent days).

Having said that, we have seen a vast increase
in the amount of abuse complaints about SIP authentication brute force
attacks in the past couple of days, which would tally with the traffic in
general as being actual SIP-Control.  The absence of associated RTP,
however, leads me to believe that it's either scanning, exploits, or
botnets, rather than legitimate SIP traffic.

Based on what I've seen in the past couple of days, I am sure that it's as
you mentioned, a SIP DDoS or brute-force attacks on SIP services...
(circumstantial evidence that it's actually SIP related rather than
something else on the same ports -- given the number of abuse complaints)

I was simply wondering if this was an overall trend globally, or if it's
simply a handful of bozos making life "fun" for the rest of us ;)



On Fri, 10 Apr 2009, Roland Dobbins wrote:

> On Apr 10, 2009, at 4:45 PM, Leland E. Vandervort wrote:
> > UDP SIP Control traffic in our netflow data.
> Have you grabbed some packets in order to ensure it's actually SIP,
> vs. something else on the same ports?
> If it really is SIP-related, this could be caused by botted hosts
> launching a SIP DDoS, or brute-forcing said SIP services in order to
> steal service for resale, DoS someone else via the service at layer-7
> (i.e., call avallanche), sent VoIP spam, et. al.  You may have botted
> hosts in your hosting space, as well as hosts being scanned as
> potential targets for exploitation.
> A quick search-engine query should reveal that this sort of thing has
> been going on for quite some time; I believe there were some
> convictions in NJ or somewhere else in the northeastern US within the
> last year or so.
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at> // +852.9133.2844 mobile
>    Our dreams are still big; it's just the future that got small.
> 		   -- Jason Scott

More information about the NANOG mailing list