SIP - perhaps botnet? anyone else seeing this?

Dane dane at
Wed Apr 15 11:35:43 CDT 2009

The timing of your email as well as a couple of seemingly unrelated
things that I have heard about make me think this might be related to
some large toll fraud scheme.

Today I heard from someone who says Verizon is telling them they see
about 700 calls per hour to Cuba originating from their PRI.

Obviously some type of toll fraud.  Got me thinking about this person's
phone system and how there has always been the issue of toll fraud
where someone calls in and knows how to get an outbound call routed
through a poorly set up PBX.

However the rate of 700 calls per hour and one PRI just don't make
sense or add up in a situation like the old toll fraud method
mentioned earlier since I believe that's more of a manual attack.

That's when I recalled this post of yours.  Made me wonder if there
was some way to exploit SIP to associate with a VoIP PBX or gateway or
something that was tied to PRIs and thus route your calls over
someone's phone system.

Sure enough found some discussions and posts regarding toll fraud to
Cuba (and others) in relation to SIP.

For instance, Cisco's CallManager Express device which is a router as
well as VoIP PBX is often tied to PSTN or PRIs and by default allows
H323 TCP/1720 and SIP UDP/5060 ports open by default.

It may seem obvious to others but new to me that these scans are
related to someone or some group looking to find devices with these
ports open in an effort to attach to them through SIP and hopefully
exploit if attached to PRIs or PSTN for toll fraud.

I really do learn something new every day, some smart deviant people out there.

On Fri, Apr 10, 2009 at 3:45 AM, Leland E. Vandervort
<leland at> wrote:
> Hi All,
> Over the past couple of days we have been seeing an exponential increase
> (about 200-fold)
> in the amount of UDP SIP Control traffic in our netflow data.  The past 24
> hours, for example, has shown a total of nearly 300 GB of this traffic
> incoming and over 400 GB outgoing -- this despite the fact that we do not
> host any SIP services ourselves, and currently to my knowledge, we have no
> hosting customers running any kind of SIP services.  (Total RTP traffic
> for 24 hours is only in the region of 150 Kb -- so a vast imbalance
> between control and RTP)
> The local sources/destinations of the traffic are within our hosting
> space, but are spread across a wide range of hosts (i.e. nothing really
> related to a single or handful of hosts).
> Additionally over the past couple of days we have seen an increase of
> mails to our abuse desk for "brute force" attempts against a number of SIP
> services... possibly directly related to this traffic.
> Is anyone aware of a new variant or modus-operandi of botnets in
> circulation in the past couple of days which attempt to exploit SIP
> services?  Has anyone else noticed a significant increase in this kind of
> traffic?
> Thanks
> Leland
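
The signal described in the quoted message (heavy UDP SIP control traffic with almost no RTP, spread across many hosts) can be checked per host in flow data. The following is an added example, not part of either post: the RTP port range, the thresholds, the function names and the sample flows are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SIP_PORT = 5060                   # SIP signalling over UDP, the port named in the thread
RTP_PORTS = range(16384, 32768)   # assumption: the site's RTP media port range

def summarize(flows, local_net):
    """Aggregate SIP signalling bytes, RTP bytes and SIP peers per local host."""
    net = ipaddress.ip_network(local_net)
    stats = defaultdict(lambda: {"sip": 0, "rtp": 0, "peers": set()})
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        src_local = ipaddress.ip_address(src) in net
        dst_local = ipaddress.ip_address(dst) in net
        if src_local == dst_local:    # skip purely internal or purely transit flows
            continue
        host, peer = (src, dst) if src_local else (dst, src)
        if SIP_PORT in (sport, dport):
            stats[host]["sip"] += nbytes
            stats[host]["peers"].add(peer)
        elif sport in RTP_PORTS and dport in RTP_PORTS:
            stats[host]["rtp"] += nbytes
    return stats

def flag_hosts(stats, min_peers=3, max_media_ratio=0.1):
    """Return hosts with SIP signalling to many peers but almost no media."""
    flagged = []
    for host, s in stats.items():
        if s["sip"] and len(s["peers"]) >= min_peers \
                and s["rtp"] / s["sip"] <= max_media_ratio:
            flagged.append(host)
    return sorted(flagged)

# Constructed sample flows (documentation address ranges), not data from the thread:
# (src, src_port, dst, dst_port, proto, bytes)
SAMPLE = (
    [("192.0.2.10", 5060, f"198.51.100.{i}", 5060, "udp", 900) for i in range(1, 6)]
    + [(f"203.0.113.{i}", 5071, "192.0.2.30", 5060, "udp", 1200) for i in range(1, 5)]
    + [("192.0.2.20", 5060, "198.51.100.50", 5060, "udp", 2000),
       ("192.0.2.20", 16500, "198.51.100.50", 17000, "udp", 500000),
       ("192.0.2.20", 44321, "198.51.100.80", 443, "tcp", 80000)]
)

if __name__ == "__main__":
    for host in flag_hosts(summarize(SAMPLE, "192.0.2.0/24")):
        print("signalling-heavy host:", host)
```

A host that places real calls (192.0.2.20 in the sample) carries far more RTP than signalling and talks SIP to few peers, so it is not flagged.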
