Dodging Sipvicious Script Kiddies

Written by Erick Johnson

How to dodge Sipvicious scripts.


Occasionally we find one of our SIP servers being probed/attacked by some joker running sipvicious. If you're watching traffic on your server and see a flood of packets that look like this:

REGISTER sip:5233@1.2.3.4 SIP/2.0
Via: SIP/2.0/UDP 50.57.182.157:5337;branch=z9hG4bK-290698590;rport
Content-Length: 0
From: "5233"<sip:5233@1.2.3.4>; tag=353233330132343732353834313430
Accept: application/sdp
User-Agent: friendly-scanner
To: "5233"<sip:5233@1.2.3.4>
Contact: sip:5233@1.2.3.4
CSeq: 1 REGISTER
Call-ID: 1477783886
Max-Forwards: 70

then you're getting attacked too. There are some other flavors of sipvicious floating around out there as well that identify themselves in various ways, but "friendly-scanner" is the default.
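If you want to flag these probes automatically rather than eyeballing packet dumps, here is a small detector written for this post (it is not part of sipvicious or any product). It parses a SIP message, checks the User-Agent, and hex-decodes the From tag: in the REGISTER above, the tag decodes to the probed extension, a 0x01 byte, and a number, which is a much better signature than the User-Agent string since that is trivially changed. The sample message is constructed from the packet shown above; decoding the tag bytes as Latin-1 is an assumption made for display.

```python
import binascii
import re

# Constructed sample: the REGISTER probe shown above (headers as on the page).
PROBE = (
    "REGISTER sip:5233@1.2.3.4 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 50.57.182.157:5337;branch=z9hG4bK-290698590;rport\r\n"
    "Content-Length: 0\r\n"
    'From: "5233"<sip:5233@1.2.3.4>; tag=353233330132343732353834313430\r\n'
    "User-Agent: friendly-scanner\r\n"
    'To: "5233"<sip:5233@1.2.3.4>\r\n'
    "CSeq: 1 REGISTER\r\n\r\n"
)

def parse_headers(msg):
    """Return {lowercased header name: value}, skipping the request/status line."""
    headers = {}
    for line in msg.split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def from_tag(headers):
    """Extract the tag parameter from the From header, or None."""
    m = re.search(r"tag=([^;\s]+)", headers.get("from", ""))
    return m.group(1) if m else None

def decode_tag(tag):
    """Hex-decode a tag and split it on 0x01; None if the tag is not pure hex."""
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", tag):
        return None
    raw = binascii.unhexlify(tag)
    # Latin-1 maps every byte to a character, so decoding never fails (assumption).
    return [part.decode("latin-1") for part in raw.split(b"\x01")]

def classify(msg):
    """Return the reasons this message looks like a sipvicious probe ([] if none)."""
    h = parse_headers(msg)
    reasons = []
    if "friendly-scanner" in h.get("user-agent", "").lower():
        reasons.append("User-Agent friendly-scanner")
    fields = decode_tag(from_tag(h) or "")
    user = re.search(r"sip:([^@>]+)@", h.get("from", ""))
    # Signature from the packet above: first decoded field == the extension being probed.
    if fields and len(fields) > 1 and user and fields[0] == user.group(1):
        reasons.append("From tag hex-encodes the probed extension")
    return reasons
```

The second check still fires when the scanner's User-Agent has been renamed, which is why it is worth keeping both.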

The most recent releases of sipvicious, since about mid 2010, have included a tool called svcrash.py. The tool lets you crash a remotely running sipvicious client by sending it a specially crafted SIP response, assuming the remote client is an up-to-date copy that nobody has patched. The mechanism it uses is EXTREMELY simplistic, so it could be patched by anybody with any coding talent in a matter of minutes, but it's not so simplistic that it can be found with grep. The author certainly acknowledges the weakness of svcrash as well, but he provides it as a courtesy to stop the script kiddies. Anyway, here's the special response packet that will crash one of these friendly scanners:

SIP/2.0 200 OK
Via: SIP/2.0/UDP 8.7.6.5:5061;branch=z9hG4bK-573841574;rport
Content-length: 0
From: "100"<sip:100@localhost>; tag=683a653a7901746865726501627965
User-agent: Telkom Box 2.4
To: "100"<sip:100@localhost>
Cseq: 1 REGISTER
Call-id: 469585712
Max-forwards: 70

Now it's not obvious from looking at this packet what causes the crash, but here's a hint: this packet would crash it too:

SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.0.1:5060;received=1.2.3.4;rport=5060;branch=z9hG4bK214549178
From: <sip:somedude@example.com>;tag=796f7501676f74016974
To: <sip:somedude@example.com>;tag=75d09fb22ceadb40012c6e771a69dc74.0d5d
Call-ID: 1973675384
CSeq: 214 REGISTER
Contact: <sip:somedude@1.2.3.4>;expires=239;received="sip:1.2.3.4:5060"
Server: OpenSIPS
Content-Length: 0

Let's see if you can figure out what the trick is.