Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

sipvicious

Hi,

I have problems with SIP Hacking,  help me how can I fix this.

OPTIONS sip:100@IP ADD SIP/2.0

Via: SIP/2.0/UDP 127.0.0.1:5180;branch=z9hG4bK-3693168508;rport

Content-Length: 0

From: "sipvicious"<sip:100@1.1.1.1>;tag=64356133376637333133633401393935313333303332

Accept: application/sdp

User-Agent: friendly-scanner

To: "sipvicious"<sip:100@1.1.1.1>

Contact: sip:100@127.0.0.1:5180

CSeq: 1 OPTIONS

Call-ID: 456773518555149703728717

Max-Forwards: 70

Sincerely,

Gezim

6 REPLIES
Hall of Fame Super Gold

sipvicious

Start mentioning phone system and version you are using.

sipvicious

"Sipvicious" and "Sunday ddr" attacks are common and frequently in Internet.

If your VoIP system must be directly exposed in Internet, I suggest you to configure a WHITE Access List to allow only friendly network, use strong password to protect all SIP accounts and change SIP standard ports.

I use also IPS and IDS like Tipping Point and Ingate. They have special filter rules to prevent Sipvicious attacks.

Regards.

Community Member

Hi, I know it has been awhile

Hi, I know it has been awhile, but I want to know if you have found a solution for that?

I'm facing this same issue right now...I'm using CUCM 9.1 with 4331 router all SIP to ITSP.

If anyone can point to the right direction, I appreciate!

Ca you enable the ip address

Ca you enable the ip address trust list on your platform?

voice service voip                                    
    ip address trusted list 
Community Member

I have that settings already.

I have that settings already. This feature is more to prevent toll fraud, and sip vicious is a kind of attack snooping the network. 

I was wondering if using SIP Profile would prevent or block this option message with sip vicious. Thanks!

For my experience you cannot.

For my experience you cannot.

SIP OPTIONS are messages handled by the router itself. No dial-peers are matched.

You can build a sip-profile but this feature is not thinked as a match criteria and so you cannot reject or ignore a message.

The sip profile should be applied globally:

voice service voip
sip
sip-profiles 100

voice class sip-profiles 100
request OPTIONS sip-header User-Agent ... (only remove, modify or copy actions are allowed).

My suggestion is to apply an ACL to filter all unwanted SIP traffic.

If you cannot filter IP traffic (this is also my case) my suggestion is to put infront of the cisco an SBC able to filter these attacks.
In my carrier-class scenario I use ORACLE Acme-Packet SBC with a sipShield feauture.
Also IPS like Tipping Point or SonicWall are able to recognize and filter these attacks.
If you want you can also use a virtual machine with a free Kamailio or OpenSIPS proxy before the cisco just to filter them.

Regards.

2336
Views
0
Helpful
6
Replies
CreatePlease to create content