SIP Honeynet

Intuitive Labs SIP honeynet collects SIP scans in multiple geographic regions. This is one of our ways to detect and learn SIP attacks patterns and their originators. The VoIP DoS and fraud threats are serious and telecom damages are reported by Europol and CFCA to reach tens of billions US dollars annually. While a worldwide number may sound abstract, a telecom bill for an attacked PBX may be very real. We believe that the first responsibility of any company with focus on network security is to understand the threats and provide a fact-based view to the professional community. Here is our contribution: our honeynet's map of SIP attack origins and a blacklist of the attack source IP addresses.

Our honeynet is worldwide


The list of malicious IP addresses we have captured in our honeynet is available for download using the ApiBAN HTTP/JSON-based protocol. To download the current list simply follow our BLACKLIST LINK. For automated updates on linux OS, use our APIBAN TOOL.

RPM packages repository:

  • yum -y install yum-utils

  • yum-config-manager --add-repo

  • yum install apiban-ipsets

Attack Anatomy: Speed

Here is the first of several observations we have made using our honeynet. First of all: scans, i.e. attempts to make phone calls without a password or with a weak passwords, occur at a stunning rate of 100-150 attempts per second. It is also typical that such a scan begins off-hours after midnight. It rarely takes more than a minute for scans to appear after you turn on a SIP server.

Speed for Guessing

The same scan we captured shows what kind of telephone numbers the attacker is trying to reach. The attacker is trying to reach a Swedish telephone number (+46) using various prefixes common in PBXes: `+`, `900`, `9011`, `000`, etc. The number of attacks for each prefix, about 90 thousands, suggests the attacker was looking for weak passwords. If he found a workable prefix and password, calls would have begun immediately.

Attack Automation

So many iterations are of course done using automated tools. They are publicly available. Most popular ones are penetration tools `sipcli` and `friendly-scanner` and by default they include their signatures in the SIP messages they produce. In our attack the perpetrator might have used one of those but in attempt to conceal his intentions, he presented the messages as coming from a `Cisco-SIPGateway`.


While most of the attacks rely on brute-force, some try to exploit software vulnerabilities in popular software such as Asterisk. An often observed technique is "SQL injection": smuggling database query elements through signaling in the system in order to compromise database integrity and generate/remove CDRs, manipulate access control lists or otherwise gain control over the system.