https://live.paloaltonetworks.com/t5/general-topics/sip-register-message-brute-force-attack/m-p/428864#M94801 <P>That is good question.&nbsp; In order for a session to be seen/evaluated by the FW, we would agree that there needs to be a 3 way handshake between Client and Server (responder).&nbsp; So, the FW is seeing multiple of these requests coming in from the CLIENT.&nbsp; We (the FW) are see these attempts.&nbsp; Why are you clients sending these?&nbsp; We do not know, and I believe you may not know.&nbsp; Only the developer of the SIP application can determine how and why their application is sending out the packets.&nbsp; I have so many crazy (non protocol following) applications. For example... when Chrome users go out to the Internet, why does Chrome perform a host sweeping technique (communicating to various servers on port 80/443) rather than connect to a single server?&nbsp; This is due to the application and we (the FW/security guys) have the visibility to see unusual patterns of traffic, due to developer's application.&nbsp; So.. I guess you will need to read/research/contact the SIP application company to see why they do the things they do.&nbsp; (sorry, wish I could be more helpful)</P> Tue, 24 Aug 2021 16:46:38 GMT S.Cantwell 2021-08-24T16:46:38Z https://live.paloaltonetworks.com/t5/general-topics/sip-register-message-brute-force-attack/m-p/427217#M94586 <P>Can anyone suggest why this alerts keep triggering on regular basis. Internal connection - destination port is 5060. Observed multiple SYN/FIN connection.</P><P>&nbsp;</P><P><STRONG>SIP Register Request Attempt(33592</STRONG><SPAN>)</SPAN><BR /><BR /><SPAN>SIP clients typically use TCP or UDP on port numbers 5060 or 5061 for SIP traffic to servers and other endpoints. Port 5060 is commonly used for non-encrypted signaling traffic whereas port 5061 is typically used for traffic encrypted with Transport Layer Security (TLS).</SPAN><SPAN>A SYN-FIN flood is a DDoS attack designed to disrupt network activity by saturating bandwidth and resources on stateful devices in its path. By continuously sending SYN-FIN packets towards a target, stateful defenses can go down (In some cases into a fail open mode).</SPAN><SPAN>On checking logs in DT,</SPAN><BR /><SPAN># SF Normal establishment and termination.</SPAN><BR /><SPAN># RSTR Established, responder aborted.</SPAN><BR /><SPAN># SH Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).</SPAN><BR /><SPAN># OTH No SYN seen, just midstream traffic (a "partial connection" that was not later closed).</SPAN></P> Tue, 17 Aug 2021 03:02:04 GMT https://live.paloaltonetworks.com/t5/general-topics/sip-register-message-brute-force-attack/m-p/427217#M94586 MUNNA2117 2021-08-17T03:02:04Z https://live.paloaltonetworks.com/t5/general-topics/sip-register-message-brute-force-attack/m-p/428864#M94801 <P>That is good question.&nbsp; In order for a session to be seen/evaluated by the FW, we would agree that there needs to be a 3 way handshake between Client and Server (responder).&nbsp; So, the FW is seeing multiple of these requests coming in from the CLIENT.&nbsp; We (the FW) are see these attempts.&nbsp; Why are you clients sending these?&nbsp; We do not know, and I believe you may not know.&nbsp; Only the developer of the SIP application can determine how and why their application is sending out the packets.&nbsp; I have so many crazy (non protocol following) applications. For example... when Chrome users go out to the Internet, why does Chrome perform a host sweeping technique (communicating to various servers on port 80/443) rather than connect to a single server?&nbsp; This is due to the application and we (the FW/security guys) have the visibility to see unusual patterns of traffic, due to developer's application.&nbsp; So.. I guess you will need to read/research/contact the SIP application company to see why they do the things they do.&nbsp; (sorry, wish I could be more helpful)</P> Tue, 24 Aug 2021 16:46:38 GMT https://live.paloaltonetworks.com/t5/general-topics/sip-register-message-brute-force-attack/m-p/428864#M94801 S.Cantwell 2021-08-24T16:46:38Z https://live.paloaltonetworks.com/t5/general-topics/sip-register-message-brute-force-attack/m-p/428866#M94803 <P>To add to my statement.&nbsp; If you want, just modify that ID from alert to ALLOW, and commit.&nbsp; now, you will not see those alerts (but you also have not determined why.... )</P> Tue, 24 Aug 2021 16:47:44 GMT https://live.paloaltonetworks.com/t5/general-topics/sip-register-message-brute-force-attack/m-p/428866#M94803 S.Cantwell 2021-08-24T16:47:44Z https://live.paloaltonetworks.com/t5/general-topics/sip-register-message-brute-force-attack/m-p/428938#M94812 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190846">@MUNNA2117</a>,</P><P>Just a suggestion, but do you have a Message Waiting Indicator (MWI) light on your phones? This sounds a lot like MWI registration which in general is pretty poorly implemented across most vendors. Easy enough to work around, but I would guess that this is due to that MWI registration process.&nbsp;</P> Tue, 24 Aug 2021 21:10:43 GMT https://live.paloaltonetworks.com/t5/general-topics/sip-register-message-brute-force-attack/m-p/428938#M94812 BPry 2021-08-24T21:10:43Z