SIP Register Message Brute Force Attack

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SIP Register Message Brute Force Attack

L0 Member

Can anyone suggest why this alerts keep triggering on regular basis. Internal connection - destination port is 5060. Observed multiple SYN/FIN connection.

 

SIP Register Request Attempt(33592)

SIP clients typically use TCP or UDP on port numbers 5060 or 5061 for SIP traffic to servers and other endpoints. Port 5060 is commonly used for non-encrypted signaling traffic whereas port 5061 is typically used for traffic encrypted with Transport Layer Security (TLS).A SYN-FIN flood is a DDoS attack designed to disrupt network activity by saturating bandwidth and resources on stateful devices in its path. By continuously sending SYN-FIN packets towards a target, stateful defenses can go down (In some cases into a fail open mode).On checking logs in DT,
# SF Normal establishment and termination.
# RSTR Established, responder aborted.
# SH Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).
# OTH No SYN seen, just midstream traffic (a "partial connection" that was not later closed).

3 REPLIES 3

Cyber Elite
Cyber Elite

That is good question.  In order for a session to be seen/evaluated by the FW, we would agree that there needs to be a 3 way handshake between Client and Server (responder).  So, the FW is seeing multiple of these requests coming in from the CLIENT.  We (the FW) are see these attempts.  Why are you clients sending these?  We do not know, and I believe you may not know.  Only the developer of the SIP application can determine how and why their application is sending out the packets.  I have so many crazy (non protocol following) applications. For example... when Chrome users go out to the Internet, why does Chrome perform a host sweeping technique (communicating to various servers on port 80/443) rather than connect to a single server?  This is due to the application and we (the FW/security guys) have the visibility to see unusual patterns of traffic, due to developer's application.  So.. I guess you will need to read/research/contact the SIP application company to see why they do the things they do.  (sorry, wish I could be more helpful)

Help the community: Like helpful comments and mark solutions

To add to my statement.  If you want, just modify that ID from alert to ALLOW, and commit.  now, you will not see those alerts (but you also have not determined why.... )

Help the community: Like helpful comments and mark solutions

Cyber Elite
Cyber Elite

@MUNNA2117,

Just a suggestion, but do you have a Message Waiting Indicator (MWI) light on your phones? This sounds a lot like MWI registration which in general is pretty poorly implemented across most vendors. Easy enough to work around, but I would guess that this is due to that MWI registration process. 

  • 6764 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!