We responded today to an attack on a nationwide Service Provider. They reported up to 69 REGISTERs per second originating from an IP address in Anhui province, China. 69 REGISTERs per second is roughly the equivalent load of 5,000 users.
Unfortunately for the victims, the "friendly scanner", SIPVicious runs very hot and fast, apparently blasting out lots of requests without even waiting for earlier attempts to fail. The SIPVicious tool is focused on cracking SIP PBXs, and will be only so slightly less effective on Carrier VoIP systems.
The main reports of problems due to SIP Registration scanning are server overloads. But if the registration scanner users are smart, they'll slow down their rates so they don't alarm the parties being probed.
How do you defend against SIP Registration storms?
- For registering endpoints like SIP phones and IADs always use SIP authentication! use quality passwords.
- If you have a competent Session Border Controller like the Acme Packet OS-C system, you can blacklist devices after they fail a few REGISTER attempts.
- If you're using non-registering SIP (such as SIP peerings for SIP Trunking), you should have a small number of SIP signaling IP addresses. Use firewall rules / or ACLs to block all SIP except for what comes from that small list.
- Use heavy-hitter detectors to spot SIP devices that are sending more-than-normal traffic loads, and alarm your staff.