...

Prevention - While the attack is frustrating, you can prevent it by isolating the types of SIP traffic you receive. Isolation can occur at your ISP, firewall/router, or phone. The options below depend on your configuration.

Info

If you’re using a Polycom phone, the resolution is simple: turn on the “VOIP Protection” setting under advanced options (Admin>Configuration>Extensions>extension in use).

...

Otherwise, please proceed with the manual option below.

  1. Identify and block attacker - This method is likely only a short-term fix because the attacker can change their source IP address. However, if you're pressed for time and have quick access to block an IP address on your firewall or router, this will get you by.

    1. Use Wireshark or firewall logs to identify unwanted traffic on SIP port 5060 inbound.

    2. Block traffic from the identified IP address.

    3. Sharpen's IP ranges are subject to change. If you're troubleshooting an attacker and need to validate which IPs are safe, please reach out to SharpenCare and we can confirm the acceptable IP range to allow.

  2. Block by User-Agent

    • The User-Agent for calls coming from the Sharpen platform will show as Fathom Voice vX.X.X. The following table shows some of the most common SIP User-Agents presented by SIP scanning tools. You can choose to block by User-Agent, or only allow specific User-Agents.

      • sipcli
      • gulp
      • sipvicious
      • sipv
      • sip-scan
      • smap
      • sipsak
      • friendly-request
      • sundayddr
      • VaxIPUserAgent
      • friendly-scanner
      • VaxSIPUserAgent
      • iWarsip
      • siparmyknife
      • CSipSimple
      • Test Agent
      • SIVuS

  3. Accept traffic from known registrar

    • Each IP phone maintains a registration to one of the many SIP registration points within the Sharpen network. Sharpen's SIP infrastructure is dynamic and redundant, so a long-term configuration cannot rely on a static registration point. When a phone boots, it reads the registration server defined in our distributed configuration file and registers to it. Should the registration point change, the file is updated and the phone then registers to the new SIP server. Because of this design, accepting traffic only from a known registration point has to be done dynamically. Polycom and Yealink phones have configuration options that accept traffic only from the SIP server the phone is currently registered to. Follow the instructions below for your respective device.

    • Polycom

      1. Identify the IP address of your Polycom phone (Settings>Status>Network>TCP/IP Parameters)

      2. In a web browser, enter https://x.x.x.x (e.g., https://10.0.5.68) to navigate to the web configuration for the phone

      3. Depending on your browser, you will see a variation of a security warning. Choose to proceed to the web page

      4. Authenticate using Admin as the user, and 6311 as the password

      5. Choose Utilities>Import & Export configuration

      6. Download the requestValidation_digest_INVITE.cfg file to import

      7. Select Choose File and navigate to the downloaded file

      8. Choose Import

      9. Reboot phone

    • Yealink

      1. Identify the IP address of your Yealink phone (Press OK button on the phone from the home screen)

      2. In a web browser, enter https://x.x.x.x (e.g., https://10.0.5.68) to navigate to the web configuration for the phone

      3. Depending on your browser, you will see a variation of a security warning. Choose to proceed to the web page

      4. Authenticate using admin as the user, and admin as the password

      5. Choose the Features tab

      6. Choose General Information

      7. Find the "Accept SIP Trust Server Only" parameter and set to Enabled

      8. Select Confirm

      9. Reboot phone
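
For option 2 (block by User-Agent) above, here is an added Python example, not Sharpen's or any phone vendor's code. It parses raw SIP messages, extracts the User-Agent header, and applies either the block list from the table or an allow-only policy for Fathom Voice. The sample messages, IP addresses and the version number v1.2.3 are constructed for illustration.

```python
import re

# Scanner User-Agent strings from the table on this page (matched case-insensitively).
SCANNER_AGENTS = (
    "sipcli", "gulp", "sipvicious", "sipv", "sip-scan", "smap", "sipsak",
    "friendly-request", "sundayddr", "VaxIPUserAgent", "friendly-scanner",
    "VaxSIPUserAgent", "iWarsip", "siparmyknife", "CSipSimple", "Test Agent", "SIVuS")
ALLOWED_PREFIX = "Fathom Voice"  # platform calls show as "Fathom Voice vX.X.X"

def user_agent(raw):
    """Return the User-Agent value of a raw SIP message, or None if absent."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]   # headers only, no body
    head = re.sub(r"\n[ \t]+", " ", head)                  # unfold continuation lines
    for line in head.split("\n")[1:]:                      # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":   # header names are case-insensitive
            return value.strip()
    return None

def verdict(raw, allow_only=False):
    """Return 'drop' or 'allow'. allow_only=True permits only the platform User-Agent."""
    # User-Agent is client-supplied: this filters commodity scanners, it does not authenticate.
    ua = user_agent(raw) or ""
    if ua.startswith(ALLOWED_PREFIX):
        return "allow"
    if allow_only:
        return "drop"
    hit = any(s.lower() in ua.lower() for s in SCANNER_AGENTS)
    return "drop" if hit else "allow"

def offenders(capture, allow_only=False):
    """Map source IP -> User-Agent for every message that would be dropped."""
    return {ip: user_agent(raw) for ip, raw in capture
            if verdict(raw, allow_only) == "drop"}

def _msg(method, ua_line):
    # Constructed sample message; all addresses are documentation ranges.
    return (f"{method} sip:100@192.0.2.10 SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1\r\n"
            f"{ua_line}"
            "Content-Length: 0\r\n\r\n")

SAMPLE_CAPTURE = [  # (source IP, raw SIP message), constructed
    ("203.0.113.5", _msg("OPTIONS", "User-Agent: friendly-scanner\r\n")),
    ("203.0.113.9", _msg("INVITE", "user-agent:  SIPVicious\r\n")),
    ("198.51.100.7", _msg("INVITE", "User-Agent: Fathom Voice v1.2.3\r\n")),
    ("203.0.113.20", _msg("INVITE", "User-Agent: ExamplePhone 1.0\r\n")),
    ("203.0.113.30", _msg("INVITE", "")),  # no User-Agent header at all
]
```

Calling `offenders(SAMPLE_CAPTURE)` lists the source IPs matching the scanner table, which feeds the short-term IP block in option 1; `allow_only=True` also drops unknown or missing User-Agents.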

...
