[asterisk-users] Decoding SIP register hack

Daniel Tryba daniel at tryba.nl
Thu May 17 15:47:07 CDT 2018

On Thu, May 17, 2018 at 12:27:17PM -0400, sean darcy wrote:
> >		WARNING.* .*: fail2ban='<HOST>'
> >
> ># Option:  ignoreregex
> ># Notes.:  regex to ignore. If this regex matches, the line is ignored.
> ># Values:  TEXT
> >#
> >ignoreregex =
> >
> >
> Thanks. Very useful as a tutorial for fail2ban.
> But I don't think it covers this SIP hack. This guy isn't trying to
> register.

His filter doesn't only trigger on REGISTERs, see the last line of the
matches and the context for guests (which logs the pattern of the last
line of the filter on an INVITE).

>  That why I find it puzzling. What is he trying to do ?

There are sip servers publicly reachable that will relay INVITEs, make
sure yours aren't. And there are only 2 kinds of operators of sip
-those that have been the victim of toll fraud
-those that will be the victim of toll fraud

You can do nothing to stop this kind of traffic. The only thing you can
do is block it, either using only a whitelist (cumbersome) or generate a
blacklist with for example fail2ban or a more elaborate honeypot setup.
Or setup a proxy that will filter patterns you discover from 

BTW this is not a person, this is an automated script, running most
likely on compromised machines and sending spoofed ips. These scripts
care about generating a ring on a phone (again most an abuseable/hacked
account (or purchased with CC fraud)). If they find a server that does,
it will be targetted for all kind of fraud.

More information about the asterisk-users mailing list