
BCP - SIPVicious Protection

Revision History

Version       Author          Description of Changes   Date Revision Completed
520-0052-00   Patrick Manor   Initial Release          01-24-2011

Copyright 2010 Acme Packet, Inc. All Rights Reserved.

Status of this memo


Acme Packet Best Current Practices are working documents of the Professional Services department of
Acme Packet, Inc. Note that other groups may also distribute working documents as Best Current Practices.
Best Current Practices are working documents valid until explicitly obsoleted, and may be updated, replaced
or obsoleted by other documents at any time. It is recommended to use Best Current Practice as reference
material as well as to cite them in other works in progress.

Abstract
The use of the RFC 2119 keywords is an attempt to assign the correct requirement levels ("MUST",
"SHOULD", "MAY", etc.).
Distributed Denial of Service (DDoS) attacks are a legitimate threat to Voice over IP (VoIP) networks and
may severely impact the stability and performance of unprotected VoIP networks. These attacks may or may
not be malicious; in either case they should not adversely affect the operation of currently trusted users.
SIPVicious is a free suite of tools which can be used to audit SIP networks. The suite consists of tools to
find SIP devices, identify extensions of SIP PBXs, and crack passwords used in authentication. Although it is
meant as a tool to help network administrators verify the security of their networks, it can also be used
maliciously, either to steal VoIP services or to render VoIP devices useless by consuming processing
resources. Ideally, the SD should drop all SIP messages from the offending IP address and not use CPU
resources processing these messages.

This document outlines configuration recommendations to be employed on the Acme Packet Session
Director (SD) to reduce the negative effects of these tools when targeting the SD. These configuration
techniques will reduce the impact of these attacks and help maintain a high level of service for legitimate,
trusted users.

Best Current Practices should be used when either (a) deploying a new SD, or (b) updating existing
configuration implemented before this document was available. When in conflict with Customer
requirements or desires, the Customer's preference SHOULD take precedence.

Applicability
This document is applicable to NN3000 and NN4000 Session Directors.

Best Current Practice

SIPVicious Protection

January 2011

Contents

1   Introduction ................................................... 3
    1.1  Overview .................................................. 3
    1.2  Intended Audience ......................................... 3
2   SIPVicious Protection .......................................... 4
    2.1  Goals ..................................................... 4
    2.2  SIPVicious friendly-scanner Attacks ....................... 4
3   Recommendations ................................................ 5
    3.1  Access Environments ....................................... 5
         3.1.1  SIP Manipulation Rule .............................. 6
         3.1.2  Deny Offending User using DDoS Configuration ....... 9
    3.2  Peering Environments ...................................... 11
4   Normative References ........................................... 12
5   Author's Address ............................................... 13
6   Disclaimer ..................................................... 14
7   Full Copyright Statement ....................................... 15

Acronyms and Definitions

DDoS:   Distributed Denial of Service
SD:     Acme Packet Net-Net Session Director
VoIP:   Voice over IP
HA:     High Availability
BCP:    Best Current Practices
HMR:    Header Manipulation Rule
ACL:    Access Control List

520-0052-00

Acme Packet Proprietary and Confidential

Page 2 of 15

1 Introduction

1.1 Overview

This document is designed to provide configuration recommendations to combat possible malicious attacks
by the test suite SIPVicious or similar SIP tools. Several methods will be discussed as not all solutions may
be acceptable in all customer environments. The goal is to drop all packets from these devices without
responding. This is not possible in all cases, but configurations will be recommended to reduce the impact of
a SIPVicious attack on CPU resources and allow uninterrupted service to known trusted endpoints.

1.2 Intended Audience

This document is intended for use by Acme Packet Systems Engineers, third party Systems Integrators, and
end users of the Session Director. It assumes that the reader is familiar with basic operations of the Session
Director, and has attended the following training course(s) (or has equivalent experience):
EDU-CAB-C-CLI: Net-Net 3000/4000 Configuration Basics
EDU-ADV-OE: Net-Net Advanced Configuration

2 SIPVicious Protection

2.1 Goals
- Provide configuration recommendations which will drop all SIPVicious friendly-scanner
  messages without responding to the sender.
- Provide configuration recommendations that will limit similar SIP Registration attacks that
  cannot be identified as a SIPVicious scan.
- It is not a goal to provide actual parameter values for DDoS configuration in this document,
  only to illustrate which parameters should be modified.

2.2 SIPVicious friendly-scanner Attacks

SIPVicious is a free suite that provides tools to scan IP addresses looking for SIP devices, help identify
active PBX extensions, as well as provide a mechanism to crack passwords for SIP PBX users.
For this document, we will focus on the svcrack tool, which floods the SD with SIP registrations at a high rate.
This is sometimes referred to as the friendly-scanner attack, as the tool populates its User-Agent header
field with friendly-scanner. svcrack sends many SIP registrations with various credentials to try to
determine the password for a particular user. This tool creates a large amount of untrusted traffic which is
sent to the SD and can consume all CPU resources if DDoS settings are not correctly configured. The SD
will also process and forward these SIP registrations at a high rate to SIP registrars. Ideally, the SD would
drop these packets and not respond to the endpoints running these scans.
While the SIPVicious scans use friendly-scanner as the default User-Agent header, more and more
instances of similar attacks using different, non-identifying User-Agent names are being seen. To handle
these attacks, DDoS configuration on the SD must be implemented to limit the level of untrusted traffic
allowed and to deny service to endpoints making these attacks.
The recommendations in the next section will include a method to drop any message with the User-Agent
friendly-scanner, as well as a configuration method that will help reduce untrusted traffic and deny offending
endpoints.

3 Recommendations

3.1 Access Environments

In this document, we will focus mostly on SIP Access environments, as this issue should not be as prevalent
in SIP Peering environments.
The first method involves using configuration, including SIP manipulation rules, to drop all messages
received from a friendly-scanner without responding to the sender. This method will be successful in the
scenario where the content of the User-Agent SIP header field is the string: friendly-scanner.
However, as noted, it is becoming more prevalent that the User-Agent header is being modified from
friendly-scanner to a more generic name such as User-Agent: Asterisk PBX. This means an attack
cannot be identified by only looking at this header. For these cases, a more intensive DDoS configuration is
required to limit the amount of untrusted bandwidth that can be consumed by these attacks, as well as to deny
messages from offending endpoints after a certain threshold has been exceeded. A solution for this scenario
will be discussed below.
A general recommendation is to configure DDoS protection on the SD. Basic DDoS configuration settings
are outlined in the Denial of Service Configuration Guidelines BCP [1] and the Basic DDoS Configuration for
SIP Access Environments BCP [2]. However, for the best DDoS protection, the configuration should be
customized based on the customer environment.

Below is the Access test network used to test the recommendations suggested in the next section.

[Figure: Access test network. A SIPVicious host sits on the access SIP realm (172.16.101.0/24), facing an
SD HA pair (M00 and M10; NI .100, SIP .100, GW .1) that fronts a Registrar on the core SIP realm
(197.168.11.0/24). Test endpoints shown: polycom-video-2 (555-0909), tandberg-video-1 (555-0505),
polycom-video-3 (555-1010) and polycom-sip-6 (555-3131). Other subnets in the figure: 192.168.12.0/24,
172.16.125.0/24 and 172.16.124.0/24.]

3.1.1 SIP Manipulation Rule


In the first case described above, the SD can be configured to drop all messages that contain a User-Agent
header of friendly-scanner. One way to drop all packets sent from an endpoint running the SIPVicious
friendly-scanner is to use a combination of SIP Manipulation Rules with a dummy Session Agent.
This requires the configuration of a SIP Manipulation Rule, a dummy Session Agent, a SIP Response
Mapping, as well as modifying the ingress SIP Interface. Below is a flow diagram of how a SIP REGISTER
message with a User-Agent header of friendly-scanner will be dropped without responding to the sender.

[Figure: flow of a REGISTER message with User-Agent: friendly-scanner]
  1. The REGISTER (User-Agent: friendly-scanner) arrives on the access realm SIP Interface.
  2. Inbound SIP Manipulation Rule: if User-Agent is friendly-scanner, add a new Route header
     "<sip:10.12.13.14;lr>".
  3. The request is routed to the dummy Session Agent (hostname 10.12.13.14, state disabled,
     local-response-map 503Rogue); because the Session Agent is disabled, a 503 response is created.
  4. SIP Response Map 503Rogue maps the 503 to a new response code, 677 (Rogue), that can be dropped at
     the access SIP Interface.
  5. The access SIP Interface, with options dropResponse=677, drops all 677 responses, so nothing is
     returned to the sender.

Elements of Configuration:
Inbound SIP Manipulation Rule:
An inbound SIP Manipulation Rule needs to be created to modify any messages that contain a User-Agent
header of friendly-scanner. The manipulation rule adds a Route header pointing at a dummy Session Agent
to all messages whose User-Agent header starts with friend. This manipulation causes the resulting
message to be routed to the dummy Session Agent, which will respond with a 503.

sip-manipulation
    name                    addRouteHdr
    description
    split-headers
    join-headers
    header-rule
        name                isScanner
        header-name         User-Agent
        action              store
        comparison-type     pattern-rule
        msg-type            any
        methods
        match-value         ^friend.*
        new-value
    header-rule
        name                addNullRoute
        header-name         Route
        action              add
        comparison-type     boolean
        msg-type            request
        methods
        match-value         $isScanner.$0
        new-value           "<sip:10.12.13.14;lr>"
    last-modified-by        admin@172.41.1.64
    last-modified-date      2010-12-09 06:41:03

The access realm-config must also be modified to assign the SIP manipulation rule defined above as
an inbound manipulation.

realm-config
    identifier              access
    description             Serving all access endpoints
    .
    .
    .
    in-translationid
    out-translationid
    in-manipulationid       addRouteHdr
    .
    .

Session Agent:
A dummy Session Agent needs to be created with the state disabled. This is important so that a 503
response will be sent to any request sent to this Session Agent. The 503 response will then be mapped to a
new response code that can be easily dropped. To accomplish this, a SIP Response Mapping is created to
map any 503 from this Session Agent to a bogus 677 code. Any 677 responses can then be dropped at the
SIP Interface level without dropping any actual 503 responses. The SIP Response Mapping must be
assigned in the Session Agent as seen below.

session-agent
    hostname                10.12.13.14
    ip-address
    port                    5060
    state                   disabled
    app-protocol            SIP
    app-type
    transport-method        UDP
    realm-id                *
    .
    .
    .
    local-response-map      503Rogue
    .
    .
    .

SIP Response Mapping:


A SIP Response Mapping must be configured to map 503 responses from this Session Agent to a dummy
response code (677).
response-map
    last-modified-by        admin@console
    last-modified-date      2010-12-03 00:57:50
    name                    503Rogue
    entries                 503 -> 677 (Rogue)

SIP Interface:
All SIP interfaces that receive messages from a SIPVicious friendly-scanner require the option
dropResponse=677 to drop all 677 responses received from the dummy Session Agent.
sip-interface
    state                   enabled
    realm-id                access
    .
    .
    .
    options                 dropResponse=677
    .
    .
    .

3.1.2 Deny Offending User using DDoS Configuration


Another method of protection is to configure DDoS protection on the SD to deny endpoints sending
SIPVicious or other similar attacks. To accomplish this, the access-control-trust-level on the
access realm-config must be configured to low, to allow an untrusted user to be demoted to denied. With
this configured, the untrusted-signal-threshold parameter can then be configured to define the
threshold of SIP messages that may be received in the tolerance-window before an untrusted user will
be demoted to denied. This number should be set to a value that is greater than the number of messages
required by an untrusted endpoint to become trusted. When this threshold is exceeded, the endpoint will be
placed on the denied list for the amount of time defined in the deny-period. This period should be
determined based on the customer's needs.
Note: The following parameters should be customized to the customer's needs, based on expected call flows
and desired denial periods.
- untrusted-signal-threshold
- maximum-signal-threshold
- deny-period

realm-config
    identifier                  access
    description                 Serving all access endpoints
    .
    .
    .
    access-control-trust-level  low
    invalid-signal-threshold    1
    maximum-signal-threshold    4000
    untrusted-signal-threshold  5
    nat-trust-threshold         0
    deny-period                 120
    .
    .
    .

The following are media-manager configurations taken from the Basic DDoS Configuration for SIP Access
Environments BCP [2]. These values are for a NN4500 with CPU-1. The max-untrusted-signaling
parameter will limit the amount of untrusted traffic the SD will process.

media-manager
    state                       enabled
    .
    .
    .
    max-signaling-bandwidth     1152580
    max-untrusted-signaling     14
    min-untrusted-signaling     13
    app-signaling-bandwidth     0
    tolerance-window            30
    .
    .
    .
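As an added illustration (not code from the BCP or from the Session Director itself), the following Python models the two mechanisms of sections 3.1.1 and 3.1.2 together: the isScanner header-rule test on User-Agent, and the demotion of an untrusted endpoint to denied once more than untrusted-signal-threshold messages arrive inside one tolerance-window, using the sample values above. The promote hook, the action names and the sample messages are assumptions; how the real SD promotes an endpoint to trusted is not described on this page.

```python
import re
from collections import defaultdict, deque

# Parameter values taken from the BCP's sample configuration
UA_SCANNER_PATTERN = re.compile(r"^friend.*")  # header-rule isScanner match-value
UNTRUSTED_SIGNAL_THRESHOLD = 5                  # realm-config untrusted-signal-threshold
TOLERANCE_WINDOW = 30                           # media-manager tolerance-window (seconds)
DENY_PERIOD = 120                               # realm-config deny-period (seconds)

def user_agent(sip_msg):
    """Return the User-Agent header value of a raw SIP message ('' if absent)."""
    for line in sip_msg.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return ""

def matches_scanner_hmr(sip_msg):
    """The isScanner header-rule test: does the User-Agent start with 'friend'?"""
    return UA_SCANNER_PATTERN.match(user_agent(sip_msg)) is not None

class AccessRealmModel:
    """Toy model of an access realm with access-control-trust-level low."""
    def __init__(self):
        self.trusted = set()              # endpoints promoted to trusted
        self.deny_until = {}              # src -> time its deny-period ends
        self.recent = defaultdict(deque)  # src -> timestamps inside the tolerance-window

    def promote(self, src):
        """Assumed hook for an endpoint that has legitimately become trusted."""
        self.trusted.add(src)

    def handle(self, src, now, sip_msg):
        """Classify one message and return the action the model takes on it."""
        if matches_scanner_hmr(sip_msg):
            # HMR adds the null Route, the disabled session-agent answers 503,
            # 503Rogue maps it to 677 and dropResponse=677 silently discards it
            return "drop-677"
        if src in self.trusted:
            return "forward-trusted"
        if now < self.deny_until.get(src, 0):
            return "denied"
        window = self.recent[src]
        while window and now - window[0] > TOLERANCE_WINDOW:
            window.popleft()              # forget messages outside the window
        window.append(now)
        if len(window) > UNTRUSTED_SIGNAL_THRESHOLD:
            # threshold exceeded inside the tolerance-window: demote to denied
            self.deny_until[src] = now + DENY_PERIOD
            window.clear()
            return "denied"
        return "forward-untrusted"

# Constructed sample messages; the request-URI host is a placeholder
SCANNER_REGISTER = "REGISTER sip:sd.example SIP/2.0\r\nUser-Agent: friendly-scanner\r\n\r\n"
GENERIC_REGISTER = "REGISTER sip:sd.example SIP/2.0\r\nUser-Agent: Asterisk PBX\r\n\r\n"

def run_burst(model, src, start, count, msg, spacing=1):
    """Send count copies of msg from src, one every spacing seconds."""
    return [model.handle(src, start + i * spacing, msg) for i in range(count)]
```

A burst of generic REGISTERs from one untrusted source is forwarded until the sixth message within the window, which demotes the source for the deny-period; the same messages spaced wider than the tolerance-window never trip the threshold.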

3.2 Peering Environments

As noted earlier, this document will not focus much on SIPVicious attacks in SIP Peering Environments. In
these environments it is recommended to create static ACLs with a trust-level of high for all trusted peers.
The realm-config access-control-trust-level should also be set to high so that all traffic from
any endpoint that does not have an ACL will be denied.

realm-config
    identifier                  peer
    description
    .
    .
    .
    access-control-trust-level  high
    .
    .
    .

access-control
    realm-id                    peer
    description
    source-address              172.16.101.6
    destination-address         197.168.11.100
    application-protocol
    transport-protocol          ALL
    access                      permit
    average-rate-limit          0
    trust-level                 high

Normative References

[1] Acme Packet, BCP Denial of Service Configuration Guidelines, 520-0015-00, Jul 2006.
[2] Acme Packet, BCP Basic DDoS Configuration for SIP Access Environments, 520-0051-00, Jan 2011.


Author's Address

Patrick Manor
Acme Packet, Inc.
100 Crosby Dr
Bedford, MA 01730
email: pmanor@acmepacket.com


Disclaimer

The content in this document is for informational purposes only and is subject to change by Acme Packet
without notice. While reasonable efforts have been made in the preparation of this publication to assure its
accuracy, Acme Packet assumes no liability resulting from technical or editorial errors or omissions, or for
any damages resulting from the use of this information. Unless specifically included in a written agreement
with Acme Packet, Acme Packet has no obligation to develop or deliver any future release or upgrade or any
feature, enhancement or function.


Full Copyright Statement

Copyright (c) Acme Packet (2010). All rights reserved. Acme Packet, Session-Aware Networking, Net-Net
and related marks are trademarks of Acme Packet. All other brand names are trademarks or registered
trademarks of their respective companies.
This document and translations of it may be copied and furnished to others, and derivative works that
comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice,
disclaimer, and this paragraph are included on all such copies and derivative works. However, this document
itself may not be modified in any way, such as by removing the copyright notice or references to Acme
Packet or other referenced organizations, except as needed for the purpose of developing open standards.
The limited permissions granted above are perpetual and will not be revoked by Acme Packet or its
successors or assigns.
This document and the information contained herein is provided on an AS IS basis and ACME PACKET
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
