All,
Here is a sample of 2 spoofed VoIP/SIP packets. As you see, this packet appears crafted to
solicit an error message from a SIP-based VoIP server behind the tunnel. This particular
traffic came from AMPRGW; but (as I've noted) I see rogue traffic from operators as
well. Times are UTC:
20:32:32.489281 IP (tos 0x0, ttl 53, id 38790, offset 0, flags [none], proto IPIP (4), length 450)
    169.228.34.84 > 71.178.206.102: IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 430)
    194.55.132.250.5098 > 44.60.44.1.5060: [udp sum ok] SIP, length: 402
        INVITE sip:100@44.60.44.1 SIP/2.0
        Via: SIP/2.0/UDP 127.0.0.1:5098;branch=z9hG4bK-2583203840;rport
        Content-Length: 0
        From: "sipvicious"<sip:100@1.1.1.1>;tag=3263336332633031313363340133333730373737313235
        Accept: application/sdp
        User-Agent: friendly-scanner
        To: "sipvicious"<sip:100@1.1.1.1>
        Contact: sip:100@127.0.0.1:5098
        CSeq: 1 INVITE
        Call-ID: 1165477011722833972303821
        Max-Forwards: 70

20:32:32.489429 IP (tos 0x0, ttl 53, id 50088, offset 0, flags [none], proto IPIP (4), length 449)
    169.228.34.84 > 71.178.206.102: IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 429)
    194.55.132.250.5098 > 44.60.44.2.5060: [udp sum ok] SIP, length: 401
        INVITE sip:100@44.60.44.2 SIP/2.0
        Via: SIP/2.0/UDP 127.0.0.1:5098;branch=z9hG4bK-3385379125;rport
        Content-Length: 0
        From: "sipvicious"<sip:100@1.1.1.1>;tag=3263336332633032313363340134313435373433363337
        Accept: application/sdp
        User-Agent: friendly-scanner
        To: "sipvicious"<sip:100@1.1.1.1>
        Contact: sip:100@127.0.0.1:5098
        CSeq: 1 INVITE
        Call-ID: 710126403977583954741903
        Max-Forwards: 70
This is a spoofed ICMP message - appearing to reject a GRE connection attempt sent from
me. It appears to be backscatter, or malicious traffic crafted to solicit my gateway to
generate rejection traffic. Obviously, I did not attempt to connect to a GRE tunnel from
my AMPRLAN IP:
18:58:42.000423 IP (tos 0x0, ttl 53, id 51481, offset 0, flags [none], proto IPIP (4), length 596)
    169.228.34.84 > 71.178.206.102: IP (tos 0x0, ttl 51, id 7873, offset 0, flags [none], proto ICMP (1), length 576)
    85.25.5.43 > 44.60.44.15: ICMP 85.25.5.43 protocol 47 unreachable, length 556
        IP (tos 0x0, ttl 118, id 29947, offset 0, flags [none], proto GRE (47), length 980)
        44.60.44.15 > 85.25.5.43: GREv1, Flags [key present, sequence# present], call 37065, seq 2146734303, length 960
        unknown PPP protocol (0x004b)
Again, only IPs listed in the DNS zone were attempted.
73,
- Lynwood
KB3VWG
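A defender-side check for the pattern in the two INVITEs above, added here as an example and not code from the post or from the AMPRNet project: it parses the SIP headers as tcpdump printed them and returns the reasons a request looks like a spoofed scanner probe (scanner User-Agent, a Via host that differs from the IP source, loopback addresses in Via or Contact). SAMPLE_INVITE is the first packet's SIP text re-joined one header per line; the "friendly-scanner" and "sipvicious" strings are the ones the post shows.

```python
import ipaddress
import re

SCANNER_AGENTS = ("friendly-scanner", "sipvicious")  # SIPVicious strings seen above

# First INVITE from the post, re-joined one header per line (constructed input).
SAMPLE_INVITE = """INVITE sip:100@44.60.44.1 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5098;branch=z9hG4bK-2583203840;rport
Content-Length: 0
From: "sipvicious"<sip:100@1.1.1.1>;tag=3263336332633031313363340133333730373737313235
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"<sip:100@1.1.1.1>
Contact: sip:100@127.0.0.1:5098
CSeq: 1 INVITE
Call-ID: 1165477011722833972303821
Max-Forwards: 70"""

def parse_sip(text):
    """Return (method, request-URI, {lower-cased header name: value})."""
    lines = [l for l in text.splitlines() if l.strip()]
    method, uri = lines[0].split()[:2]
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (l.partition(":") for l in lines[1:])}
    return method, uri, headers

def host_of(value):
    """Host from a sip: URI or from a Via value; '' if neither form matches."""
    m = (re.search(r"sip:[^@>\s;]*@([^:;>\s]+)", value)
         or re.search(r"/(?:UDP|TCP|TLS)\s+([^:;\s]+)", value, re.I))
    return m.group(1) if m else ""

def scanner_indicators(ip_src, sip_text):
    """Reasons a request looks like a spoofed scanner probe ([] if none); ip_src is the IP-header source."""
    _method, _uri, h = parse_sip(sip_text)
    reasons = []
    ua = h.get("user-agent", "")
    if any(tag in ua.lower() for tag in SCANNER_AGENTS):
        reasons.append(f"scanner User-Agent: {ua}")
    via_host = host_of(h.get("via", ""))
    if via_host and via_host != ip_src:     # Via does not match where the packet came from
        reasons.append(f"Via host {via_host} != IP source {ip_src}")
    for name in ("via", "contact"):         # loopback can never be reached by a reply
        host = host_of(h.get(name, ""))
        try:
            if ipaddress.ip_address(host).is_loopback:
                reasons.append(f"{name} points at loopback {host}")
        except ValueError:                  # hostname, not an address literal
            pass
    return reasons
```

Run over the post's first packet (IP source 194.55.132.250) it returns four reasons; a well-formed INVITE whose Via matches its source returns none.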