Hi, I have been running a couple of Asterisk honey pots to get a better understanding of the tools and methods potential hackers are using to exploit SIP servers.
I have observed many attacks from the 'sipcli' user agent that don't send ACKs. At this stage I'm not sure what they're trying to achieve: whether it's a successful call to one of their test numbers, or maybe they will brute force anything that returns a 401 later, or maybe they're waiting for a 18X response. Below are three typical scenarios:

    ------ INVITE ------>
    <--- 100 Trying ---
    <----- 200 OK -----
    <----- 200 OK -----
    <----- 200 OK -----
    (No ACK)

    ------ INVITE ------>
    <-------- 503 --------
    <-------- 503 --------
    <-------- 503 --------
    (No ACK)

    ------ INVITE ------>
    <-------- 401 --------
    <-------- 401 --------
    <-------- 401 --------
    (No ACK)

Please could anyone point me in the right direction to detect these non-completed calls with a missing ACK in Kamailio? I am unsure of the terminology I should be using to search the online documentation. Thanks
_______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users