An Introduction to the Simwood SIP Honeypots

Simon Woodhead

Simon Woodhead

1st September 2011

Last week we introduced you to our Darknet which is doing an excellent job in identifying sources and types of general dirty traffic on the Internet to feed into our Security Services. Honeypots are another critical component.

What is a Honeypot?

A Honeypot is a system configured to look and behave like a production service, in this case a SIP proxy, for the purposes of capturing data on attempted security intrusions, their perpetrators and methods. They are also typically made easier to compromise than production equipment in order to focus attention.

Our SIP Honeypots

Our Honeypots sit amongst our production gateways and proxies and look identical to an attacker. Genuine customers configured correctly will never come into contact with them but anyone scanning the Simwood Network for SIP vulnerabilities will. They are configured to be compromised with very easy to guess passwords and when compromised will appear to complete any attempted calls. At every stage all network traffic is captured and any audio passed is recorded, both for the purposes of law enforcement and analysis.

A major motivation for us moving into the security space was the level of dictionary REGISTER attempts we saw against production SIP equipment – 10-20 events per day each of several thousand user/password combinations per production machine. They were pretty easy to notice.

In analysing Honeypot traffic we have firstly ignored traffic from mal-configured customers – whilst only a handful of addresses are involved, these substantially skew the results so have been removed. Further, we’re looking at a Honeypot which sits behind our IP Reputation and DDoS stack. Together these have all but eliminated the dictionary REGISTER attempts on the production network by blocking known offenders before they enter the network. The primary goal of the Honeypot is to identify new potential offenders and feed the data into the other systems to prevent mischief in the future. Finally, we’re interested only in SIP traffic here – general dirty noise is left to the Darknet to observe.


Darknet events over 24 hours

In contrast to the Darknet where we were amazed at the scale of bad traffic (see above), the first lesson from the Honeypots is that the devil is in the detail. Stripping out all the known offenders and noise we’re left with a fairly unspectactular level of traffic but one which makes interesting reading. Below is a snapshot of our real-time map of sources for the last 24 hours – you’ll note there’s relatively few.

Honeypot SIP events after filtering noise

Generally speaking these all originate from dedicated server / VPS providers who we’ll refrain from naming and shaming just yet. Mostly a single IP address is involved but in some cases we’ve seen over recent weeks a few are involved, all generally on the same subnet from the same provider for the same ‘attack’. As dedicated servers require contracts, payments and configuration we generally expect these IP addresses to hang around a little bit longer than the average botnet participant for example.

The other observation is that this traffic would be all but undetectable on a production system. We used to think the REGISTER scans were the attempted intrusion but it is apparent that these are some way through the process and the brute-force types mentioned above are the exception.

Typically a scan will start with a single OPTIONS request – just one! That is a single request which appears to determine the succession of the attack. On equipment which does not respond the scanner moves on and that one request is all we hear of them. On equipment which does respond we’ll subsequently see one of two things, often both –  REGISTER attempts and INVITEs. Generally these are at a low level and suggest two different kinds of attacker, the former using a scanner such as SIPVicious, the latter involving more human intervention through eyeBeam or similar. In both cases these can be several hours after the successful OPTIONS request.

We’ll be monitoring at both the IP level and the telephony level and reporting going forwards. Meanwhile the key takeaway here is that SIP based attacks are not all brute force and obvious. They start with an imperceptible level of traffic but that is sufficient for the Honeypot to capture them and feed the findings through to our IP Reputation solution to protect our customers and ourselves from subsequent mis-behaviour.




Related posts