SIP scanning going on again, probably related to Security advisory: suspected telephone misuse in fritzbox systems. My Internet provider xs4all uses fritz!box devices by default and I already heard about one case of abuse. The SIP scan in tshark:Frame 376 (457 bytes on wire, 457 bytes captured) Arrival Time: Feb 5, 2014 18:00:07.447662000 [Time delta from previous captured frame: 36.927214000 seconds] [Time delta from previous displayed frame: 0.000000000 seconds] [Time since reference or first frame: 6100.139111000 seconds] Frame Number: 376 Frame Length: 457 bytes Capture Length: 457 bytes [Frame is marked: False] [Protocols in frame: sll:ip:udp:sip] Linux cooked capture Packet type: Unicast to us (0) Link-layer address type: 512 Link-layer address length: 0 Source: <MISSING> Protocol: IP (0x0800) Internet Protocol, Src: 188.138.41.34 (188.138.41.34), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 441 Identification: 0x0000 (0) Flags: 0x04 (Don't Fragment) 0... = Reserved bit: Not set .1.. = Don't fragment: Set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 53 Protocol: UDP (0x11) Header checksum: 0x475e [correct] [Good: True] [Bad : False] Source: 188.138.41.34 (188.138.41.34) Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) User Datagram Protocol, Src Port: 5079 (5079), Dst Port: sip (5060) Source port: 5079 (5079) Destination port: sip (5060) Length: 421 Checksum: 0xc761 [correct] [Good Checksum: True] [Bad Checksum: False] Session Initiation Protocol Request-Line: OPTIONS sip:100@xxx.xxx.xxx.xxx SIP/2.0 Method: OPTIONS [Resent Packet: False] Message Header Via: SIP/2.0/UDP 62.75.212.215:5079;branch=z9hG4bK-1039150734;rport Transport: UDP Sent-by Address: 62.75.212.215 Sent-by port: 5079 Branch: z9hG4bK-1039150734 RPort: rport Content-Length: 0 From: "sipvicious"<sip:100@1.1.1.1>;tag=3532356663346361313363340132393433303934303439 SIP Display info: "sipvicious" SIP from address: sip:100@1.1.1.1 SIP tag: 3532356663346361313363340132393433303934303439 Accept: application/sdp User-Agent: friendly-scanner To: "sipvicious"<sip:100@1.1.1.1> SIP Display info: "sipvicious" SIP to address: sip:100@1.1.1.1 Contact: sip:100@62.75.212.215:5079 Contact Binding: sip:100@62.75.212.215:5079 URI: sip:100@62.75.212.215:5079\r SIP contact address: sip:100@62.75.212.215:5079\r CSeq: 1 OPTIONS Sequence Number: 1 Method: OPTIONS Call-ID: 37933976157019277147119 Max-Forwards: 70Source IPv4 was 188.138.41.34, Plusserver AG. Interesting pointer at IPv4 address 62.75.212.215, a different IPv4 range at Plusserver AG.