SIP scanning going on again, probably related to the security advisory "Suspected telephone misuse in fritzbox systems".
My Internet provider xs4all uses fritz!box devices by default and I already
heard about one case of abuse.
The probe as decoded by tshark (verbose output; the destination address is masked):
Frame 376 (457 bytes on wire, 457 bytes captured)
    Arrival Time: Feb 5, 2014 18:00:07.447662000
    [Time delta from previous captured frame: 36.927214000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 6100.139111000 seconds]
    Frame Number: 376
    Frame Length: 457 bytes
    Capture Length: 457 bytes
    [Frame is marked: False]
    [Protocols in frame: sll:ip:udp:sip]
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src: 188.138.41.34 (188.138.41.34), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 441
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 53
    Protocol: UDP (0x11)
    Header checksum: 0x475e [correct]
        [Good: True]
        [Bad : False]
    Source: 188.138.41.34 (188.138.41.34)
    Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
User Datagram Protocol, Src Port: 5079 (5079), Dst Port: sip (5060)
    Source port: 5079 (5079)
    Destination port: sip (5060)
    Length: 421
    Checksum: 0xc761 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Session Initiation Protocol
    Request-Line: OPTIONS sip:100@xxx.xxx.xxx.xxx SIP/2.0
        Method: OPTIONS
        [Resent Packet: False]
    Message Header
        Via: SIP/2.0/UDP 62.75.212.215:5079;branch=z9hG4bK-1039150734;rport
            Transport: UDP
            Sent-by Address: 62.75.212.215
            Sent-by port: 5079
            Branch: z9hG4bK-1039150734
            RPort: rport
        Content-Length: 0
        From: "sipvicious"<sip:100@1.1.1.1>;tag=3532356663346361313363340132393433303934303439
            SIP Display info: "sipvicious"
            SIP from address: sip:100@1.1.1.1
            SIP tag: 3532356663346361313363340132393433303934303439
        Accept: application/sdp
        User-Agent: friendly-scanner
        To: "sipvicious"<sip:100@1.1.1.1>
            SIP Display info: "sipvicious"
            SIP to address: sip:100@1.1.1.1
        Contact: sip:100@62.75.212.215:5079
            Contact Binding: sip:100@62.75.212.215:5079
                URI: sip:100@62.75.212.215:5079\r
                    SIP contact address: sip:100@62.75.212.215:5079\r
        CSeq: 1 OPTIONS
            Sequence Number: 1
            Method: OPTIONS
        Call-ID: 37933976157019277147119
        Max-Forwards: 70
The IP-layer source was 188.138.41.34, in Plusserver AG address space. The Via and Contact headers instead point at 62.75.212.215, a different IPv4 range at Plusserver AG. That is worth noting because the sent-by address in a SIP Via is written by the sender and need not match the address the packet actually came from; a SIP stack that trusts it will direct traffic wherever the scanner says. The From/To display name "sipvicious", the User-Agent "friendly-scanner", the placeholder From/To URI sip:100@1.1.1.1 and the Request-URI extension 100 are the defaults of the SIPVicious svmap OPTIONS sweep: any device that answers the OPTIONS with a 200 OK is recorded as a live SIP endpoint and becomes a candidate for the follow-up extension and password guessing that leads to the kind of telephone misuse the advisory describes.
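As an added example (not code from the original post), the following Python script parses a raw SIP request, checks it for the SIPVicious signatures visible in the capture above, and reports whether the Via sent-by address agrees with the IP-layer source. The probe is retyped from the capture as a constructed byte string with the masked destination replaced by the RFC 5737 documentation address 192.0.2.10; the second, "benign" OPTIONS request and its User-Agent string are made up for contrast.

```python
"""Detect SIPVicious-style OPTIONS probes in raw SIP requests.

Added example (not from the original post): a small SIP request parser plus
a classifier that checks the signatures visible in the capture above and
compares the Via sent-by address with the IP-layer source address.
"""
import re

# Signatures seen in the probe above (defaults of the SIPVicious svmap tool).
SCANNER_USER_AGENTS = {"friendly-scanner"}
SCANNER_DISPLAY_NAMES = {"sipvicious"}


def parse_sip_request(raw: bytes) -> dict:
    """Split a SIP request into method, Request-URI and a header dict.

    Header names are lower-cased; values are kept in a list so repeated
    headers (e.g. several Via lines) are not lost. Folded continuation lines
    are not handled, which is fine for scanner probes like the one above.
    """
    text = raw.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"^(\S+)\s+(\S+)\s+SIP/2\.0$", lines[0])
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": m.group(1), "request_uri": m.group(2),
            "headers": headers, "body": body}


def via_sent_by(via: str) -> str:
    """Return the sent-by host from 'SIP/2.0/UDP host[:port];params'."""
    m = re.match(r"^SIP/2\.0/\w+\s+([^;\s]+)", via)
    if not m:
        raise ValueError("malformed Via: %r" % via)
    hostport = m.group(1)
    # IPv4 or hostname only; an IPv6 literal would need bracket handling.
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def display_name(addr: str) -> str:
    """Return the quoted display name of a From/To value, or '' if none."""
    m = re.match(r'^"([^"]*)"', addr)
    return m.group(1) if m else ""


def classify(raw: bytes, src_ip: str) -> dict:
    """Classify one request received from IP-layer source src_ip.

    'scanner' is set only on content signatures. The Via/source comparison is
    reported separately: NATed phones produce a mismatch legitimately, so on
    its own it is a hint, not a verdict.
    """
    req = parse_sip_request(raw)
    h = req["headers"]
    signatures = []
    ua = h.get("user-agent", [""])[0]
    if ua.lower() in SCANNER_USER_AGENTS:
        signatures.append("user-agent=" + ua)
    for field in ("from", "to"):
        if display_name(h.get(field, [""])[0]).lower() in SCANNER_DISPLAY_NAMES:
            signatures.append(field + "-display=sipvicious")
    sent_by = via_sent_by(h["via"][0])
    return {
        "method": req["method"],
        "scanner": bool(signatures),
        "signatures": signatures,
        "via_host": sent_by,
        "via_matches_source": sent_by == src_ip,
    }


# The probe from the capture above, retyped as a constructed byte string; the
# masked destination is replaced by the RFC 5737 documentation address.
SAMPLE_PROBE = (
    b"OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 62.75.212.215:5079;branch=z9hG4bK-1039150734;rport\r\n"
    b"Content-Length: 0\r\n"
    b'From: "sipvicious"<sip:100@1.1.1.1>;tag=3532356663346361313363340132393433303934303439\r\n'
    b"Accept: application/sdp\r\n"
    b"User-Agent: friendly-scanner\r\n"
    b'To: "sipvicious"<sip:100@1.1.1.1>\r\n'
    b"Contact: sip:100@62.75.212.215:5079\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Call-ID: 37933976157019277147119\r\n"
    b"Max-Forwards: 70\r\n"
    b"\r\n"
)
SAMPLE_SRC_IP = "188.138.41.34"

# A constructed, unremarkable OPTIONS keep-alive from a phone for contrast;
# the User-Agent string is made up for this example.
BENIGN_OPTIONS = (
    b"OPTIONS sip:192.0.2.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK776asdhds;rport\r\n"
    b"From: <sip:alice@example.net>;tag=1928301774\r\n"
    b"To: <sip:192.0.2.10>\r\n"
    b"Call-ID: a84b4c76e66710\r\n"
    b"CSeq: 63104 OPTIONS\r\n"
    b"Max-Forwards: 70\r\n"
    b"User-Agent: Example-Phone/1.0\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw, src in (("probe", SAMPLE_PROBE, SAMPLE_SRC_IP),
                            ("phone", BENIGN_OPTIONS, "192.0.2.20")):
        print(label, classify(raw, src))
```

Run against the captured probe this reports all three content signatures and a Via host (62.75.212.215) that differs from the packet's source (188.138.41.34); the constructed phone request reports no signatures and a matching Via. In a real deployment the source IP would come from the capture or the socket, not from a constant, and the content signatures are only useful against scanners that keep the SIPVicious defaults.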