SANS ISC: Canada Calling - SANS Internet Storm Center SANS ISC InfoSec Forums

Canada Calling

A reader wrote in to ask about the uptick in port 5060 activity (visible here:

Looking at my own sensors, I saw the traffic yesterday for about an hour as an IP address out of Canada swept through my network with packets destined for UDP/5060.  These were SIP requests searching for an open VoIP system. 

UDP packets can be spoofed, but this appears to be scanning activity so the attacker is going to expect a reply, so I'm fairly confident that the source IP is legitimate.  This activity is likely tied to recent criminal enterprises intent on compromising vulnerable VoIP systems that can be later used to distribute vishing messages or even host vishing sites.

Kevin Liston

ISC Handler
Feb 13th 2009
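A sweep like the one described in this diary, one source touching many hosts on UDP/5060 within about an hour, can be picked out of flow or firewall records with a sliding-window count of distinct destinations per source. The sketch below is an added example and is not part of the original diary; the record format, the addresses (documentation ranges), the sample data and the thresholds are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def parse(line):
    """Parse 'ISO-time PROTO SRC DST DPORT' (assumed format); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (datetime.fromisoformat(parts[0]), parts[1].upper(),
                parts[2], parts[3], int(parts[4]))
    except ValueError:
        return None

def find_sip_sweeps(lines, min_targets=10, window=timedelta(hours=1)):
    """Return {src: peak count of distinct UDP/5060 destinations in any one window}."""
    by_src = defaultdict(list)
    for ts, proto, src, dst, dport in filter(None, map(parse, lines)):
        if proto == "UDP" and dport == 5060:
            by_src[src].append((ts, dst))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        in_window, left, peak = Counter(), 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that have aged out of the window ending at ts.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:  # threshold is an assumption; tune per network
            sweeps[src] = peak
    return sweeps

# Constructed sample: one source sweeping 20 hosts, one phone re-registering
# with a single PBX, unrelated TCP traffic, and a malformed line.
SAMPLE = [f"2009-02-12T14:00:{i:02d} UDP 198.51.100.7 192.0.2.{i + 1} 5060" for i in range(20)]
SAMPLE += [f"2009-02-12T14:{m:02d}:00 UDP 192.0.2.50 192.0.2.10 5060" for m in range(0, 60, 5)]
SAMPLE += ["2009-02-12T14:30:00 TCP 203.0.113.9 192.0.2.1 80", "garbage line"]

if __name__ == "__main__":
    for src, n in find_sip_sweeps(SAMPLE).items():
        print(f"{src} probed {n} distinct hosts on UDP/5060")
```

Counting distinct destinations rather than packets keeps a busy but legitimate SIP endpoint, which talks to one or two servers, below the threshold.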