Guidelines
The Poly Phones Knowledge Base is live! We look forward to helping you with common issues and troubleshooting advice!
Locked

‎10-24-2014 09:53 AM

HP Recommended

SIPVicious and similar tools are claimed to be used to audit SIP based VoIP systems.

 

Whilst this is a legitimate usage most of the time they are used to brute force SIP servers or phones and then utilize the found information for toll fraud.

 

Polycom phones from factory can simply receive invites to their IP address and therefore ring once such INVITE is progressed.

 

Below Example shows such call to the IP of the Phone in Wireshark:

 

image 

 

Or via the Phone logs (log.level.change.sip="0" log.render.level="0"):

 

1024152724|sip  |0|03|<<<Packet Received
1024152724|sip  |0|03|    INVITE sip:1414160845@10.252.149.102 SIP/2.0
1024152724|sip  |0|03|Via: SIP/2.0/UDP 10.20.30.40;branch=z9hG4bK13579926;rport
1024152724|sip  |0|03|From: "Call 1" <sip:1414160845@10.20.30.40>;tag=as370e68ea
1024152724|sip  |0|03|To: <sip:3100@10.252.149.102>
1024152724|sip  |0|03|CSeq: 1 INVITE
1024152724|sip  |0|03|Call-ID:  1414160845@10.20.30.40:5060
1024152724|sip  |0|03|Contact: <sip:1414160845@10.20.30.40>
1024152724|sip  |0|03|Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
1024152724|sip  |0|03|User-Agent: Invite and Cancel Perl Script
1024152724|sip  |0|03|Accept-Language: en
1024152724|sip  |0|03|Supported: 100rel,replaces
1024152724|sip  |0|03|Allow-Events: talk,hold,conference
1024152724|sip  |0|03|Max-
1024152724|sip  |0|03|    Forwards: 70
1024152724|sip  |0|03|Content-Type: application/sdp

In the above example, a fictitious IP address of 10.20.30.40 was used.

 

Option 1:

 

A simple below configuration parameter should stop most anonymous calls and require that the INVITE is sent to the specific user in the registration.

<web voIpProt.SIP.strictUserValidation="1"/>

A phone is registered as 555@example.com

 

Only calls sent to 555@example.com in the request URI will ring.

 

Calls to unregistered lines like anonymous@example.com, 1000@example.com, or example.com will all be dropped

 

Option 2:

 

In order to add additional security the Admin Guides matching the currently used Software Version document the Incoming Signaling Validation.

 

You can choose from three optional levels of security for validating incoming network signaling:

 

  • Source IP address validation
  • Digest authentication
  • Source IP address validation and digest authentication

In the below configuration we choose to utilize the Source IP address validation:

 

 

<voIpProt.SIP.requestValidation voIpProt.SIP.requestValidation.1.method="source" voIpProt.SIP.requestValidation.1.request="INVITE" />

 

An incoming call that does not match the reg.1.server.1.address="" Value will receive a 400 Bad Request SIP Message from the phone.

 

Wireshark:

 

image

 

Or via the Phone logs (log.level.change.sip="0" log.render.level="0"):

 

1024153153|sip  |0|03|>>> Data Send to 10.20.30.40:5060
1024153153|sip  |0|03|    SIP/2.0 400 Bad Request
1024153153|sip  |0|03|    Via: SIP/2.0/UDP 10.20.30.40;branch=z9hG4bK13579926;rport
1024153153|sip  |0|03|    From: "Call 1" <sip:1414161114@10.20.30.40>;tag=as370e68ea
1024153153|sip  |0|03|    To: <sip:3100@10.252.149.102>;tag=A9A4BF00-FD048511
1024153153|sip  |0|03|    CSeq: 1 INVITE
1024153153|sip  |0|03|    Call-ID: 1414161114@10.20.30.40:5060
1024153153|sip  |0|03|    User-Agent: PolycomSoundPointIP-SPIP_550-UA/4.0.4.2906
1024153153|sip  |0|03|    Accept-Language: en
1024153153|sip  |0|03|    Content-Length: 0

 

An example configuration file is attached which can be imported via the Web Interface as explained => here <= if running UC Software 4.0.0 or later or use a provisioning server as explained => here <=

------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.

Please also ensure you always check the General VoIP , Video Endpoint , UC Platform (Microsoft) , PSTN
strictUserValidation.zip
requestValidation_source.zip
Category:
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.
Didn't find what you were looking for? Ask the community
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the <a href="https://www8.hp.com/us/en/terms-of-use.html" class="udrlinesmall">Terms of Use</a> and <a href="/t5/custom/page/page-id/hp.rulespage" class="udrlinesmall"> Rules of Participation</a>.