Hi,
I have been running a couple of Asterisk honeypots to get a better understanding of the tools and methods potential hackers are using to exploit SIP servers.
I have observed many attacks from the 'sipcli' user agent that don't send ACKs.
At this stage I'm not sure what they're trying to achieve, whether it's a successful call to one of their test numbers, or maybe they will brute force anything that returns a 401 later, or maybe they're waiting for a 18X response.
Below are three typical scenarios:
------ INVITE ------ >
<--- 100 Trying ---
<----- 200 OK -----
<----- 200 OK -----
<----- 200 OK -----
( No ACK)
------ INVITE ------ >
<-------- 503 --------
<-------- 503 --------
<-------- 503 --------
( No ACK)
------ INVITE ------ >
<-------- 401 --------
<-------- 401 --------
<-------- 401 --------
( No ACK)
Please could anyone point me in the right direction to detect these non-completed calls with a missing ACK in Kamailio? I am unsure of the terminology I should be using to search the online documentation.
Thanks
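As an added illustration of the detection logic the post is asking about (this is not from the original post, nor Kamailio's own code): the three scenarios above are all INVITE transactions that received a final response (2xx, 401 or 503) but never received an ACK. The script below reconstructs that state offline from a SIP message trace. Transactions are keyed on Call-ID plus the numeric part of CSeq, which works for both the non-2xx ACK (same transaction) and the 2xx ACK (a separate transaction per RFC 3261, but still carrying the INVITE's CSeq number). The trace, the `honeypot.example` host, the `sipcli/v1.8` and `Well-Behaved-UA/1.0` user agents and the addresses are all constructed sample data; repeated final responses are counted because retransmission of the final response is itself the server's reaction to the missing ACK. Wiring this into a Kamailio config is a separate step not shown here.

```python
"""Offline detector for INVITE transactions that got a final response but no ACK.

Added example, not from the original post. The trace below is constructed
sample data modelled on the three scenarios in the post plus one well-behaved call.
"""
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3})(?: .*)?$")


def parse_message(raw):
    """Parse the start line and headers of one SIP message into a small dict."""
    lines = raw.strip().splitlines()
    start = lines[0].strip()
    req, resp = REQUEST_LINE.match(start), STATUS_LINE.match(start)
    if not (req or resp):
        raise ValueError("not a SIP start line: %r" % start)
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cseq_num, _, cseq_method = headers.get("cseq", "").partition(" ")
    return {
        "status": int(resp.group(1)) if resp else None,
        # responses carry the request method only in CSeq
        "method": req.group(1) if req else cseq_method.strip(),
        "call_id": headers.get("call-id"),
        "cseq": int(cseq_num) if cseq_num.isdigit() else None,
        "user_agent": headers.get("user-agent"),
    }


def find_unacked_invites(messages):
    """Return {(call_id, cseq): info} for INVITEs with a final response and no ACK."""
    tx = {}
    for raw in messages:
        msg = parse_message(raw)
        key = (msg["call_id"], msg["cseq"])
        if msg["status"] is None and msg["method"] == "INVITE":
            tx[key] = {"user_agent": msg["user_agent"], "final": None,
                       "final_count": 0, "acked": False}
        elif msg["status"] is not None and msg["method"] == "INVITE" and key in tx:
            if msg["status"] >= 200:          # 1xx replies are never ACKed
                tx[key]["final"] = msg["status"]
                tx[key]["final_count"] += 1   # retransmissions mean "still no ACK"
        elif msg["status"] is None and msg["method"] == "ACK" and key in tx:
            tx[key]["acked"] = True
    return {k: v for k, v in tx.items() if v["final"] is not None and not v["acked"]}


# --- constructed sample trace (hypothetical host, addresses and user agents) ---
def _req(method, call_id, cseq, ua="sipcli/v1.8"):
    return (f"{method} sip:1000@honeypot.example SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK{call_id}\r\n"
            f"From: <sip:100@203.0.113.5>;tag=a{cseq}\r\n"
            f"To: <sip:1000@honeypot.example>\r\n"
            f"Call-ID: {call_id}\r\nCSeq: {cseq} {method}\r\n"
            f"User-Agent: {ua}\r\n\r\n")


def _resp(code, reason, call_id, cseq):
    return (f"SIP/2.0 {code} {reason}\r\n"
            f"Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK{call_id}\r\n"
            f"Call-ID: {call_id}\r\nCSeq: {cseq} INVITE\r\n\r\n")


SAMPLE_TRACE = (
    [_req("INVITE", "call-1", 1), _resp(100, "Trying", "call-1", 1)]
    + [_resp(200, "OK", "call-1", 1)] * 3                      # scenario 1, no ACK
    + [_req("INVITE", "call-2", 1)]
    + [_resp(503, "Service Unavailable", "call-2", 1)] * 3     # scenario 2, no ACK
    + [_req("INVITE", "call-3", 1)]
    + [_resp(401, "Unauthorized", "call-3", 1)] * 3            # scenario 3, no ACK
    + [_req("INVITE", "call-4", 1, ua="Well-Behaved-UA/1.0"),  # normal call, ACKed
       _resp(200, "OK", "call-4", 1),
       _req("ACK", "call-4", 1, ua="Well-Behaved-UA/1.0")]
)

if __name__ == "__main__":
    for (call_id, cseq), info in find_unacked_invites(SAMPLE_TRACE).items():
        print(f"{call_id} cseq={cseq} ua={info['user_agent']} "
              f"final={info['final']} x{info['final_count']} no ACK")
```

Run against a real capture, the same grouping by Call-ID and CSeq number is what to look for; the interesting signal for the honeypot question is the user agent and final code of every key this function returns, and the retransmission count tells you how long the server waited.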