Honeypot
By adding the following rules on the Brekeke SIP Server admintool > [Dial Plan] > [Preliminary] page, you can set up a SIP honeypot (a “VoIP Honeypot”) to deter malicious activities such as SPIT (SPam over Internet Telephony), TDoS (Telephony Denial-of-Service), fuzzing and war dialing.
With “$action = block” in [Deploy Patterns], Brekeke SIP Server blocks every incoming SIP request that matches the rule and adds its source IP address to the Blocked IP Address database.
Example-1:
In this example, “100” is used as the honeypot’s dummy user name. Any SIP request addressed to “100” is treated as an attack.
---------------------
[Matching Patterns]
To = sip:100@
[Deploy Patterns]
$action = block
---------------------
Example-2:
Block a SIP request if its User-Agent header indicates “Attacking Tool” ($str.lowercase makes the comparison case-insensitive).
---------------------
[Matching Patterns]
$str.lowercase(User-Agent) = attacking tool
[Deploy Patterns]
$action = block
---------------------
Example-3:
Block a SIP request if it was sent from outside the 10.1.1.0 – 10.1.2.0 address range.
---------------------
[Matching Patterns]
$addrRange( "10.1.1.0", "10.1.2.0" ) = false
[Deploy Patterns]
$action = block
---------------------
Example-4:
Block a SIP request if it is an OPTIONS request sent from a global (public) IP address.
---------------------
[Matching Patterns]
$request = ^OPTIONS
$globaladdr($addr) = true
[Deploy Patterns]
$action = block
---------------------
Example-5:
Block a REGISTER request whose username is not 4 digits long.
In other words, the SIP server accepts 4-digit usernames only.
---------------------
[Matching Patterns]
$request = ^REGISTER
To = !sip:[0-9][0-9][0-9][0-9]@
[Deploy Patterns]
$action = block
---------------------
Example-6:
Block a SIP INVITE request if the dialed number starts with 011. Attackers commonly try to place calls to international numbers using the 011 prefix.
---------------------
[Matching Patterns]
$request = ^INVITE
To = sip:011.+@
[Deploy Patterns]
$action = block
---------------------
Example-7:
Block SIP packets if the transport is not TLS.
---------------------
[Matching Patterns]
$transport = !TLS
[Deploy Patterns]
$action = block
---------------------
Example-8:
Block SIP packets sent by Nmap’s SIP probe, which carries the fixed From, To and Call-ID values below.
---------------------
[Matching Patterns]
$request = ^OPTIONS
From = sip:nm@nm
To = sip:nm2@nm2
Call-ID = 50000
[Deploy Patterns]
$action = block
---------------------
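To check what each of these rules would block before deploying them, the following added Python simulation (not Brekeke’s code) replays the eight rule sets above against constructed SIP requests. It assumes that a Brekeke pattern is an unanchored regular-expression search with a leading “!” negating the match, and models $globaladdr() as “not RFC1918, loopback or link-local”; the sample requests and addresses are constructed, not captured traffic.

```python
import ipaddress
import re

# Assumption: $globaladdr() is modelled as "not RFC1918, loopback or link-local".
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
           "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
def is_global(addr):
    return not any(ipaddress.ip_address(addr) in net for net in PRIVATE)
def in_range(addr, low, high):  # models $addrRange(low, high)
    return ipaddress.ip_address(low) <= ipaddress.ip_address(addr) <= ipaddress.ip_address(high)
def matches(value, pattern):
    # Assumption: a pattern is an unanchored regex search; a leading '!' negates it.
    negate = pattern.startswith("!")
    return (re.search(pattern.lstrip("!"), value) is not None) != negate

# The eight rules from this page: (name, {field: pattern}, source-address predicate or None).
RULES = [
    ("Example-1", {"To": "sip:100@"}, None),
    ("Example-2", {"$str.lowercase(User-Agent)": "attacking tool"}, None),
    ("Example-3", {}, lambda a: not in_range(a, "10.1.1.0", "10.1.2.0")),
    ("Example-4", {"$request": "^OPTIONS"}, is_global),
    ("Example-5", {"$request": "^REGISTER", "To": "!sip:[0-9][0-9][0-9][0-9]@"}, None),
    ("Example-6", {"$request": "^INVITE", "To": "sip:011.+@"}, None),
    ("Example-7", {"$transport": "!TLS"}, None),
    ("Example-8", {"$request": "^OPTIONS", "From": "sip:nm@nm",
                   "To": "sip:nm2@nm2", "Call-ID": "50000"}, None),
]

def parse_sip(raw):
    # Split a SIP request into its request line ($request) and header fields.
    lines = raw.strip().splitlines()
    msg = {"$request": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg[name.strip()] = value.strip()
    msg["$str.lowercase(User-Agent)"] = msg.get("User-Agent", "").lower()
    return msg

def blocking_rules(raw, src_addr, transport):
    # Names of the rules whose [Matching Patterns] all hold, i.e. that would block the request.
    msg = parse_sip(raw)
    msg["$transport"] = transport
    return [name for name, patterns, addr_check in RULES
            if all(matches(msg.get(f, ""), p) for f, p in patterns.items())
            and (addr_check is None or addr_check(src_addr))]

# Constructed sample requests (not captured traffic).
LEGIT_REGISTER = ("REGISTER sip:pbx.example.com SIP/2.0\nTo: <sip:1001@pbx.example.com>\n"
                  "From: <sip:1001@pbx.example.com>\nUser-Agent: DeskPhone/1.0\nCall-ID: reg-1")
NMAP_OPTIONS = "OPTIONS sip:nm SIP/2.0\nFrom: sip:nm@nm\nTo: sip:nm2@nm2\nCall-ID: 50000"
```

Running `blocking_rules(LEGIT_REGISTER, "10.1.1.25", "TLS")` returns an empty list, while `blocking_rules(NMAP_OPTIONS, "198.51.100.7", "UDP")` is caught by Example-3, 4, 7 and 8 at once, which shows how the rules overlap on a single scanner probe.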