Analysis of SIP-Based Threats Using a VoIP Honeynet System

Bibliographic details
Main authors: Hoffstadt, D., Marold, A., Rathgeb, E. P.
Format: Conference proceedings
Language: eng
Description
Summary: Current security issues like service misuse and fraud are well-known problems of SIP-based networks. To design and evolve effective countermeasures, it is important to know how these attacks are launched in reality. For gathering the required data, a specialized SIP Honeynet System has been implemented and operated since December 2009 which has recorded over 47.5 million SIP messages in total. Over time, based on our Honeypot experiences, we developed essential improvements such as global monitoring of whole subnets, clustering of SIP messages or bidirectional SIP message correlation. In this paper, we first describe these system extensions and demonstrate their benefits. Then we provide an analysis of gathered data which goes beyond pure statistical packet analysis. We identify, analyze and correlate the distinct phases of typical multistage attacks and also provide an example of a full attack sequence resulting in attempts to make Toll Fraud calls via a hijacked SIP account.
ISSN: 2324-898X, 2324-9013
DOI: 10.1109/TrustCom.2012.90