Tools / Security / Vol II

SIP Attack-Tool Fingerprint Recognizer

Paste a single SIP request from a packet capture or SBC log and the recognizer matches it against the well-known signatures of SIP scanning, brute-force, TDoS, and legitimate testing tools — SIPVicious, sipsak, sipcli, Mr.SIP, sundayddr, SIPp, pjsua, Asterisk, FreeSWITCH. It scores User-Agent strings plus behavioral markers (Via branch format, Call-ID shape, From-tag length) so a spoofed User-Agent still gets caught.

Everything runs in your browser. The text you paste is never sent to any server — no network requests, no logging.

How fingerprinting works

User-Agent is the cheap signal

Many scanners and dialers leave a default User-Agent — friendly-scanner, sipcli/v, sipsak, Mr.SIP. Blocking on User-Agent alone catches the lazy ones. The recognizer scores User-Agent matches highest (80–100) but never relies on them alone.

Branch + From-tag + Call-ID shape

Tools generate transaction IDs with characteristic shapes — SIPVicious classic uses a tiny z9hG4bK-NNNN branch, a 10-hex-char From tag, and a Call-ID that's a Unix timestamp followed by a hash. sipsak uses z9hG4bK. with a dot. Forks that spoof the User-Agent often forget to update these — so behavioral markers catch the spoofers.

SIPVicious family

Sandro Gauci's original SIPVicious bundles svmap (host discovery), svwar (extension enumeration), and svcrack (password guessing). The default friendly-scanner User-Agent is still the highest-volume SIP scan banner on the internet. SIPVicious-PRO is the modern commercial fork — same signature heritage, different defaults.

sipcli — phone-bill drainer

sipcli ships as a Windows command-line dialer that's become the go-to for international revenue-share fraud (IRSF) — bot operator finds an open SIP trunk, dials premium-rate destinations all night. User-Agent sipcli/v1.8 or similar; INVITE-only; CSeq counter increments rapidly across calls.

Legitimate tools also show up

SIPp, pjsua, Asterisk, FreeSWITCH, and modern carrier SBCs all leave recognizable User-Agents too. The recognizer flags these with an info tone instead of a threat tone — you can still see the signature, but the verdict reads "legitimate SIP testing / signaling stack."

Defense in depth

fail2ban regexes against User-Agent: friendly-scanner still block enormous chunks of scan traffic at near-zero cost. Combine with: SBC rate-limit (max INVITEs/sec per source), geo-blocklist, denial of REGISTER from sources outside known dialer ranges, and a real authentication policy (long random passwords, account lockout, SHA-256 digest). The recognizer's Defensive notes section above lists specific rules per tool.

What the verdict tones mean

Threat = a known scanner/brute-forcer/TDoS tool; source should be in your blocklist. Caution = dual-use (testing tools that can be repurposed) or partial match; review the markers below. Info = legitimate signaling stack — Asterisk, FreeSWITCH, an SBC. Unknown = nothing distinctive matched; could be a competent attacker, a SIP stack the recognizer doesn't know yet, or just a legitimate UA without a recognizable User-Agent.

Vol II: Securing VoIP

Volume II of The VoIP Engineer's Library walks the attack tree this tool detects against — recon, registration brute force, INVITE flood, TDoS, IRSF — and the defenses that hold up: hardened SBC config, fail2ban rule sets, auth policy, and topology choices that minimize attack surface.