Advanced Threat Detection
sipPROT deals with packets as they arrive rather than by looking at a log file. Brute-force break-in attempts are quite frequent and an unpredictable threat. Unprotected VOIP PBX systems are very sensitive to this kind of attack. The most common consequences of this kind of network attack are:
- VOIP service downtime
- Call quality issues due to an overloaded network
- Direct financial loss due to network instability
SIP Packet Inspection
Unlike other similar solutions, sipPROT works with LIVE SIP traffic, constantly monitoring SIP packets being received. Potential attacks are instantly detected and sipPROT updates the firewall rules and blocks IP addresses from which the attack is coming, for a specific amount of time.
SIP Attack Detection Techniques
To detect SIP attacks, sipPROT uses the following advanced detection techniques:
- SIP scanner recognition
- Brute force detection
Dynamic Blocking / Unblocking of IP addresses
sipPROT features a fully automated attack protection system which blocks attacks more efficiently than most other solutions. In case of an attack, it updates the firewall rules and blocks the IP addresses from which the attack is coming for a specific amount of time. If the attacks stop within a certain period of time, sipPROT unblocks the compromised IP addresses automatically.
Auto Provisioning Attack Detection
The auto provisioning service is generally considered one of the most vulnerable spots of a SIP system. sipPROT covers this segment as well through the integrated TFTP brute force attack detection. An active attacker can redirect a profile provisioning request and change the configuration parameters. The attacker can then redirect phone calls through a malicious server, change passwords, turn the phone into a bug, and exfiltrate system logs (including the numbers dialed by the user).
One Step Ahead
Our security engineers are constantly developing new and improved ways of protecting your VOIP system from potential threats. We like to stay one step ahead of hackers.
Protect your PBXware from attackers. sipPROT helps prevent huge financial losses, wasted time and customer churn.
SIP attacks are more often than not directed at exploiting weak spots in your SIP network to enable a third party to make free calls using your resources. Protect the financial investments you made in purchasing and maintaining your system.
Better customer service
Provide ever-improving service to your customers by preventing downtime, call quality issues and potential financial implications, which could be caused by attacks.
System up-time increase
Attacks can significantly reduce your system stability and uptime. Ensure that your system is up and running 99.999% of the time, providing flawless service to your customers.
Improved system performance
Prevent severe system performance issues and call quality losses potentially caused by SIP network attacks and break-in attempts.
Strengthen overall security
Telephony systems are generally one of the least protected segments of your network. Make sure you secure it. Doing so will significantly improve the overall security of the entire company network.
List of IP addresses that will not be blocked by sipPROT under any circumstances. IP addresses in the whitelist are added manually by the administrator.
List of IP addresses that will always be blocked by sipPROT. IP addresses in the blacklist are added either manually by the administrator or automatically by sipPROT, depending on what is set up in the sipprot.conf configuration file.
Dynamic Blacklist Management
sipPROT will temporarily add an IP address to the dynamic blacklist if it unsuccessfully tries to register to PBXware multiple times in a short time span. After a predefined period expires, the IP address is removed from the dynamic blacklist automatically.
SIP Register Protection
SIP REGISTER protection dynamically blocks an IP address if the number of bad SIP registrations exceeds the configured threshold (hit_count) within a given monitoring period (monit_period). The block_threshold config parameter defines how many times an IP address will be dynamically blocked before it is added to the static blacklist.
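A minimal model of the REGISTER protection logic described above, added here as an illustration and not sipPROT's own code. The names hit_count, monit_period and block_threshold come from the page; block_time, the class and its methods are hypothetical, and the reading that an address is moved to the static blacklist on the offence after block_threshold dynamic blocks is an assumption.

```python
from collections import defaultdict, deque

class RegisterGuard:
    """Sliding-window model of dynamic blocking with escalation to a static list."""
    def __init__(self, hit_count, monit_period, block_threshold,
                 block_time, whitelist=()):
        self.hit_count = hit_count              # bad REGISTERs tolerated per window
        self.monit_period = monit_period        # window length in seconds
        self.block_threshold = block_threshold  # dynamic blocks before static listing
        self.block_time = block_time            # hypothetical: dynamic block length (s)
        self.whitelist = set(whitelist)         # never blocked
        self.static_blacklist = set()           # always blocked
        self.failures = defaultdict(deque)      # ip -> timestamps of failed REGISTERs
        self.dynamic_until = {}                 # ip -> expiry time of dynamic block
        self.dynamic_blocks = defaultdict(int)  # ip -> dynamic blocks so far

    def state(self, ip, now):
        if ip in self.whitelist:
            return "allowed"
        if ip in self.static_blacklist:
            return "static-block"
        if self.dynamic_until.get(ip, 0) > now:
            return "dynamic-block"
        return "allowed"                        # dynamic block expired or never set

    def failed_register(self, ip, now):
        """Record one failed REGISTER at time `now`; return the resulting state."""
        current = self.state(ip, now)
        if ip in self.whitelist or current != "allowed":
            return current
        window = self.failures[ip]
        window.append(now)
        while window and window[0] <= now - self.monit_period:
            window.popleft()                    # drop hits older than the window
        if len(window) > self.hit_count:
            window.clear()
            if self.dynamic_blocks[ip] >= self.block_threshold:
                self.static_blacklist.add(ip)   # repeat offender: block permanently
            else:
                self.dynamic_blocks[ip] += 1
                self.dynamic_until[ip] = now + self.block_time
        return self.state(ip, now)

if __name__ == "__main__":
    g = RegisterGuard(3, 60, 2, 300, whitelist={"192.0.2.10"})
    # Constructed sample: three bursts of failed REGISTERs from one address.
    for t in (0, 1, 2, 3, 400, 401, 402, 403, 800, 801, 802, 803):
        print(t, g.failed_register("203.0.113.7", t))
```

Failures spaced wider than monit_period never accumulate, which is why the threshold and window need to be tuned together.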
SIP Invite Protection
SIP INVITE rate limitation does not fully protect against a SIP INVITE attack; it only mitigates the impact of a DoS attack. When the number of simultaneous SIP INVITEs exceeds the configured limit, a notification is sent to the system administrator. It is up to the system administrator to decide whether to permanently add the source IP address to the blacklist or to increase rate_limit if the INVITEs are coming from a known IP address.
SIP Scanners Protection
Entering a SIP scanner's user-agent in sipprot.conf will block any requests sent by that scanner. NOTE: Try to keep the list of scanners as short as possible, as a long list could affect overall system performance.
TFTP protection allows you to protect your server against TFTP brute force attacks, using a rate limit. As an example, with the default settings, if sipPROT detects more than 100 TFTP requests from a single IP in one minute, further requests from that IP will be limited to 10/minute.