VoIP Security: Hardening SIP Infrastructure Against Attacks

Practical SIP security hardening: authentication brute-force prevention, REGISTER flooding mitigation, TLS enforcement, fraud detection patterns, and fail2ban configuration.

Tumarm Engineering · 11 min read

SIP infrastructure is one of the most actively attacked surfaces on the internet. Port 5060 UDP is probed constantly — automated scanners enumerate SIP extensions, brute-force credentials, and launch toll fraud attacks that can generate $10,000–$50,000 in carrier charges before anyone notices. This post covers concrete hardening steps that eliminate the easy attacks and make the hard ones expensive enough to be unprofitable.

Threat Model

The attacks worth defending against, roughly in order of frequency:

  1. Extension enumeration — SIPvicious (svwar) and similar tools send REGISTER or OPTIONS requests for every extension from 100 to 9999 and tell valid usernames from invalid ones by the response: a 401 Unauthorized means the account exists, a 403 Forbidden or 404 Not Found means it does not.
  2. Credential brute-force — After finding valid extensions, attackers try common SIP passwords: the extension number itself, 1234, 0000, secret.
  3. REGISTER flooding — Volumetric attacks that consume CPU processing authentication challenges.
  4. Toll fraud — Once authenticated (or by exploiting misconfigured contexts), attackers place calls to premium-rate numbers or international destinations they monetize.
  5. Media interception and injection — Capturing cleartext RTP to eavesdrop, or inserting RTP packets into an established call to disrupt it.

Response Code Normalization

The cheapest fix: stop leaking information through SIP responses. A 401 Unauthorized for a valid extension and a 403 Forbidden (or 404 Not Found) for an invalid one tells attackers which extensions exist. Return the same status code, reason phrase and WWW-Authenticate challenge for both, so nothing in the response distinguishes a real account from a guessed one:

Kamailio

request_route {
    if (is_method("REGISTER")) {
        if (!www_authenticate("mydomain.com", "subscriber")) {
            # Unknown user, wrong password and stale nonce all land here.
            # Log the source in a form fail2ban can match; keep attacker-
            # controlled headers (From, To) off this line so they cannot
            # inject a fake [host]. Always 401 from here, never 403 or 404.
            xlog("L_WARN", "auth failed [$si] \"$rm\" -> 401\n");
            www_challenge("mydomain.com", "1");
            exit;
        }
        # save() sends the 200 OK itself; an explicit sl_send_reply here
        # would produce a second reply.
        if (!save("location")) {
            sl_reply_error();
        }
        exit;
    }
}

Kamailio's www_authenticate returns a negative code for every failure (unknown user, wrong password, stale nonce), and the script above takes the same branch for all of them, so the client sees an identical 401 whether or not the extension exists. Apply the same rule to INVITE: a proxy_authenticate failure always yields a 407 challenge, never a 403 that confirms the account is real.

OpenSIPS

route {
    if (is_method("REGISTER")) {
        if (!www_authorize("", "subscriber")) {
            # Same branch for unknown user and wrong password: always 401.
            xlog("L_WARN", "auth failed [$si] \"$rm\" -> 401\n");
            www_challenge("", 0);
            exit;
        }
        # save() replies 200 OK on success; reply 500 only when it fails.
        if (!save("location")) {
            send_reply(500, "Internal Error");
        }
        exit;
    }
}

Rate Limiting with pike (Kamailio)

The pike module tracks per-IP request rates and blocks sources that exceed your threshold:

loadmodule "pike.so"

modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 30)
modparam("pike", "remove_latency", 4)

request_route {
    if (!pike_check_req()) {
        xlog("L_WARN", "Pike blocked $si:$sp - $rm\n");
        exit;
    }
    # ... rest of routing
}

This flags any IP that exceeds roughly 30 SIP requests in a 2-second window and keeps it blocked until the rate drops (remove_latency controls how long an idle entry is kept). Legitimate phones send a few REGISTER and OPTIONS per minute; an enumeration tool sends hundreds per second. The exception is anything that aggregates traffic: a carrier trunk, an SBC, or a NAT'd office with dozens of phones behind one address can legitimately exceed the threshold, so exempt those sources (for example with the permissions module's allow_source_address()) before calling pike_check_req().

fail2ban Integration

fail2ban reads log files and adds iptables rules to block offending IPs. Configure it to watch Kamailio or Asterisk logs:

# /etc/fail2ban/filter.d/kamailio.conf
# Matches the 'auth failed [<ip>] "<method>" -> 401' lines the routing
# script logs, and pike's "Pike blocked <ip>:<port>" line. Python regexes
# are case-sensitive, so the spelling must match the xlog text exactly.
[Definition]
failregex = .*\[<HOST>\].*"(REGISTER|INVITE|OPTIONS)".*-> 401
            .*\[<HOST>\].*"(REGISTER|INVITE|OPTIONS)".*-> 403
            .*Pike blocked <HOST>:\d+

ignoreregex =

# /etc/fail2ban/jail.d/kamailio.conf
[kamailio]
enabled  = true
filter   = kamailio
logpath  = /var/log/kamailio/kamailio.log
maxretry = 10
findtime = 300
bantime  = 3600
# Never ban carrier trunks or your own offices: a NAT'd site shares one IP.
# 198.51.100.0/24 is a placeholder for your trunk range.
ignoreip = 127.0.0.1/8 198.51.100.0/24
# allports with protocol=all covers 5060/udp, 5060/tcp and 5061/tls alike,
# so no port or protocol line is needed in this jail.
action   = iptables-allports[name=kamailio, protocol=all]

This bans, for one hour, any IP that triggers 10 auth failures within 5 minutes. Increase bantime to 86400 (24 hours) for persistent attackers, and enable fail2ban's stock recidive jail (or a jail with bantime = -1, permanent) for addresses that come back after a ban. Two caveats: fail2ban is a log tailer, so a scanner sending hundreds of requests per second gets thousands of attempts in before the ban lands (pike is the real-time control; fail2ban cleans up afterwards), and the filter trusts whatever the log says the host is, so never log attacker-controlled header values on the same line as the source IP.
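To see exactly what the rate and ban thresholds above do, here is the same decision logic in Python, run over a few constructed Kamailio log lines. This is an added illustration, not part of the original post and not fail2ban's or Kamailio's own code; the log lines, the sliding-window counter and the ignoreip handling are assumptions about the format the routing script logs, and the 10.0.0.0/8, 198.51.100.9 and 203.0.113.7 addresses are placeholders.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Python form of the two failregex lines in the fail2ban filter above. The
# host must contain a '.' or ':' so that "kamailio[2231]" is never taken as one.
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
_HOST = r"(?P<host>[0-9a-fA-F]*[.:][0-9a-fA-F.:]+)"
FAIL_PATTERNS = [
    re.compile(_PREFIX + r".*\[" + _HOST + r'\].*"(REGISTER|INVITE|OPTIONS)".*-> (401|403)'),
    re.compile(_PREFIX + r".*Pike blocked " + _HOST + r":\d+"),
]


def parse_failure(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, offending host) if the line is an auth failure or pike block."""
    for pattern in FAIL_PATTERNS:
        m = pattern.match(line)
        if m:
            # syslog lines carry no year; strptime fills in 1900, which is fine
            # because only differences between timestamps are used.
            return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("host")
    return None


class Jail:
    """maxretry hits within findtime seconds -> ban for bantime seconds,
    skipping anything in ignoreip (trunks, offices, loopback)."""

    def __init__(self, maxretry: int = 10, findtime: int = 300,
                 bantime: int = 3600, ignoreip: Tuple[str, ...] = ("127.0.0.0/8",)):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.hits: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.banned: Dict[str, datetime] = {}  # host -> ban expiry

    def observe(self, line: str) -> Optional[str]:
        """Feed one log line; return the host if this line triggered a ban."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, host = parsed
        if any(ipaddress.ip_address(host) in net for net in self.ignore):
            return None
        if host in self.banned and ts < self.banned[host]:
            return None  # already banned, nothing to count
        window = self.hits[host]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()  # drop hits older than findtime
        if len(window) >= self.maxretry:
            self.banned[host] = ts + self.bantime
            window.clear()
            return host
        return None

    def run(self, lines: List[str]) -> List[str]:
        return [h for h in (self.observe(l) for l in lines) if h]


def sample_log() -> List[str]:
    """Constructed Kamailio syslog lines (not from a real system): a scanner at
    203.0.113.7, an office phone behind NAT at 10.0.0.5 mistyping its password,
    and a phone at 198.51.100.9 that fails only occasionally."""
    def line(t: int, body: str) -> str:
        mm, ss = divmod(t, 60)
        return f"Jan 12 10:{mm:02d}:{ss:02d} pbx kamailio[2231]: WARNING: <script>: {body}"

    lines = [line(i * 5, 'auth failed [203.0.113.7] "REGISTER" -> 401') for i in range(12)]
    lines.append(line(60, "Pike blocked 203.0.113.7:5060 - REGISTER"))
    lines += [line(120 + i * 10, 'auth failed [10.0.0.5] "REGISTER" -> 401') for i in range(12)]
    lines += [line(t, 'auth failed [198.51.100.9] "INVITE" -> 401') for t in (180, 540, 900)]
    lines.append(line(240, "Contact sip:1001@198.51.100.9 registered"))  # unrelated line
    return lines


if __name__ == "__main__":
    jail = Jail(ignoreip=("127.0.0.0/8", "10.0.0.0/8"))
    print("banned:", jail.run(sample_log()))
```

In the constructed log the scanner's tenth failure lands 45 seconds into the run, and every request before it was answered; a real scanner at hundreds of requests per second gets thousands of attempts in before a log-driven ban takes effect, which is why pike sits in front and fail2ban mops up. The same run shows why an office behind NAT belongs in ignoreip: without it, one phone with a mistyped password would lock out every phone on that site.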

Enforcing TLS for SIP Signaling

Plain UDP SIP exposes call metadata and the digest authentication exchange. The password itself is never sent, but the MD5 digest response together with the nonce, realm and URI from the same exchange is everything an offline dictionary attack needs, and SIP passwords are usually short PINs. Enforce TLS for all external endpoints:

; Asterisk PJSIP transport (pjsip.conf)
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/letsencrypt/live/pbx.example.com/fullchain.pem
priv_key_file=/etc/letsencrypt/live/pbx.example.com/privkey.pem
cipher=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
method=tlsv1_2

; (!) marks a template; endpoints inherit it with [1001](endpoint-tls-template)
[endpoint-tls-template](!)
type=endpoint
transport=transport-tls
media_encryption=sdes
media_encryption_optimistic=no

media_encryption=sdes requires SRTP for the endpoint, and media_encryption_optimistic=no (the default) means an offer without crypto is rejected instead of quietly falling back to cleartext RTP. That is the right behaviour for anything carrying confidential calls. TLS on 5061 only helps if the cleartext transport is also gone: remove the 5060 UDP/TCP transport from external interfaces, or bind it to trunk-facing addresses only, otherwise scanners simply keep using it.
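What "crackable offline" means in practice, as an added Python example (not from the original post, and not a tool the post recommends): given one captured REGISTER Authorization header, the digest is recomputed for each candidate password until it matches. The header is constructed here for extension 1001 at pbx.example.com with a deliberately weak password; the nonce and cnonce values are made up.

```python
import hashlib
from typing import Dict, Iterable, Optional


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, qop: Optional[str] = None,
                    nc: Optional[str] = None, cnonce: Optional[str] = None) -> str:
    """MD5 digest response as a SIP phone computes it (RFC 3261 s22, RFC 2617)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_digest_params(header_value: str) -> Dict[str, str]:
    """Turn 'Digest k="v", k2=v2, ...' into a dict (values here contain no commas)."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    out: Dict[str, str] = {}
    for item in params.split(","):
        key, _, value = item.strip().partition("=")
        out[key.strip()] = value.strip().strip('"')
    return out


def make_sample_authorization(password: str) -> str:
    """Constructed Authorization header for extension 1001 at pbx.example.com, as a
    sniffer on UDP 5060 would see it after the phone answered a 401. Not a real capture."""
    realm, user, uri = "pbx.example.com", "1001", "sip:pbx.example.com"
    nonce, nc, cnonce = "5f2c1b9e3a7d4c0e", "00000001", "0a4f2c"   # made-up values
    resp = digest_response(user, realm, password, "REGISTER", uri, nonce, "auth", nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", algorithm=MD5, response="{resp}"')


def candidate_passwords(extension: str) -> Iterable[str]:
    """What a scanner tries first: the extension itself, the usual defaults,
    then every 4-digit PIN (10,000 MD5 pairs, well under a second)."""
    yield extension
    yield from ("1234", "0000", "secret", "password", extension * 2)
    for pin in range(10000):
        yield f"{pin:04d}"


def crack_digest(authorization: str, method: str, wordlist: Iterable[str]) -> Optional[str]:
    """Recover the password from one captured challenge/response pair, offline.
    No further traffic to the PBX is needed, so rate limits and bans never fire."""
    p = parse_digest_params(authorization)
    for guess in wordlist:
        attempt = digest_response(p["username"], p["realm"], guess, method, p["uri"],
                                  p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
        if attempt == p["response"]:
            return guess
    return None


if __name__ == "__main__":
    weak = make_sample_authorization("1001")
    print("weak PIN recovered:", crack_digest(weak, "REGISTER", candidate_passwords("1001")))
    strong = make_sample_authorization("q7G#m2Lp!vX9sR4e")
    print("strong password recovered:", crack_digest(strong, "REGISTER", candidate_passwords("1001")))
```

None of this touches the PBX, so pike and fail2ban never see it. TLS removes the capture; a long random password makes the capture useless even where TLS is misconfigured. Do both.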

SRTP for Media

SIP over TLS protects signaling. SRTP protects the media. Enabling both closes the full eavesdropping path:

# Kamailio: enforce SRTP by rejecting offers without keying (textops module)
request_route {
    if (is_method("INVITE")) {
        if (!has_body("application/sdp")) {
            sl_send_reply("400", "Bad Request");
            exit;
        }
        # Accept SDES (a=crypto) or DTLS-SRTP (a=fingerprint, used by WebRTC);
        # anything else is a cleartext offer.
        if (!search_body("a=crypto:") && !search_body("a=fingerprint:")) {
            sl_send_reply("488", "Not Acceptable Here");
            exit;
        }
    }
}
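search_body() only proves that at least one keying line exists somewhere in the body. An offer with an encrypted audio stream and a cleartext video stream passes, and so does a=crypto attached to an RTP/AVP stream, a combination RFC 4568 does not define and which a peer may silently ignore, leaving the stream in the clear. The check below, an added Python example that is not part of the original post or of Kamailio, walks each m= section and accepts the offer only if every active stream is on an SRTP profile with SDES or DTLS-SRTP keying; the SDP bodies are constructed samples (the SDES key is the one from RFC 4568's examples, the fingerprint is made up).

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Transport profiles that carry SRTP. Anything else (RTP/AVP, RTP/AVPF) is cleartext.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


@dataclass
class MediaSection:
    kind: str                                   # audio, video, ...
    port: int
    profile: str
    attrs: List[str] = field(default_factory=list)   # a= lines, without the "a="


def parse_sdp(sdp: str) -> Tuple[List[str], List[MediaSection]]:
    """Split an SDP body into session-level a= lines and its m= sections."""
    session_attrs: List[str] = []
    sections: List[MediaSection] = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            kind, port, profile = line[2:].split()[:3]
            sections.append(MediaSection(kind, int(port), profile))
        elif line.startswith("a="):
            (sections[-1].attrs if sections else session_attrs).append(line[2:])
    return session_attrs, sections


def check_offer(sdp: str) -> Tuple[bool, List[str]]:
    """Accept only if every active media stream is SRTP: a secure transport
    profile plus SDES (a=crypto) or DTLS-SRTP (a=fingerprint) keying."""
    session_attrs, sections = parse_sdp(sdp)
    problems: List[str] = []
    if not sections:
        problems.append("no m= line")
    for s in sections:
        if s.port == 0:
            continue  # stream rejected/disabled, carries no media
        attrs = session_attrs + s.attrs  # media level inherits session level
        sdes = any(a.startswith("crypto:") for a in attrs)
        dtls = any(a.startswith("fingerprint:") for a in attrs)
        if s.profile not in SECURE_PROFILES:
            problems.append(f"{s.kind}: cleartext profile {s.profile}")
        elif not (sdes or dtls):
            problems.append(f"{s.kind}: {s.profile} without a=crypto or a=fingerprint")
    return (not problems), problems


def _sdp(*lines: str) -> str:
    return "\r\n".join(lines) + "\r\n"


_HEADER = ("v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0")
_SDES = "crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz"

# Constructed offers, not captured traffic.
SDES_OFFER = _sdp(*_HEADER, "m=audio 49170 RTP/SAVP 0 8", "a=" + _SDES)
DTLS_OFFER = _sdp(*_HEADER,
                  "a=fingerprint:sha-256 " + ":".join(["7A"] * 32), "a=setup:actpass",
                  "m=audio 9 UDP/TLS/RTP/SAVPF 111")
CLEARTEXT_OFFER = _sdp(*_HEADER, "m=audio 49170 RTP/AVP 0 8")
# search_body("a=crypto:") passes both of these; the per-stream check does not.
MIXED_OFFER = _sdp(*_HEADER, "m=audio 49170 RTP/SAVP 0 8", "a=" + _SDES,
                   "m=video 51372 RTP/AVP 96")
MISLABELLED_OFFER = _sdp(*_HEADER, "m=audio 49170 RTP/AVP 0 8", "a=" + _SDES)

if __name__ == "__main__":
    for name, body in [("sdes", SDES_OFFER), ("dtls", DTLS_OFFER), ("cleartext", CLEARTEXT_OFFER),
                       ("mixed", MIXED_OFFER), ("mislabelled", MISLABELLED_OFFER)]:
        print(name, check_offer(body))
```

Run the same check on the 200 OK in the reply route as well: an answer that strips a=crypto or downgrades the profile is just as much a cleartext call as an offer that never had it.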

Dialplan Fraud Prevention

Toll fraud usually exploits a misconfigured dialplan context. Common mistakes:

Never allow unauthenticated access to outbound routes:

; WRONG: any SIP device that reaches this context can dial out. Unauthenticated
; calls land in whatever context the anonymous endpoint (or a permissive
; trunk) points at; if that is [default], this is toll fraud.
[default]
exten => _9.,1,Dial(PJSIP/${EXTEN:1}@carrier)

; RIGHT: only authenticated extensions are placed in from-internal,
; and even they pass a per-account check first.
[from-internal]
exten => _9.,1,GoSub(sub-check-credit,s,1)
 same => n,Dial(PJSIP/${EXTEN:1}@carrier)

Restrict international dialing by default:

[from-internal]
; Domestic only by default. Note that _NXXNXXXXXX also matches NANP numbers
; outside the US and Canada (876 Jamaica, for example) that bill at
; international rates; filter those by area code inside sub-dialout.
exten => _NXXNXXXXXX,1,GoSub(sub-dialout,s,1(${EXTEN}))

; International requires explicit permission via DB lookup. Catch every
; prefix a phone can produce (011, 00, +), not just 011; attackers try them all.
exten => _011.,1,GoSub(sub-intl,s,1(${EXTEN}))
exten => _00.,1,GoSub(sub-intl,s,1(${EXTEN}))
exten => _+.,1,GoSub(sub-intl,s,1(${EXTEN}))

[sub-intl]
; ARG1 is the dialed number; sub-check-international-permission sets PERMISSION
exten => s,1,GoSub(sub-check-international-permission,s,1(${CALLERID(num)}))
 same => n,GotoIf($["${PERMISSION}" = "yes"]?allowed:denied)
 same => n(allowed),GoSub(sub-dialout,s,1(${ARG1}))
 same => n,Return()
 same => n(denied),Playback(ss-noservice)
 same => n,Hangup()

Set per-account call limits:

[sub-check-credit]
; DB(calls/<account>/active) must be incremented when a call is placed and
; decremented in the h extension (Asterisk's GROUP()/GROUP_COUNT() do this
; bookkeeping for you). An absent key reads as empty, so default it to 0
; before the comparison, otherwise $[ >= 3] is a dialplan error.
exten => s,1,Set(ACTIVE_CALLS=${DB(calls/${CALLERID(num)}/active)})
 same => n,ExecIf($["${ACTIVE_CALLS}" = ""]?Set(ACTIVE_CALLS=0))
 same => n,GotoIf($[${ACTIVE_CALLS} >= 3]?overlimit)
 same => n,Return()
 same => n(overlimit),Playback(ss-noservice)
 same => n,Hangup()
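Two gaps in the patterns above deserve a closer look, so here is an added Python example (not part of the original post, and not Asterisk code) that normalizes a dialed string and classifies it the way the permission check should. First, _NXXNXXXXXX also matches NANP numbers outside the US and Canada that bill at international rates, so a "domestic only" rule still leaks. Second, blocking only 011 leaves 00 and + as alternate routes to the same destination. The area code and country code tables are illustrative, not a rate deck; the phone numbers are fictional.

```python
import re
from typing import Tuple

# Illustrative tables, not a rate deck. NANP area codes outside the US and
# Canada that bill as international (Jamaica 876, Antigua 268, British Virgin
# Islands 284, Dominican Republic 809/829/849) and NANP premium-rate prefixes
# (900, 976). Extend both from your carrier's rate sheet.
NANP_INTERNATIONAL = {"876", "268", "284", "809", "829", "849"}
NANP_PREMIUM = {"900", "976"}
# Country codes of different lengths so longest-prefix lookup is exercised;
# 881 (satellite) and 882 (international networks) are classic fraud destinations.
COUNTRY_CODES = {"44": "GB", "33": "FR", "49": "DE", "7": "RU/KZ",
                 "252": "SO", "371": "LV", "881": "SAT", "882": "INTLNET"}


def normalize(dialed: str) -> str:
    """Reduce what the user dialed in from-internal (after any trunk-access
    digit was stripped) to E.164 digits without the '+'."""
    d = re.sub(r"[\s\-().]", "", dialed)
    if d.startswith("+"):
        return d[1:]
    if d.startswith("011"):                  # NANP international access code
        return d[3:]
    if d.startswith("00"):                   # ITU access code many phones emit
        return d[2:]
    if len(d) == 11 and d[0] == "1":         # 1 + NPA-NXX-XXXX
        return d
    if len(d) == 10 and d[0] in "23456789":  # bare NPA-NXX-XXXX, i.e. _NXXNXXXXXX
        return "1" + d
    return d


def classify(dialed: str) -> Tuple[str, str]:
    """Return (category, destination): category is domestic, international or
    premium; destination is the NPA for NANP numbers, else the country code."""
    n = normalize(dialed)
    if len(n) == 11 and n[0] == "1":
        npa = n[1:4]
        if npa in NANP_PREMIUM:
            return "premium", npa
        if npa in NANP_INTERNATIONAL:
            return "international", "1-" + npa   # looks domestic, bills international
        return "domestic", npa
    for length in (3, 2, 1):                     # longest matching country code wins
        if n[:length] in COUNTRY_CODES:
            return "international", n[:length]
    return "international", n[:3] + "?"          # unknown prefix: never treat as domestic


def outbound_decision(dialed: str, international_allowed: bool) -> str:
    """The policy the dialplan's permission check enforces, minus the DB call."""
    category, _ = classify(dialed)
    if category == "premium":
        return "deny"
    if category == "international" and not international_allowed:
        return "deny"
    return "allow"


if __name__ == "__main__":
    for number in ("212-555-0100", "876-555-0100", "900-555-0100",
                   "011 44 7700 900123", "00447700900123", "+44 7700 900123"):
        print(f"{number:>20} -> {classify(number)} -> {outbound_decision(number, False)}")
```

The decision is deliberately fail-closed: a prefix the table does not know is treated as international rather than domestic, which is the opposite of what a pattern-match dialplan does when no extension matches its international patterns.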

Anomaly Detection: Spend Velocity Alerts

Technical controls stop known attack patterns. Behavioral anomaly detection catches novel attacks. Track per-account spend velocity against your carrier CDR feed:

-- Alert query: accounts exceeding $50 in the last hour
SELECT
    account_id,
    SUM(duration_seconds * rate_per_second) AS spend_last_hour,
    COUNT(*) AS call_count
FROM cdr
WHERE call_start > NOW() - INTERVAL '1 hour'
  AND call_type = 'outbound'
GROUP BY account_id
HAVING SUM(duration_seconds * rate_per_second) > 50
ORDER BY spend_last_hour DESC;

Run this query every 5 minutes from a monitoring job. When an account crosses the threshold, suspend outbound calling automatically and page the on-call team. Exposure per account is then bounded by the $50 threshold plus whatever the account can spend during one polling interval and the time it takes the suspension to take effect, so automate the suspension rather than waiting for a human. Two gaps to close: CDRs are written at hangup, so a single long call to a premium destination is invisible until it ends (count active channels as well), and an account that has already tripped will match on every run until the hour passes (suppress repeat alerts for an account already suspended).

Security Hardening Checklist

Control                              Priority   Implementation
Response code normalization          Critical   Kamailio/OpenSIPS routing block
Rate limiting (pike / ratelimit)     Critical   Load pike module
fail2ban on auth failures            Critical   fail2ban + iptables
TLS for SIP signaling                High       PJSIP TLS transport
SRTP for media                       High       PJSIP + rtpengine SRTP
Deny RFC 1918 relay in TURN          High       coturn denied-peer-ip
International dialing restrictions   High       Dialplan permission check
Per-account call limits              Medium     DB-backed call counter
Spend velocity alerting              Medium     CDR monitoring query
Homer SIPcapture for forensics       Medium     sipcapture module

A SIP infrastructure that passes this checklist is not unattackable; determined, well-funded attackers still exist. But it is unprofitable to attack opportunistically, which removes the bulk of the scanner and brute-force traffic you will actually see in production.
