sipShield Plug-in
The sipShield SPL Plug-in enables the Oracle Communications Session Border Controller to drop SIP messages containing the identifying characteristics of known malicious tools. Common attack types include information collection, denial-of-service, and toll fraud.
This version of the sipShield SPL Plug-in, 1.9, may be run on an SBC that supports SPL Engine C2.0.1. A list of supported SPL Engines may be found in the SBC Release Notes.
- SIPVicious
- SIPScan
- SMap
- Sipsak
- Sipcli
- Sivus
- Protos
- Gulp
- Sipv
- Sundayddr Worm
- Spoofed eyeBeam Client
- VaxIPUserAgent
- sipArmyKnife
- Viproy
How It Works
The plug-in scans SIP message fields (User-Agent, From, To, Subject, etc.) for identifying characteristics of known attack tools. Once a SIP message is flagged as a threat, the message is dropped and all processing of the message ceases.
The administrator can also specify a regex that matches the expected User-Agent value, which helps identify potentially fraudulent traffic quickly. This strategy is called “whitelisting”. If the message passes the whitelist check, sipShield continues processing and looks for other indicators of abuse.
The system creates a log entry for each drop event that includes the source IP address and the flagged portion of the message.
You must still configure proper SBC security settings, such as registration policies, ACLs, and signaling thresholds, to handle attacks that may randomize their identifying fields.
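The following sketch models the flow described above: an optional User-Agent whitelist check, then a signature scan of selected headers, with a log entry and counter update on each drop. It is an added example, not Oracle's plug-in code. The class and function names, the signature patterns, the sample message, and the rule that a User-Agent failing the whitelist is dropped are all assumptions.

```python
import re

# Illustrative patterns only (assumed); not the plug-in's real signature set.
SIGNATURES = {
    "SIPVicious": re.compile(r"friendly-scanner|sipvicious", re.I),
    "Sipsak": re.compile(r"sipsak", re.I),
    "Sipcli": re.compile(r"sipcli", re.I),
}
SCANNED = ("user-agent", "from", "to", "subject")
COMPACT = {"f": "from", "t": "to", "s": "subject"}  # RFC 3261 compact header names

def parse_headers(raw):
    """Map lowercased header names to values for one SIP message."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers[COMPACT.get(key, key)] = value.strip()
    return headers

class Shield:
    def __init__(self, ua_whitelist=None):
        self.ua_whitelist = re.compile(ua_whitelist) if ua_whitelist else None
        self.dropped = 0  # messages-dropped counter
        self.log = []     # one entry per drop: source IP and flagged text

    def _drop(self, src_ip, reason, flagged):
        self.dropped += 1
        self.log.append({"src": src_ip, "reason": reason, "flagged": flagged})
        return False

    def allow(self, raw, src_ip):
        """Return True to keep processing the message, False if it was dropped."""
        headers = parse_headers(raw)
        ua = headers.get("user-agent", "")
        # Assumption: a User-Agent that fails the whitelist regex is dropped.
        if self.ua_whitelist and not self.ua_whitelist.fullmatch(ua):
            return self._drop(src_ip, "whitelist", ua)
        for field in SCANNED:  # a whitelisted message is still scanned
            for tool, pattern in SIGNATURES.items():
                match = pattern.search(headers.get(field, ""))
                if match:
                    return self._drop(src_ip, tool, match.group(0))
        return True

def msg(user_agent, from_line="From: <sip:100@example.com>"):  # constructed sample
    return f"OPTIONS sip:100@example.com SIP/2.0\r\n{from_line}\r\nUser-Agent: {user_agent}\r\n\r\n"
```

With no whitelist configured, a message whose User-Agent matches none of the signatures is allowed through, which is why the SBC's ACLs, registration policies, and signaling thresholds remain necessary.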
Adding the Plug-in to Your Configuration
ORACLE(spl-plugins)# name sipShield.1.11.spl
Messages Dropped Counter
The sipShield plug-in comes with a counter that tracks the number of SIP attack messages dropped. The counter is enabled automatically when you use the block-attack-tools SPL option.