sipShield Plug-in

The sipShield SPL Plug-in enables the Oracle Communications Session Border Controller to drop SIP messages containing the identifying characteristics of known malicious tools. Common attack types include information collection, denial-of-service, and toll fraud.

This version of the sipShield SPL Plug-in, 1.9, may be run on an SBC that supports SPL Engine C2.0.1. A list of supported SPL Engines may be found in the SBC Release Notes.

Tools identified include:
  • SIPVicious
  • SIPScan
  • SMap
  • Sipsak
  • Sipcli
  • Sivus
  • Protos
  • Gulp
  • Sipv
  • Sundayddr Worm
  • Spoofed eyeBeam Client
  • VaxIPUserAgent
  • sipArmyKnife
  • Viproy

How It Works

The plug-in scans SIP message fields (User-Agent, From, To, Subject, etc.) for identifying characteristics of known attack tools. Once a SIP message is flagged as a threat, the message is dropped and all processing of the message ceases.

The administrator can also specify a regex that matches the expected User-Agent value, so that potentially fraudulent traffic can be identified quickly. This strategy is called “whitelisting”. If the User-Agent matches the whitelist regex, sipShield continues processing the message and still checks it for other indicators of abuse.

The system creates a log entry for each drop event that includes the source IP address and the flagged portion of the message.

You must still configure proper SBC security settings such as registration policies, ACL, and signaling thresholds for attacks that may randomize their identifying fields.
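As an added illustration (not code from Oracle or the plug-in itself), the following Python model follows the behaviour described above: it parses the SIP header block, applies the whitelist regex to User-Agent first, then checks the named fields against tool signatures, and records each drop with the source IP, the flagged portion and a running counter. The signatures and sample messages are constructed, and the model assumes that a User-Agent failing the whitelist is dropped.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed, illustrative signatures: the plug-in's real patterns are not
# published, so most tools from its list are matched by name, case-insensitively.
TOOLS = ("SIPVicious", "SIPScan", "SMap", "Sipsak", "Sipcli", "Sivus", "Protos",
         "Gulp", "Sundayddr", "VaxIPUserAgent", "sipArmyKnife", "Viproy")
TOOL_SIGNATURES = {t: re.compile(re.escape(t), re.IGNORECASE) for t in TOOLS}
SCANNED_HEADERS = ("User-Agent", "From", "To", "Subject")  # fields the text names

def parse_headers(raw):
    """Return {header-name-lower: value} for the header block of a SIP message."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the request/status line
        if not line:
            break                           # empty line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

@dataclass
class SipShield:
    whitelist: Optional[str] = None         # expected User-Agent regex (+whitelist=)
    dropped: int = 0                        # what "spl show sip attacks" would report
    log: list = field(default_factory=list)

    def _drop(self, src_ip, where, flagged):
        self.dropped += 1
        self.log.append(f"sipShield drop src={src_ip} field={where} flagged={flagged!r}")
        return False                        # all further processing ceases

    def inspect(self, src_ip, raw):
        """True if the message may continue processing, False if it was dropped."""
        headers = parse_headers(raw)
        ua = headers.get("user-agent", "")
        if self.whitelist is not None and not re.search(self.whitelist, ua):
            return self._drop(src_ip, "User-Agent", ua)   # assumed: no match = drop
        for hdr in SCANNED_HEADERS:         # whitelist passed: keep looking
            value = headers.get(hdr.lower(), "")
            for tool, pattern in TOOL_SIGNATURES.items():
                if pattern.search(value):
                    return self._drop(src_ip, f"{hdr} ({tool})", value)
        return True

# Constructed sample messages (documentation IP ranges, not captured traffic).
SCAN = ("OPTIONS sip:100@198.51.100.10 SIP/2.0\r\n"
        "From: \"sipvicious\" <sip:100@203.0.113.9>;tag=1\r\n"
        "To: <sip:100@198.51.100.10>\r\nUser-Agent: friendly-scanner\r\n\r\n")
LEGIT = ("REGISTER sip:198.51.100.10 SIP/2.0\r\nFrom: <sip:alice@example.com>;tag=7\r\n"
         "To: <sip:alice@example.com>\r\nUser-Agent: Linphone/4.5\r\n\r\n")
```

Run with `SipShield()` to model block-attack-tools alone, or with `SipShield(whitelist=r"Linphone|Vendorname release 2\.2\.3")` to model the whitelist option from the configuration section.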

After uploading your SPL file, add the sipShield plug-in to your configuration.
    ORACLE(spl-plugins)# name sipShield.1.11.spl

Adding the Plug-in to Your Configuration

The plug-in must be configured in the spl-config configuration element. If multiple plug-ins are configured on the SBC, the plug-ins are executed in the order of configuration.
  1. In Superuser mode, type configure terminal and press <Enter>.
    ACMEPACKET# configure terminal
  2. Type system and press <Enter> to access the system-level configuration elements.
    ACMEPACKET(configure)# system
    ACMEPACKET(system)#
  3. Type spl-config and press <Enter>.
    ACMEPACKET(system)# spl-config
    ACMEPACKET(spl-config)#
  4. To start editing the spl-config, type select and press <Enter>.
    ACMEPACKET(spl-config)# select
  5. Type plugins and press <Enter>. The system prompt changes to let you know that you can begin configuring individual parameters.
    ACMESYSTEM(spl-config)# plugins
    ACMESYSTEM(spl-plugins)#
  6. Type name, a <space>, and the name of the SPL plug-in file.
    ACMESYSTEM(spl-plugins)# name sipShield.1.9.spl
  7. Type done to save your work.
  8. Type exit.
  9. Type done.

Messages Dropped Counter

The sipShield plug-in comes with a counter to track the number of SIP attack messages dropped. The counter is enabled automatically when using the block-attack-tools spl option.

Show Counter

  1. Type spl show sip attacks all and press <Enter> to access the number of attacks detected.

Reset Counter

  1. Type spl reset sip attacks and press <Enter> to reset the sipShield counters.

Configuring the Plug-in Options

The SPL options must be configured on either the sip-interface or the ingress realm-config. There is no global option for this plug-in.

Note:

When the plug-in is enabled on both the sip-interface and realm-config, the sip-interface takes precedence.
  1. In Superuser mode, type configure terminal and press <Enter>.
    ORACLE# configure terminal
  2. Access either the sip-interface or the realm-config object.
    ORACLE(configure)# session-router
    ORACLE(session-router)# sip-interface
    ORACLE(sip-interface)#
    ORACLE(configure)# media-manager
    ORACLE(media-manager)# realm-config
    ORACLE(realm-config)#
  3. Select the sip-interface or realm-config to which you want to apply this feature.
  4. Enter one of the following options to enable the plug-in:
    • Type spl-options +block-attack-tools and press <Enter>.
      ORACLE(sip-interface)# spl-options +block-attack-tools
    • Type spl-options +whitelist="regex" and press <Enter>.
      ORACLE(sip-interface)# spl-options +whitelist="Linphone|Vendorname release 2\.2\.3"

      Note:

      When whitelist is enabled, you do not need to enable block-attack-tools.
  5. Type done to save your work.
  6. Save and activate your changes.