Unauthorized Incoming SIP Calls from 67.215.13.194, Continued
Published: 2009/02/25
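This is a follow-up to "Unauthorized Incoming SIP Calls from 67.215.13.194": since around 9:00 this morning they have been occurring in large numbers over a wide range. It is an INVITE flood, and it has been going on for about an hour.
Writing out a packet in detail makes this long, but for now it looks like this.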
Session Initiation Protocol
    Request-Line: INVITE sip:9001963112326111#@x.x.x.x;transport=udp SIP/2.0
        Method: INVITE
        [Resent Packet: False]
    Message Header
        Via: SIP/2.0/UDP 67.215.13.194:4003;branch=1011011111100010010100000111110067.215.13.194x.x.x.x2120661505;rport
            Transport: UDP
            Sent-by Address: 67.215.13.194
            Sent-by port: 4003
            Branch: 1011011111100010010100000111110067.215.13.194x.x.x.x2120661505
            RPort: rport
        Max-Forwards: 70
        From: <sip:1725752941@x.x.x.x>;tag=1126636365-1886873951126636365112663636567.215.13.194
            SIP from address: sip:1725752941@x.x.x.x
            SIP tag: 1126636365-1886873951126636365112663636567.215.13.194
        To: <sip:9001963112326111#@x.x.x.x>
            SIP to address: sip:9001963112326111#@x.x.x.x
        Call-ID: ae87138710010101101100111100111101011011011111100010010100000111110067.215.13.194x.x.x.x2120661505b112099001963112326111#1126636365-1886873951126636365112663636567.215.13.1941137958878
        CSeq: 1 INVITE
            Sequence Number: 1
            Method: INVITE
        Contact: <sip:b11209@67.215.13.194:4003;transport=udp>
            Contact Binding: <sip:b11209@67.215.13.194:4003;transport=udp>
                URI: <sip:b11209@67.215.13.194:4003;transport=udp>
                    SIP contact address: sip:b11209@67.215.13.194:4003
        Content-Type: application/sdp
        Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
        User-Agent: eyeBeam release 1003s stamp 31159
        Content-Length: 212
    Message body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): - 16264 18299 IN IP4 x.x.x.x
                Owner Username: -
                Session ID: 16264
                Session Version: 18299
                Owner Network Type: IN
                Owner Address Type: IP4
                Owner Address: x.x.x.x
            Session Name (s): CounterPath eyeBeam 1.5
            Connection Information (c): IN IP4 x.x.x.x
                Connection Network Type: IN
                Connection Address Type: IP4
                Connection Address: x.x.x.x
            Time Description, active time (t): 0 0
                Session Start Time: 0
                Session Stop Time: 0
            Media Description, name and address (m): audio 30535 RTP/AVP 18 0 8 101
                Media Type: audio
                Media Port: 30535
                Media Proto: RTP/AVP
                Media Format: ITU-T G.729
                Media Format: ITU-T G.711 PCMU
                Media Format: ITU-T G.711 PCMA
                Media Format: 101
            Media Attribute (a): fmtp:18 annexb=no
                Media Attribute Fieldname: fmtp
                Media Format: 18
                Media format specific parameters: annexb=no
            Media Attribute (a): rtpmap:101 telephone-event/8000
                Media Attribute Fieldname: rtpmap
                Media Format: 101
                MIME Type: telephone-event
            Media Attribute (a): fmtp:101 0-15
                Media Attribute Fieldname: fmtp
                Media Format: 101 [telephone-event]
                Media format specific parameters: 0-15
Data (2 bytes)
The User-Agent values in the SIP traffic from this host are still the same two:
X-Lite release 1006e stamp 34025
eyeBeam release 1003s stamp 31159
The SIP sequence itself is properly formed.
by jyake
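
Added example (not part of the original post): a per-source INVITE rate check of the kind that would flag the flood described above, with the User-Agent values seen from each flagged source. The window and threshold values, the helper names, the 192.0.2.10 and 198.51.100.5 documentation addresses and the "ExamplePhone 1.0" agent are assumptions, and the capture is constructed sample data, not real traffic.

```python
from collections import defaultdict, deque

WINDOW_S = 10    # assumed sliding window in seconds
THRESHOLD = 20   # assumed maximum INVITEs per source within one window

def parse_sip(raw):
    """Return (method, headers) for a SIP request, or (None, {}) otherwise."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None, {}   # responses and malformed start lines are skipped
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], headers

def find_invite_floods(packets, window=WINDOW_S, threshold=THRESHOLD):
    """packets: (timestamp, src_ip, raw_sip) tuples sorted by time, where src_ip
    comes from the IP header (Via/Contact are sender-controlled).
    Returns {src_ip: {"peak": n, "user_agents": set}} for sources over threshold."""
    recent, peak, agents = defaultdict(deque), defaultdict(int), defaultdict(set)
    for ts, src, raw in packets:
        method, headers = parse_sip(raw)
        if method != "INVITE":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop INVITEs older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
        agents[src].add(headers.get("user-agent", "<none>"))
    return {s: {"peak": peak[s], "user_agents": agents[s]}
            for s in peak if peak[s] > threshold}

def make_invite(user, host, ua):
    return (f"INVITE sip:{user}@{host};transport=udp SIP/2.0\r\nMax-Forwards: 70\r\n"
            f"CSeq: 1 INVITE\r\nUser-Agent: {ua}\r\nContent-Length: 0\r\n\r\n")

def sample_capture():
    # Constructed data: 100 INVITEs in 10 s from the flooding host, 3 from a normal phone.
    uas = ["X-Lite release 1006e stamp 34025", "eyeBeam release 1003s stamp 31159"]
    flood = [(i * 0.1, "67.215.13.194",
              make_invite(f"9001{i:04d}", "198.51.100.5", uas[i % 2])) for i in range(100)]
    normal = [(i * 5.0, "192.0.2.10",
               make_invite("100", "198.51.100.5", "ExamplePhone 1.0")) for i in range(3)]
    return sorted(flood + normal, key=lambda p: p[0])

if __name__ == "__main__":
    print(find_invite_floods(sample_capture()))
```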