Unauthorized SIP Calls from 67.215.13.194, Continued
Published: 2009/02/25
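This is a follow-up to "Unauthorized SIP Calls from 67.215.13.194". Since around 9 o'clock this morning they have been occurring in large numbers over a wide range. It is an INVITE flood, and it has been going on for about an hour.
For now, here is what one of the packets looks like in detail, although it is long.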
Session Initiation Protocol
    Request-Line: INVITE sip:9001963112326111#@x.x.x.x;transport=udp SIP/2.0
        Method: INVITE
        [Resent Packet: False]
    Message Header
        Via: SIP/2.0/UDP 67.215.13.194:4003;branch=1011011111100010010100000111110067.215.13.194x.x.x.x2120661505;rport
            Transport: UDP
            Sent-by Address: 67.215.13.194
            Sent-by port: 4003
            Branch: 1011011111100010010100000111110067.215.13.194x.x.x.x2120661505
            RPort: rport
        Max-Forwards: 70
        From: <sip:1725752941@x.x.x.x>;tag=1126636365-1886873951126636365112663636567.215.13.194
            SIP from address: sip:1725752941@x.x.x.x
            SIP tag: 1126636365-1886873951126636365112663636567.215.13.194
        To: <sip:9001963112326111#@x.x.x.x>
            SIP to address: sip:9001963112326111#@x.x.x.x
        Call-ID: ae87138710010101101100111100111101011011011111100010010100000111110067.215.13.194x.x.x.x2120661505b112099001963112326111#1126636365-1886873951126636365112663636567.215.13.1941137958878
        CSeq: 1 INVITE
            Sequence Number: 1
            Method: INVITE
        Contact: <sip:b11209@67.215.13.194:4003;transport=udp>
            Contact Binding: <sip:b11209@67.215.13.194:4003;transport=udp>
                URI: <sip:b11209@67.215.13.194:4003;transport=udp>
                    SIP contact address: sip:b11209@67.215.13.194:4003
        Content-Type: application/sdp
        Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
        User-Agent: eyeBeam release 1003s stamp 31159
        Content-Length: 212
    Message body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): - 16264 18299 IN IP4 x.x.x.x
                Owner Username: -
                Session ID: 16264
                Session Version: 18299
                Owner Network Type: IN
                Owner Address Type: IP4
                Owner Address: x.x.x.x
            Session Name (s): CounterPath eyeBeam 1.5
            Connection Information (c): IN IP4 x.x.x.x
                Connection Network Type: IN
                Connection Address Type: IP4
                Connection Address: x.x.x.x
            Time Description, active time (t): 0 0
                Session Start Time: 0
                Session Stop Time: 0
            Media Description, name and address (m): audio 30535 RTP/AVP 18 0 8 101
                Media Type: audio
                Media Port: 30535
                Media Proto: RTP/AVP
                Media Format: ITU-T G.729
                Media Format: ITU-T G.711 PCMU
                Media Format: ITU-T G.711 PCMA
                Media Format: 101
            Media Attribute (a): fmtp:18 annexb=no
                Media Attribute Fieldname: fmtp
                Media Format: 18
                Media format specific parameters: annexb=no
            Media Attribute (a): rtpmap:101 telephone-event/8000
                Media Attribute Fieldname: rtpmap
                Media Format: 101
                MIME Type: telephone-event
            Media Attribute (a): fmtp:101 0-15
                Media Attribute Fieldname: fmtp
                Media Format: 101 [telephone-event]
                Media format specific parameters: 0-15
Data (2 bytes)
The User-Agent on SIP traffic from this host is, as before, one of these two:
X-Lite release 1006e stamp 34025
eyeBeam release 1003s stamp 31159
The SIP sequence itself is well-formed.
by jyake
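
The following is an added example, not part of the original post: a sliding-window counter that flags an INVITE flood like the one described above and records which User-Agent strings the flooding source presents. The window and threshold values, the 192.0.2.10 peer, the "ExamplePhone 1.0" agent and all timestamps are assumptions made for the example; the sample requests are constructed and trimmed to the headers the detector reads.

```python
import re
from collections import defaultdict, deque

def parse_request(raw):
    """Return (method, user_agent) of a SIP request, or None if it is not one."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"([A-Z]+) \S+ SIP/2\.0$", lines[0])
    if not m:
        return None  # a response ("SIP/2.0 200 OK") or non-SIP data
    user_agent = ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            user_agent = value.strip()
    return m.group(1), user_agent

def detect_invite_flood(packets, window=10.0, threshold=10):
    """packets: iterable of (time_s, source_ip, raw_sip). Keyed on the packet's
    source IP, since Via and Contact are chosen by the sender.
    Returns {source_ip: {"peak": max INVITEs in any window, "user_agents": set}}
    for every source that exceeded `threshold` INVITEs within `window` seconds."""
    recent = defaultdict(deque)   # source -> INVITE timestamps inside the window
    agents = defaultdict(set)     # source -> User-Agent strings seen on INVITEs
    peak = defaultdict(int)
    for ts, src, raw in sorted(packets, key=lambda p: p[0]):
        parsed = parse_request(raw)
        if parsed is None or parsed[0] != "INVITE":
            continue
        agents[src].add(parsed[1])
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:   # drop timestamps that left the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {s: {"peak": peak[s], "user_agents": agents[s]}
            for s in peak if peak[s] > threshold}

def build_sample():
    """Constructed traffic: 60 INVITEs in 30 s from the address in the capture,
    plus a quiet peer (192.0.2.10, documentation range) for contrast."""
    def req(method, ua, n):
        return (f"{method} sip:{n}@x.x.x.x;transport=udp SIP/2.0\r\n"
                f"CSeq: 1 {method}\r\nUser-Agent: {ua}\r\nContent-Length: 0\r\n\r\n")
    uas = ["X-Lite release 1006e stamp 34025", "eyeBeam release 1003s stamp 31159"]
    pkts = [(i * 0.5, "67.215.13.194", req("INVITE", uas[i % 2], i)) for i in range(60)]
    pkts += [(t, "192.0.2.10", req("INVITE", "ExamplePhone 1.0", t)) for t in (1, 12, 25)]
    pkts.append((5, "192.0.2.10", req("OPTIONS", "ExamplePhone 1.0", 0)))
    return pkts

if __name__ == "__main__":
    for src, info in detect_invite_flood(build_sample()).items():
        print(src, info["peak"], sorted(info["user_agents"]))
```

Because the requests in the capture are well-formed and carry softphone User-Agent strings, the per-source rate is the signal here; the User-Agent set is reported for context only, since the sender can set it to anything.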