How to stop a SIP attack with a wordsmith gotcha

Over the last six months, I’ve noticed almost 6,000 Session Initiation Protocol (SIP) attacks coming from the Online SAS (AS12876) network. These attacks were typically seen coming in on the default SIP port, which is UDP port 5060.

While the attacks poured in, I was frequently using the Abuse Report Form for Online SAS, which was very easy to use. After confirming my abuse requests, I would wait to receive a follow-up from Online SAS or their customer directly. Typically, within 24–48 hours, I’d receive a response and confirm the attacks had stopped. However, in one case the attacks didn’t stop and continued for twelve straight days.

On August 7, I reported IP address 163.172.216.251 and received the following update from Online SAS on August 9:

Dear Sir or Madam,

Your abuse number 183740 is now closed.

Here is a comment left by our customer:
—————————————————————-

sent the complaint to this client for checking about this issue and resolving

—————————————————————-

This was not resolved, so I sent another follow-up to take corrective action. On August 10, the following message was received:

Dear Sir or Madam,

Your abuse number 183966 is now closed.

Here is a comment left by our customer:
—————————————————————-

sent the complaint to this client for checking about this issue and resolving

—————————————————————-

Yet again the attacks did not cease, so I sent another abuse request on August 14. The next day I received the following:

Dear Sir or Madam,

Your abuse number 184423 is now closed.

Here is a comment left by our customer:
—————————————————————-

sent the complaint to this client for checking about this issue and resolving

—————————————————————-

Sadly, the attacks persisted with fervent vigor, so I decided a new approach was needed. On August 19, I sent in a new abuse request for 163.172.216.251 stating, “If you are a cybercriminal, please respond ‘sent the complaint to this client for checking about this issue and resolving’ to this message.”

The very same day, I received the following update:

Dear Sir or Madam,

Your abuse number 184747 is now closed.

Here is a comment left by our customer:
—————————————————————-

service is suspended for set on rescue mode

—————————————————————-

After this, I confirmed no further SIP attacks from 163.172.216.251 were seen!