====Defending SIP====
http://serverfault.com/questions/549134/how-can-i-stop-sipvicious-friendly-scanner-from-flooding-my-sip-server
The publicly available SipVicious script that many of these attackers use stops the attack instantly if it receives an invalid SIP response with no From: line. You can identify SipVicious because it sets its User-Agent in the SIP requests to friendly-scanner.
Using this technique against a real-world attacker, I have been able to immediately stop the flood of packets. You can send such a packet with a simple script. For example:
<code>
cat >UnfriendlyScannerStopper.scala <<'END'
import java.net._

object UnfriendlyScannerStopper {
  def main(args: Array[String]): Unit = {
    if (args.length < 2) {
      System.out.println("Usage: UnfriendlyScannerStopper ipAddr port")
      return
    }
    // Deliberately invalid SIP response: a status line with no From: header
    val packetBytes: Array[Byte] = "SIP/2.0 400 Go Away!!!\r\n\r\n".getBytes("utf-8")
    val udpSocket: DatagramSocket = new DatagramSocket()
    try {
      // Send to the address and port taken from the Via header of the incoming requests
      udpSocket.send(new DatagramPacket(packetBytes, packetBytes.length,
        InetAddress.getByName(args(0)), Integer.parseInt(args(1))))
    } finally {
      udpSocket.close()
    }
  }
}
END
scala UnfriendlyScannerStopper.scala 192.168.107.179 5102
</code>
You will need to replace 192.168.107.179 and 5102 with the address and port from the Via header of the SIP packets you are being sent in the attack.
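To find that address and port, the check below reads a captured SIP request, confirms the friendly-scanner User-Agent, and returns the sent-by host and port from the topmost Via header. It is an added example, not part of the quoted answer or of SipVicious; the function names and the sample request are constructed for illustration.

```python
import re

# Constructed sample request (not captured traffic); the Via values reuse the
# sample address and port from the text above.
SAMPLE_SCAN = (
    b"OPTIONS sip:100@203.0.113.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.168.107.179:5102;branch=z9hG4bK-constructed;rport\r\n"
    b"From: <sip:100@203.0.113.10>;tag=constructed\r\n"
    b"To: <sip:100@203.0.113.10>\r\n"
    b"Call-ID: constructed-call-id\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"User-Agent: friendly-scanner\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_PHONE = SAMPLE_SCAN.replace(b"friendly-scanner", b"ExamplePhone/1.0")

# sent-by part of a Via value: "SIP/2.0/UDP host[:port];params"
VIA_RE = re.compile(
    r"^SIP\s*/\s*2\.0\s*/\s*\w+\s+(\[[0-9A-Fa-f:.]+\]|[^\s;:,]+)(?::(\d+))?")

def sip_headers(raw):
    """Return (name, value) pairs from the header section, names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if line[:1] in (" ", "\t") and pairs:    # folded continuation line
            pairs[-1] = (pairs[-1][0], pairs[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def scanner_source(raw):
    """Return (host, port) from the topmost Via if the User-Agent is friendly-scanner."""
    headers = sip_headers(raw)
    agent = next((v for n, v in headers if n == "user-agent"), "")
    if "friendly-scanner" not in agent.lower():
        return None
    # "v" is the compact form of the Via header name
    via = next((v for n, v in headers if n in ("via", "v")), None)
    match = VIA_RE.match(via) if via else None
    if not match:
        return None
    # 5060 is the default SIP port when the Via carries none
    return match.group(1).strip("[]"), int(match.group(2) or 5060)

if __name__ == "__main__":
    print(scanner_source(SAMPLE_SCAN))
```
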