TL;DR HoneySIP is a SIP honeypot blacklist for use in firewalls to block SIP crawlers and brute-forcers. All IPs come from my own SIP-validating honeypots running on several servers.

A typical INVITE probe as it arrives at the honeypot (source address masked):

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 185.53.XXX.XXX:51645;branch=z9hG4bK897834916
Max-Forwards: 70
From: ;tag=802408136
To:
Call-ID: 1008218195-729624094-143XXXXXX
CSeq: 1 INVITE
Contact:
Content-Type: application/sdp
Content-Length: 211
Allow: ACK, BYE, INFO, INVITE, MESSAGE, OPTIONS, REFER, REGISTER, SUBSCRIBE, PUBLISH

v=0
o=5587292 16264 18299 IN IP4 192.168.1.8
s=call
c=IN IP4 192.168.1.8
t=0 0
m=audio 25282 RTP/AVP 0 101
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-11

The SIP Honeypot Project

I decided to put together a little honeypot script on some of my web servers across Europe. They do not use SIP or 5060/udp at all, so it does not hurt. With a few Python libraries the honeypot was adjusted and built quickly. What it does is listen for requests on 5060/udp and wait for valid SIP packets such as INVITE, REGISTER, OPTIONS and ACK. If a SIP packet is received it sends a valid SIP response with access denied and logs the incoming packet and the IP address. All in all I currently have 4 systems in 3 EU countries running this little honeypot. It is not listed anywhere, so nobody should have a reason to speak SIP to it. All those requests are logged to a central database; if an "attacker" IP tries to INVITE more than three times it is blacklisted for 30 days.
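The honeypot logic described above, as an added example written for this page rather than the author's actual script: a parser that only accepts well-formed SIP/2.0 requests, a response builder that echoes Via, From, To, Call-ID and CSeq as RFC 3261 requires, and the "more than three INVITEs in 30 days" listing rule. The 403 Forbidden status, the choice to never answer ACK (SIP does not respond to ACK), the silence towards already-listed sources, and the RFC 5737 addresses in the constructed probe are assumptions of this example, not details from the post.

```python
import hashlib
import socket
import time
from collections import defaultdict

ACCEPTED_METHODS = {"INVITE", "REGISTER", "OPTIONS", "ACK"}
LIST_WINDOW = 30 * 24 * 3600   # seconds an entry stays listed (30 days)
INVITE_THRESHOLD = 3           # listed once a source sent MORE than this many INVITEs
MANDATORY = ("via", "from", "to", "call-id", "cseq")   # RFC 3261 section 8.1.1


def parse_sip_request(data):
    """(method, request_uri, headers) for a well-formed SIP/2.0 request, else None.
    headers maps lower-case name -> list of values, so repeated Via keep their order."""
    try:
        lines = data.decode("utf-8").split("\r\n\r\n", 1)[0].split("\r\n")
    except UnicodeDecodeError:
        return None
    start = lines[0].split(" ")
    if len(start) != 3 or start[2] != "SIP/2.0" or not start[0].isalpha():
        return None
    headers = defaultdict(list)
    for line in filter(None, lines[1:]):
        if ":" not in line:
            return None                         # header without a colon: not SIP
        name, value = line.split(":", 1)
        headers[name.strip().lower()].append(value.strip())
    if any(h not in headers for h in MANDATORY):
        return None
    return start[0].upper(), start[1], dict(headers)


def build_response(headers, status="403 Forbidden"):
    """Final response per RFC 3261 section 8.2.6: Via echoed in order, From /
    Call-ID / CSeq copied, a To tag added, empty body.  403 is this example's
    choice; the post only says the honeypot answers with "access denied"."""
    to = headers["to"][0]
    if ";tag=" not in to:                       # deterministic tag from the Call-ID
        to += ";tag=" + hashlib.sha1(headers["call-id"][0].encode()).hexdigest()[:8]
    lines = ["SIP/2.0 " + status] + ["Via: " + v for v in headers["via"]]
    lines += ["From: " + headers["from"][0], "To: " + to,
              "Call-ID: " + headers["call-id"][0],
              "CSeq: " + headers["cseq"][0], "Content-Length: 0"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


class InviteTracker:
    """More than INVITE_THRESHOLD INVITEs inside the window -> listed for the
    window -> dropped again until the source hits again."""

    def __init__(self, window=LIST_WINDOW, threshold=INVITE_THRESHOLD):
        self.window, self.threshold = window, threshold
        self.hits = defaultdict(list)           # ip -> INVITE timestamps
        self.listed = {}                        # ip -> time it entered the list

    def record(self, ip, method, now):
        """Count the request; return True if ip is on the list afterwards."""
        if ip in self.listed:
            if now - self.listed[ip] < self.window:
                return True                     # still listed, nothing to count
            del self.listed[ip]                 # 30 days over: entry expires
            self.hits.pop(ip, None)
        if method != "INVITE":
            return False                        # only INVITEs count towards listing
        self.hits[ip] = [t for t in self.hits[ip] if now - t < self.window] + [now]
        if len(self.hits[ip]) > self.threshold:
            self.listed[ip] = now
        return ip in self.listed


def handle_datagram(data, addr, tracker, now=None):
    """One datagram in -> (reply bytes or None, listed flag).  Non-SIP input gets
    silence, a listed source gets silence, and ACK is never answered in SIP."""
    parsed = parse_sip_request(data)
    if parsed is None or parsed[0] not in ACCEPTED_METHODS:
        return None, False
    method, _uri, headers = parsed
    listed = tracker.record(addr[0], method, time.time() if now is None else now)
    if listed or method == "ACK":
        return None, listed
    return build_response(headers), False


# Constructed probe modelled on the captured INVITE, using RFC 5737 addresses.
SAMPLE_INVITE = (
    b"INVITE sip:100@198.51.100.7 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 203.0.113.9:51645;branch=z9hG4bK897834916\r\n"
    b"From: <sip:100@203.0.113.9>;tag=802408136\r\n"
    b"To: <sip:100@198.51.100.7>\r\n"
    b"Call-ID: 1008218195-729624094-1430000000\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n")


def serve(bind=("0.0.0.0", 5060)):
    """Bind 5060/udp and loop forever (not exercised by the tests)."""
    tracker, sock = InviteTracker(), socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, addr = sock.recvfrom(4096)
        reply, listed = handle_datagram(data, addr, tracker)
        if reply:
            sock.sendto(reply, addr)
```

serve() is all the plumbing a honeypot host needs: bind 5060/udp, feed every recvfrom() datagram and its source through handle_datagram and sendto() whatever comes back; logging the packet and source to the central database goes where the reply is sent. Two details matter for the quality of the resulting list: anything that does not parse as SIP gets no answer at all, so port scanners that poke 5060 with garbage learn nothing and never enter the counter, and a source that is already listed is ignored rather than answered.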



I implemented this blacklist in our firewall, using pfSense with pfBlockerNG and the list as a custom blocklist; in addition to the honeypots I also include the ban reports from our local, real PBX system. Since I set up this system the bogus requests to our PBX have gone down to about a dozen a day.

In the first two weeks of logging attackers the list already grew to about 250 entries. All entries are automatically removed after 30 days.

List Usage

Feel free to use those lists, but, as always with such things, without any warranty. All the IPs listed on them come only from my honeypot instances; there are no external sources and no merged third-party lists. If you would like to use the list in a commercial environment please check the Contribution part below; it would be awesome if I could get some honeypot sources around the globe. Currently my honeypots are based in central EU at different hosters.



The list is available as a GZ file or as plain TXT and can be used in any blocklist-compatible firewall.

https://tcpip.wtf/download-honeysip30d.gz
https://tcpip.wtf/download-honeysip30d.txt

If your firewall / block tool supports gzip-compressed input, please prefer the GZ file.
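A loader for the list, added here as an example and not part of the project: it accepts either the gzip or the plain download, keeps only public IPv4 addresses, drops anything inside prefixes you declare as your own, and renders nftables commands as one way to feed the result into a firewall that has no blocklist feature of its own. The embedded sample list is constructed, not a real download, and the 45.0.0.0/24 "own prefix" used with it is an assumption for the demonstration.

```python
import gzip
import ipaddress

# Constructed sample in the list's format (one IPv4 address per line); not a real download.
SAMPLE_LIST = b"""# HoneySIP 30d (constructed sample)
185.53.0.10
185.53.0.10
91.200.0.5
45.0.0.77
192.168.1.8
198.51.100.4
2001:db8::1
not-an-ip
127.0.0.1
"""
SAMPLE_LIST_GZ = gzip.compress(SAMPLE_LIST)   # what the .gz download looks like


def parse_blocklist(raw, exclude=()):
    """Return (accepted addresses as strings, sorted numerically, rejected lines).
    Accepts gzip or plain bytes.  Drops everything that is not a public IPv4
    unicast address or that falls into one of the `exclude` prefixes (your own
    ranges), so a stray line can never block your LAN, your upstream or yourself."""
    if raw[:2] == b"\x1f\x8b":                   # gzip magic
        raw = gzip.decompress(raw)
    own = [ipaddress.ip_network(p) for p in exclude]
    accepted, rejected = set(), []
    for line in raw.decode("utf-8", errors="replace").splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue                              # blank or comment-only line
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            rejected.append(line)
            continue
        if ip.version != 4 or not ip.is_global or any(ip in n for n in own):
            rejected.append(line)
            continue
        accepted.add(ip)                          # the set also removes duplicates
    return [str(a) for a in sorted(accepted)], rejected


def nft_commands(addresses, table="inet filter", setname="honeysip"):
    """nft statements that replace the set contents; pipe them into `nft -f -`
    so flush and add apply as one transaction.  Assumes the set and a rule using
    it already exist, e.g. (assumed names, not from the page):
      nft add set inet filter honeysip '{ type ipv4_addr; }'
      nft add rule inet filter input udp dport 5060 ip saddr @honeysip drop"""
    cmds = [f"flush set {table} {setname}"]
    if addresses:
        cmds.append(f"add element {table} {setname} {{ {', '.join(addresses)} }}")
    return cmds


def fetch(url="https://tcpip.wtf/download-honeysip30d.gz", timeout=20):
    """Download the list (URL as published on the page); not run by the tests."""
    from urllib.request import urlopen
    with urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # exclude= should carry your own public prefixes; the value here is an assumption.
    accepted, rejected = parse_blocklist(fetch(), exclude=["45.0.0.0/24"])
    print("\n".join(nft_commands(accepted)))
```

The rule in the docstring only drops SIP traffic from listed sources; pfBlockerNG-style deployments usually block the source entirely, which is a policy decision, not a correctness one. What is not optional is the validation: a list pulled over the network and fed straight into a firewall is a remote-controlled deny rule, so rejecting non-addresses, private and reserved ranges and your own prefixes before loading is the minimum check.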



Statistics

Development of the list over the past 30 days. As mentioned, hosts are listed at the timestamp when they exceed 3 attacks; the honeypot does not accept connections from already blocked hosts. After 30 days they are automatically removed from the list until they hit again.





Chart updated every 8h



Contribution

I would just like to ask whether it is possible to donate a small Linux shell / VPS, whatever, in your country so I can roll out more passive honeypots. The technical requirements for such a VPS are very minimal: any recent Debian with 1 core and 128 MB RAM is enough. If interested please email me (see Imprint) or contact me on any of the platforms linked in the footer.



