
Executive Summary

Over an 18-day window, a single Internet-facing SIP service recorded 15,183,358 telemetry events — roughly 3,787,791 distinct SIP requests — from 323 unique source addresses. The traffic was not random noise. It was a sustained, automated assault on the telephony layer, dominated by industrial-scale credential theft and a parallel stream of international toll-fraud call attempts.

Two activities account for almost all of the intent-bearing traffic. The first is SIP registration brute force at industrial scale: 1,869,521 authentication attempts carrying full Digest credentials, spread across 29,433 distinct extension identities. The second is toll fraud: 89,465 call-setup (INVITE) attempts, overwhelmingly aimed at United Kingdom revenue-share number ranges and executed through mechanical dial-plan probing. A smaller but strategically important slice of traffic replays authentication challenges harvested from other, real PBX systems — evidence that this sensor sits inside a much larger credential-harvesting economy.

Because the captured authentication material is complete, the actual plaintext password behind 96.09% of all 1,869,521 credential attempts could be determined: SIP Digest authentication is an unsalted MD5 construction, and every input to it except the password (username, realm, nonce, request URI, method) is present in the logged Authorization header, so each captured response can be recomputed offline against a candidate list. The result is a recovered dictionary of 277,632 unique passwords and 1,499,846 unique extension/password pairs, a direct, unobstructed view into the wordlist an active VoIP-fraud operation is spraying across the Internet today.
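The recovery step described above, as an added illustration that is not code from the report: it parses a captured REGISTER, pulls the Digest parameters out of its Authorization header, and walks a wordlist recomputing the MD5 response until one matches. The REGISTER message, extension, realm, nonce and wordlist are constructed for the example; the hash construction is the standard one (RFC 2617 Digest as used by SIP), including the qop=auth variant that adds nc and cnonce.

```python
"""Recover plaintext passwords from captured SIP Digest credentials (added example)."""
import hashlib
import re
from typing import Dict, Iterable, Optional, Tuple


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def digest_response(user: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, qop: str = "", nc: str = "",
                    cnonce: str = "") -> str:
    """Compute the Digest 'response' field (MD5, with or without qop=auth)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(value: str) -> Dict[str, str]:
    """Parse 'Digest k="v", k2=v2, ...' into a dict of lowercase parameter names."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"unsupported auth scheme: {scheme}")
    out: Dict[str, str] = {}
    for m in _PARAM.finditer(params):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def parse_request(msg: str) -> Tuple[str, Dict[str, str]]:
    """Split a SIP request into (method, headers); header names are lowercased."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return method, headers


def crack_digest(method: str, auth: Dict[str, str],
                 wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry whose Digest response matches, else None.

    Every hash input except the password is in the captured header, so each
    guess costs three MD5 operations and no traffic to the target.
    """
    qop = auth.get("qop", "")
    for candidate in wordlist:
        got = digest_response(auth["username"], auth["realm"], candidate,
                              method, auth["uri"], auth["nonce"], qop,
                              auth.get("nc", ""), auth.get("cnonce", ""))
        if got == auth["response"]:
            return candidate
    return None


def build_register(ext: str, realm: str, password: str, nonce: str) -> str:
    """Constructed attacker-side REGISTER carrying a valid Digest for 'password'."""
    uri = "sip:10.0.0.5"
    resp = digest_response(ext, realm, password, "REGISTER", uri, nonce)
    return (
        f"REGISTER {uri} SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-1\r\n"
        f"From: <sip:{ext}@10.0.0.5>;tag=1a2b\r\n"
        f"To: <sip:{ext}@10.0.0.5>\r\n"
        "Call-ID: 7f3c@203.0.113.7\r\n"
        "CSeq: 2 REGISTER\r\n"
        "User-Agent: FPBX-15.0.16(16.17.0)\r\n"
        f'Authorization: Digest username="{ext}", realm="{realm}", '
        f'nonce="{nonce}", uri="{uri}", response="{resp}", algorithm=MD5\r\n'
        "Content-Length: 0\r\n\r\n"
    )


# Constructed honeypot view: the sensor issued this nonce and logged the reply;
# the wordlist stands in for the recovered dictionary. Nothing here is real data.
NONCE = "5f3a9c2e1b7d"
WORDLIST = ["1234", "password", "1001", "Voip@2023", "Extension2024!", "admin123"]
CAPTURED = build_register("1001", "asterisk", "Extension2024!", NONCE)


def recover_from_capture(msg: str = CAPTURED,
                         wordlist: Iterable[str] = WORDLIST) -> Optional[str]:
    """Parse a logged REGISTER and return its password if it is in the wordlist."""
    method, headers = parse_request(msg)
    return crack_digest(method, parse_authorization(headers["authorization"]), wordlist)


if __name__ == "__main__":
    print(recover_from_capture())
```

The same routine recovers passwords from the replayed challenges mentioned above, because the foreign nonce travels inside the Authorization header too; the remaining few percent that resist recovery are simply the guesses not present in the candidate list, not a limitation of the construction.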

Figure 1. Daily SIP event volume. A concentrated high-tempo campaign on 8–12 May dwarfs the surrounding baseline.

Key Judgments

  • The dominant threat is credential harvesting, not opportunistic guessing. A handful of hosts sprayed a curated dictionary of 277,632 passwords — weighted toward medium- and high-complexity strings, not just 1234 — against every common PBX extension number.
  • Toll fraud is targeted and revenue-driven. 47,273 of 89,465 call attempts targeted UK numbers, concentrated on a small set of rural and Northern Ireland ranges consistent with International Revenue Share Fraud (IRSF).
  • The attack infrastructure is cheap, European, and highly concentrated. A single hosting network (OVH, AS16276) originated 6,559,589 events; one /24 (15.204.157.0/24) produced 5,178,084 on its own.
  • The sources are known-bad and server-hosted, not victims' home connections. Cross-referenced against third-party IP intelligence, 93.5% of attacker addresses already appear on a known-abuser list and 99.8% of source-attributed traffic originated from datacenter/hosting ranges.
  • Operations run around the clock and rotate identity, not behavior. Tooling impersonates FreePBX, Cisco, Polycom and Avaya user agents, yet leaves stable signatures — most notably a hardcoded registration Contact of sip:[email protected] present in 3,396,685 registration requests.
  • The honeypot never granted access. Every authentication was rejected; the value here is intelligence — adversary wordlists, target numbers, tooling, and infrastructure — not breach impact.
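One way to surface the "rotate identity, not behavior" pattern in the fifth judgment, as an added example rather than the report's own analysis: group REGISTER requests by their Contact header instead of by User-Agent, and flag any Contact that is shared across several claimed software identities or that does not reflect the source address it came from. The events and the Contact value below are constructed placeholders, not the signature observed by the sensor.

```python
"""Cluster REGISTER traffic by fixed tool signature rather than User-Agent (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[str, str, str]  # (source IP, User-Agent, Contact)

# Constructed events: one tool cycling through four vendor User-Agents while
# keeping one hardcoded Contact, beside two ordinary softphone registrations.
EVENTS: List[Event] = [
    ("198.51.100.10", "FPBX-15.0.16(16.17.0)", "<sip:100@192.0.2.1>"),
    ("198.51.100.10", "Cisco-CP7960G/8.0", "<sip:100@192.0.2.1>"),
    ("198.51.100.11", "PolycomVVX-VVX_411-UA/5.9.0", "<sip:100@192.0.2.1>"),
    ("198.51.100.12", "Avaya IP Phone 1140E", "<sip:100@192.0.2.1>"),
    ("203.0.113.40", "Linphone/4.4", "<sip:2001@203.0.113.40:5060>"),
    ("203.0.113.41", "Zoiper v2.10", "<sip:2002@203.0.113.41:5060>"),
]

_HOST = re.compile(r"sips?:(?:[^@>;]*@)?([^:;>]+)")


def contact_host(contact: str) -> str:
    """Extract the host part of a Contact URI such as <sip:user@host:port;params>."""
    m = _HOST.search(contact)
    return m.group(1) if m else ""


def signature_clusters(events: List[Event], min_agents: int = 3) -> Dict[str, dict]:
    """Return {contact: {'agents', 'sources', 'count'}} for every Contact that
    appears with at least min_agents distinct User-Agents.

    A genuine endpoint registers with one software identity; one Contact
    shared by many User-Agents is the footprint of a single tool rotating
    the identity it claims.
    """
    agents = defaultdict(set)
    sources = defaultdict(set)
    counts: Dict[str, int] = defaultdict(int)
    for src, ua, contact in events:
        agents[contact].add(ua)
        sources[contact].add(src)
        counts[contact] += 1
    return {
        c: {"agents": sorted(agents[c]), "sources": sorted(sources[c]), "count": n}
        for c, n in counts.items() if len(agents[c]) >= min_agents
    }


def contact_mismatches(events: List[Event]) -> List[Event]:
    """Events whose Contact host is not the address the request arrived from.

    Endpoints behind NAT legitimately trigger this, so it is a corroborating
    signal for the cluster above, not a stand-alone block rule.
    """
    return [e for e in events if contact_host(e[2]) != e[0]]


if __name__ == "__main__":
    for contact, info in signature_clusters(EVENTS).items():
        print(f"{contact}: {info['count']} requests, "
              f"{len(info['agents'])} user agents from {len(info['sources'])} sources")
```

Run against the real sensor's REGISTER log the grouping inverts the attacker's evasion: the User-Agent becomes noise and the Contact becomes the cluster key, which is also the field a network defender can match on without caring which vendor string the tool picks next.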


Vikas Kundu
A naturally curious mind driven by the need to understand how things work and how to make them better. Passionate about learning, experimenting, and exploring new ideas across technology and security.
