SIP Tarpit Session

TRAPPED
session time: 4:37
Attacker IP: 185.220.101.47
ASN: AS204428 — known Tor exit
User-Agent: SIPVicious/0.3.4
Target DID: +1-720-555-0193
Duration: 4:37 and counting
Status: TRAPPED

Attempts logged: 1,847
Avg delay injected: 23.4s
Credential pairs harvested: 3
ASNs pushed to blocklist: 7

// session timeline

+0.000s  [attacker]  REGISTER  (inbound)
Initial registration attempt. Tool begins credential stuffing against extension 1000.
Payload:
    To: sip:+17205550193@whoscalling.io
    From: sip:admin@185.220.101.47
    User-Agent: SIPVicious/0.3.4
    Authorization: Digest username="admin"

+0.011s  [engine]  Fingerprint matched  (internal)
SIPVicious enumeration pattern confirmed. No STIR/SHAKEN identity header. ASN is a known Tor exit node. Routing to slow lane.
Payload:
    JA3: a0e9f5d64349fb13191bc781f81f42e1
    STIR/SHAKEN: none — no Identity header
    ASN: AS204428 — known Tor exit node
    Decision: route to slow lane

+0.014s  [tarpit]  100 Trying  (outbound)
Fake progress response issued. Attacker's tool is now waiting for a 401. Session clock started.
⏱ hold injected: 18 seconds

+18.02s  [tarpit]  401 Unauthorized  (outbound)
Valid-looking Digest challenge issued. Nonce will authenticate — attacker's tool will respond automatically with credentials.
Payload:
    WWW-Authenticate: Digest realm="whoscalling.io" nonce="d8e2f91a..." algorithm=MD5

+18.09s  [attacker]  REGISTER (re-auth)  (inbound)
Credential pair logged to harvest store. 3rd unique credential set this session.
Payload:
    Authorization: Digest username="1000" response="c6f4a92b..."
⏱ hold injected: 31 seconds

+49.3s  [tarpit]  200 OK  (outbound)
Registration accepted with fake 1-hour expiry. Attacker believes they are registered. No actual routing established.
Payload:
    Expires: 3600

+49.4s  [engine]  Pivot detected — toll fraud  (internal)
Attacker pivots to INVITE. Targeting UK premium number — toll fraud enumeration pattern.
Payload:
    To: sip:+442071234567@whoscalling.io (UK premium number)
    Contact: sip:1000@185.220.101.47:5060
⏱ hold injected: 47 seconds

+1:36.7s  [tarpit]  183 Session Progress  (outbound)
Fake ringback SDP issued. No media path opened. Attacker hears synthetic ring tone. Billing never starts. Loop repeats.

+4:37.1s  [engine]  Session status — still trapped  (internal)
Attacker has not disconnected. Threat intel record written. All 7 observed ASNs pushed to blocklist. Feed export queued.
Payload:
    Attacker runtime: 4 min 37 sec (active)
    UDP sends: 1,847
    Calls placed: 0
    Creds harvested: 3
    ASNs blocklisted: 7

// active threat summary
SIPVicious REGISTER flood — credential harvest via fake 401 challenge

Source 185.220.101.47 (AS204428, known Tor exit) is running SIPVicious/0.3.4 in REGISTER flood mode, attempting credential stuffing against extension 1000. The tarpit responded with a valid-looking 401 Digest challenge, harvested three credential pairs across the session, and is currently holding the attacker in a fake INVITE ringback loop — consuming their tooling runtime while all call routing remains firewalled. STIR/SHAKEN attestation absent; no Identity header present. All 7 ASNs observed across this campaign have been pushed to the blocklist.