Registration Removal
Registration removal attack is a signal manipulation attack. This attack will deregister a user on the network and will have as an effect that the user will no longer recieve messages from the SIP proxy.
Low level
By sending a custom made REGISTER request with the fields Contact and Expires The contact header is the actual adress taht the registrant is listening on for incomming calls. Expiration indicates how long it takes to expire.
To remove a registration the attacker sends a modified header with the contact set to * and the expiration set to 0. This will unregister the user that requested the message. Ofcourse its possible to spoof messages.
Perform
Send a crafted SIP packet with the following headers
Contact: *
Expire: 0
Mitigation
It is possible to mitigate the attack by monitoring for the headers in the request.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.