RTP Traffic to 220.127.116.11
Last updated: Apr 17, 2020
I was reading RIPE Labs’ very interesting post called Pollution in 1/8. The article talks about traffic being sent to the 1/8 address space, which has recently been temporarily allocated. One part of the article caught my eye:
“We found that almost 60% of the UDP packets are sent towards the IP address 18.104.22.168 on port 15206 which makes up the largest amount of packets seen by our RRC. Most of these packets start their data section with 0x80, continue with seemingly random data and are padded to 172 bytes with an (again seemingly random) 2 byte value. Some sources (http://www.proxyblind.org/trojan.shtml) list the port as being used by a trojan called “KiLo”, however information about it seem sparse.”
I think I have an answer to that. Its not a trojan. On the SIP front we’ve been seeing some INVITE scans which start an RTP stream to IP 22.214.171.124 and port 15206. In fact RTP streams start with 0x80. Enough talk, lets take a look at a sample SIP message from these INVITE scans:
INVITE sip:firstname.lastname@example.org SIP/2.0 Via: SIP/2.0/UDP 126.96.36.199:3058;branch=ca4b60ae7ba821fREPLACEDjrgrg;rport From: <sip:email@example.com>;tag=Za4b60aeREPLACED To: <sip:firstname.lastname@example.org> Contact: <sip:email@example.com> Call-ID: firstname.lastname@example.org CSeq: 102 INVITE User-Agent: Asterisk PBX Max-Forwards: 70 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY Supported: replaces Content-Type: application/sdp Content-Length: 503 v=0 o=sip 2147483647 1 IN IP4 188.8.131.52 s=sip c=IN IP4 184.108.40.206 t=0 0 m=audio 15206 RTP/AVP 10 4 3 0 8 112 5 7 18 111 101 a=rtpmap:10 L16/8000 a=rtpmap:4 G723/8000 a=fmtp:4 annexa=no a=rtpmap:3 GSM/8000 a=rtpmap:0 PCMU/8000 a=rtpmap:8 PCMA/8000 a=rtpmap:112 AAL2-G726-32/8000 a=rtpmap:5 DVI4/8000 a=rtpmap:7 LPC/8000 a=rtpmap:18 G729/8000 a=fmtp:18 annexb=no a=rtpmap:111 G726-32/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=silenceSupp:off - - - - a=ptime:20 a=sendrecv
So what does this mean? According to the article, almost 60% of the traffic being sent to 220.127.116.11 consists of these RTP streams. The majority of the traffic is sent to 18.104.22.168 and is UDP traffic, meaning that the majority of Internet traffic being sent to the 1.1.1/24 is in fact RTP traffic generated by these scans.
The impression that I’m getting is that there’s a lot of such INVITE scanning going on, and a large number of SIP entities on the Internet are responding to these scans by starting an RTP stream.
Sjur posted his analysis of this on his blog too.