Skip to content

Control Hub Investigation

SBC/CUBE PSTN GATEWAY ATTACK

Investigation Summary

Incident: Distributed SIP INVITE flood attack targeted London CUBE gateway, causing service degradation and failed call attempts for 45 minutes.

Detection: ThousandEyes alerted on Webex Calling quality degradation; CUBE CPU spiked to 98% processing malicious SIP packets.

Impact: 234 failed inbound calls, degraded service for London office users, CUBE resources exhausted.

Outcome: DDoS attack from botnet; implemented SIP rate limiting and carrier-level filtering.


Step 1: Detection and Service Impact

Detection Timestamp: 2026-01-26 14:32:18 UTC

Alert Source: ThousandEyes Webex Calling Test

ThousandEyes Alert: Webex Call Quality Degradation
Test: London-Office-Webex-Calling
Metric: Call Setup Time
Baseline: 1.2 seconds
Current: 18.7 seconds (15.6x increase)
MOS Score: Dropped from 4.3 to 1.8 (Poor)
Packet Loss: 23% (baseline: 0.2%)
Location: London Office

Immediate Impact Check:

CASE_ID="CASE-2026-008-SIP-DDOS"

curl -X POST https://abhavtech.service-now.com/api/now/table/incident \
  -H 'Content-Type: application/json' \
  -d '{
    "short_description": "Webex Calling Service Degradation - London",
    "description": "ThousandEyes detected call quality issues, high latency",
    "urgency": "1",
    "impact": "2",
    "category": "Performance"
  }'

## INC0012351

Step 2: CUBE Health Analysis

2.1 Check CUBE CPU and Memory:

## SSH to London CUBE
ssh admin@london-cube-01.abhavtech.com

## Check CPU utilization
London-CUBE-01# show processes cpu sorted

CPU utilization for five seconds: 98%/12%; one minute: 95%; five minutes: 87%

PID   Runtime(ms)   Invoked    uSecs    5Sec   1Min   5Min   TTY Process
142   82471947      94827393   869      87.2%  85.1%  78.3%  0   SIP Process
89    12847293      38472938   333      8.9%   7.2%   6.1%   0   IP Input
...

## SIP Process consuming 87% CPU (abnormal - baseline: 15%)

## Check memory
London-CUBE-01# show memory statistics

        Head    Total(b)    Used(b)    Free(b)   Lowest(b)  Largest(b)
Processor  8A2C4D60  2147483648  1947283648  200199000  198374920  187294872

## Memory at 90% utilization (abnormal - baseline: 45%)

2.2 Check Active Call Statistics:

## Query active calls
London-CUBE-01# show call active voice brief | include ACTIVE

Total active calls: 482

## Normal capacity: 50 channels
## Current: 482 calls (9.6x overcapacity!)

## Most calls are in "ALERTING" state (ringing but not answered)
London-CUBE-01# show call active voice brief | include ALERTING | count

Count: 467 calls in ALERTING state

## 467 calls stuck in alerting = SIP attack signature

2.3 Analyze SIP Message Rate:

## Check SIP statistics
London-CUBE-01# show sip-ua statistics

Total SIP messages received: 84729384
Total SIP messages sent: 28374928

SIP messages received (last 60 seconds):
  INVITE:     8472  # ← ABNORMAL: Should be ~10/min, seeing 8472/min
  ACK:        23
  BYE:        45
  CANCEL:     12
  REGISTER:   0
  OPTIONS:    234

## INVITE flood: 8,472 INVITEs per minute (847x normal rate)

Step 3: Capture Malicious SIP Traffic

3.1 Enable SIP Debugging:

## Enable SIP message debugging (WARNING: High CPU impact)
London-CUBE-01# debug voip ccapi inout
London-CUBE-01# debug ccsip messages

## Sample output (first 10 messages):
*Jan 26 14:33:02.123: SIP/2.0 INVITE sip:+442012345678@london-cube-01.abhavtech.com
*Jan 26 14:33:02.234: Via: SIP/2.0/UDP 114.91.XX.XXX:5060
*Jan 26 14:33:02.345: From: "Attacker" <sip:000000000@114.91.XX.XXX>
*Jan 26 14:33:02.456: To: <sip:+442012345678@london-cube-01.abhavtech.com>
*Jan 26 14:33:02.567: Call-ID: malicious-123456@114.91.XX.XXX
*Jan 26 14:33:02.678: CSeq: 1 INVITE
*Jan 26 14:33:02.789: Max-Forwards: 70
*Jan 26 14:33:02.890: User-Agent: friendly-scanner
*Jan 26 14:33:02.901: Contact: <sip:000000000@114.91.XX.XXX:5060>
*Jan 26 14:33:02.912: Content-Length: 0

## Disable debugging (too much output)
London-CUBE-01# no debug all

3.2 Capture SIP Packets via SPAN:

## Configure SPAN on switch connected to CUBE WAN interface
ssh admin@london-wan-sw01.abhavtech.com

London-WAN-SW01# config t
London-WAN-SW01(config)# monitor session 1 source interface Gi1/0/1
London-WAN-SW01(config)# monitor session 1 destination interface Gi1/0/48
London-WAN-SW01(config)# monitor session 1 filter ip
London-WAN-SW01(config)# end

## On forensics workstation, capture SIP traffic
sudo tcpdump -i eth0 -w /tmp/sip-attack.pcap \
  'port 5060 or port 5061' \
  -G 300 -W 1

## After 5 minutes...
sudo mv /tmp/sip-attack.pcap \
  /mnt/evidence_vault/EVD-20260126-001-sip-attack.pcap

## File size: 4.2 GB (massive INVITE flood)

## Register on blockchain
sha256sum /mnt/evidence_vault/EVD-20260126-001-sip-attack.pcap
## b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4

peer chaincode invoke -n evidence-contract -C evidence-channel \
  -c '{"Args":["CollectEvidence","EVD-20260126-001","CASE-2026-008-SIP-DDOS",...]}'

3.3 Analyze Attack Pattern with Wireshark:

## Open in Wireshark
wireshark /mnt/evidence_vault/EVD-20260126-001-sip-attack.pcap &

## Apply SIP filter
## sip.Method == "INVITE"

## Statistics → Conversations → IPv4
## Top 10 source IPs:

IP Address       Packets    Bytes        Comment
114.91.XX.XXX     487293     2847382947   Bot #1
121.58.XX.XXX    398472     1847293847   Bot #2
122.67.XX.XXX     287493     1283749283   Bot #3
116.73.XX.XXX     234729     982374928    Bot #4
...

## 234 unique source IPs (botnet)
## All sending INVITE floods to same destination: +442012345678

## Extract unique source IPs
tshark -r /mnt/evidence_vault/EVD-20260126-001-sip-attack.pcap \
  -Y "sip.Method == INVITE" \
  -T fields -e ip.src \
  | sort | uniq > /mnt/evidence_vault/EVD-20260126-002-attacker-ips.txt

wc -l /mnt/evidence_vault/EVD-20260126-002-attacker-ips.txt
## 234 unique attacker IPs

Step 4: Identify Attack Characteristics

4.1 Analyze INVITE Messages:

## Extract INVITE details with tshark
tshark -r /mnt/evidence_vault/EVD-20260126-001-sip-attack.pcap \
  -Y "sip.Method == INVITE" \
  -T fields \
  -e frame.time \
  -e ip.src \
  -e sip.from.user \
  -e sip.to.user \
  -e sip.User-Agent \
  -E header=y \
  > /mnt/evidence_vault/EVD-20260126-003-invite-analysis.csv

## Sample output:
frame.time,ip.src,sip.from.user,sip.to.user,sip.User-Agent
2026-01-26 14:32:18,114.91.XX.XXX,000000000,+442012345678,friendly-scanner
2026-01-26 14:32:18,121.58.XX.XXX,000000000,+442012345678,friendly-scanner
2026-01-26 14:32:18,122.67.XX.XXX,111111111,+442012345678,friendly-scanner
2026-01-26 14:32:18,116.73.XX.XXX,222222222,+442012345678,sipvicious

## Characteristics:
## - User-Agent: "friendly-scanner" or "sipvicious" (attack tools)
## - From: Sequential numbers (000000000, 111111111, 222222222)
## - To: All targeting same number (+442012345678)
## - Call-ID: Random/malicious patterns
## - No SDP (Session Description Protocol) body - incomplete INVITEs

4.2 Calculate Attack Rate:

## Calculate INVITEs per second
import pandas as pd
from datetime import datetime

## Load CSV
df = pd.read_csv('/mnt/evidence_vault/EVD-20260126-003-invite-analysis.csv')
df['timestamp'] = pd.to_datetime(df['frame.time'])

## Group by second
invites_per_second = df.groupby(df['timestamp'].dt.floor('S')).size()

print(f"Average INVITEs/second: {invites_per_second.mean():.1f}")
print(f"Peak INVITEs/second: {invites_per_second.max()}")
print(f"Attack duration: {(df['timestamp'].max() - df['timestamp'].min()).seconds / 60:.1f} minutes")

## Output:
## Average INVITEs/second: 141.2
## Peak INVITEs/second: 287
## Attack duration: 45.3 minutes

Step 5: Identify Target and Motivation

5.1 Check Targeted Number:

## All attacks target: +442012345678
## Lookup in Webex Control Hub

curl -X GET "https://webexapis.com/v1/people?callingData=true&displayName=+442012345678" \
  -H "Authorization: Bearer $WEBEX_TOKEN"

## Output:
{
  "items": [
    {
      "id": "Y2lzY29zcGFyazovL3VzL1BFT1BMRS8xMjM0NQ",
      "displayName": "CEO Office - Reception",
      "phoneNumbers": [
        {
          "type": "work",
          "value": "+442012345678"
        }
      ],
      "locationId": "london-office-id"
    }
  ]
}

## Target: CEO office reception line

5.2 Determine Attack Goal:

  • Disruption: Prevent legitimate calls from reaching CEO office
  • Reconnaissance: Test CUBE capacity and security controls
  • Ransom: Precursor to extortion demand (call off attack for payment)

No ransom demand received, likely just disruption/testing


Step 6: Check Carrier Filtering

6.1 Query Carrier (Verizon) for Filtering:

## Contact Verizon SOC
## Phone call to carrier NOC: 2026-01-26 14:50:00

## Verizon Response:
## - Detected abnormal SIP traffic to customer trunk
## - No filtering applied (customer responsible for DDoS mitigation)
## - Offered to enable carrier-level SIP firewall ($500/month)

## Carrier did NOT filter attack traffic

Step 7: Immediate Mitigation

7.1 Implement CUBE Rate Limiting:

## SSH to London CUBE
ssh admin@london-cube-01.abhavtech.com

## Configure SIP rate limiting
London-CUBE-01# config t
London-CUBE-01(config)# voice service voip
London-CUBE-01(config-voi-serv)# ip address trusted list
London-CUBE-01(config-voi-serv-trunk)# ipv4 198.51.100.0 255.255.255.0  # Verizon SIP proxy range
London-CUBE-01(config-voi-serv-trunk)# exit

## Reject SIP from untrusted sources
London-CUBE-01(config-voi-serv)# sip
London-CUBE-01(config-voi-sip)# midcall-signaling passthru
London-CUBE-01(config-voi-sip)# early-offer forced
London-CUBE-01(config-voi-sip)# g729 annexb-all
London-CUBE-01(config-voi-sip)# options-keepalive
London-CUBE-01(config-voi-sip)# asymmetric payload full

## Rate limit per source IP
London-CUBE-01(config-voi-sip)# call threshold interface 1000  # Max 1000 concurrent per interface
London-CUBE-01(config-voi-sip)# max-forwards 10

## Block known attack User-Agents
London-CUBE-01(config-voi-sip)# early-offer forced
London-CUBE-01(config-voi-sip)# midcall-signaling passthru

## Exit and save
London-CUBE-01(config-voi-sip)# end
London-CUBE-01# write mem

## Rate limiting configured

7.2 Deploy Firewall Rules:

## Add FTD firewall rules to block attacker IPs
for IP in $(cat /mnt/evidence_vault/EVD-20260126-002-attacker-ips.txt | head -50); do
  echo "Blocking IP: $IP"

  curl -k -X POST \
    "https://fmc.abhavtech.com/api/fmc_platform/v1/domain/default/policy/accesspolicies/<policy-id>/accessrules" \
    -H "X-auth-access-token: $FMC_TOKEN" \
    -d "{
      \"action\": \"BLOCK\",
      \"enabled\": true,
      \"name\": \"Block-SIP-Attack-$IP\",
      \"sourceNetworks\": {\"objects\": [{\"type\": \"Host\", \"value\": \"$IP\"}]},
      \"destinationPorts\": {\"objects\": [{\"type\": \"ProtocolPortObject\", \"protocol\": \"UDP\", \"port\": \"5060\"}]}
    }"
done

## Deploy policy
curl -k -X POST \
  "https://fmc.abhavtech.com/api/fmc_platform/v1/domain/default/deployment/deployabledevices" \
  -H "X-auth-access-token: $FMC_TOKEN"

## Top 50 attacker IPs blocked on firewall

7.3 Monitor Mitigation Effectiveness:

## Wait 5 minutes, check CUBE CPU
ssh admin@london-cube-01.abhavtech.com "show processes cpu sorted | include SIP"

## Output:
PID   5Sec   1Min   5Min   Process
142   12.3%  15.2%  24.1%  SIP Process

## CPU normalized (87% → 12%)

## Check active calls
ssh admin@london-cube-01.abhavtech.com "show call active voice brief | count"

## Output: 47 calls (normal)

## Attack mitigated successfully

Step 8: Long-Term Hardening

8.1 Deploy SIP Application Firewall:

## Configure CUBE with SIP inspection
London-CUBE-01# config t
London-CUBE-01(config)# class-map type inspect sip match-all SIP-INSPECTION
London-CUBE-01(config-cmap)# match protocol sip

London-CUBE-01(config)# policy-map type inspect sip SIP-POLICY
London-CUBE-01(config-pmap)# class SIP-INSPECTION
London-CUBE-01(config-pmap-c)# inspect
London-CUBE-01(config-pmap-c)# drop log  # Drop and log violations

## Apply to interface
London-CUBE-01(config)# interface GigabitEthernet0/0/0  # WAN interface
London-CUBE-01(config-if)# service-policy type inspect input SIP-POLICY
London-CUBE-01(config-if)# end
London-CUBE-01# write mem

8.2 Enable Carrier-Level DDoS Protection:

## Contact Verizon to enable SIP firewall service
## Cost: $500/month
## Features:
## - Rate limiting (configurable thresholds)
## - Geoblocking (block traffic from specific countries)
## - User-Agent filtering
## - SIP message validation
## - Real-time attack mitigation

## Enabled for London and all other PSTN gateways

Step 9: Forensics Report

report = {
    "case_id": "CASE-2026-008-SIP-DDOS",
    "incident_type": "SIP INVITE Flood - CUBE DDoS Attack",
    "incident_date": "2026-01-26",

    "executive_summary": """
    Distributed SIP INVITE flood attack targeted London CUBE gateway on
    2026-01-26 from 14:32 to 15:17 UTC (45 minutes). Botnet of 234 unique
    IP addresses sent 42,360 malicious SIP INVITE messages (average 141/sec,
    peak 287/sec), exhausting CUBE resources and causing service degradation.

    Impact: 234 failed inbound calls, CUBE CPU at 98%, degraded call quality
    for all London users (MOS score dropped from 4.3 to 1.8).

    Mitigation: Deployed CUBE rate limiting, blocked top attacker IPs on
    firewall, enabled carrier SIP filtering. Attack stopped within 15 minutes
    of mitigation deployment.

    Root Cause: No SIP rate limiting configured on CUBE, no carrier-level
    DDoS protection active.

    Long-term: Enabled carrier SIP firewall ($500/mo), deployed SIP application
    inspection, implemented real-time monitoring.
    """,

    "recommendations": [
        "Enable carrier DDoS protection on all PSTN gateways",
        "Deploy SIP application-level firewalling",
        "Implement geo-blocking for high-risk countries",
        "Create ThousandEyes alerts for call quality degradation",
        "Configure automatic CUBE rate limiting",
        "Establish SIP baseline monitoring in Splunk"
    ]
}