
nanog mailing list archives
SIP - perhaps botnet? anyone else seeing this?
From: "Leland E. Vandervort" <leland () taranta discpro org>
Date: Fri, 10 Apr 2009 08:45:46 +0000 (GMT)
Hi All,

Over the past couple of days we have been seeing an exponential increase (about 200-fold) in the amount of UDP SIP Control traffic in our netflow data. The past 24 hours, for example, has shown a total of nearly 300 GB of this traffic incoming and over 400 GB outgoing -- this despite the fact that we do not host any SIP services ourselves, and currently, to my knowledge, we have no hosting customers running any kind of SIP services. (Total RTP traffic for 24 hours is only in the region of 150 Kb -- so a vast imbalance between control and RTP.)

The local sources/destinations of the traffic are within our hosting space, but are spread across a wide range of hosts (i.e. nothing really related to a single or handful of hosts).

Additionally, over the past couple of days we have seen an increase of mails to our abuse desk for "brute force" attempts against a number of SIP services... possibly directly related to this traffic.

Is anyone aware of a new variant or modus operandi of botnets in circulation in the past couple of days which attempt to exploit SIP services? Has anyone else noticed a significant increase in this kind of traffic?

Thanks
Leland
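The control-versus-RTP imbalance described in the message above can be checked per local host from exported flow records. This is an added example, not part of the original post: the CSV layout, the 192.0.2.0/24 local range, the RTP port range and the thresholds are assumptions, and the sample flows are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

SIP_PORT = 5060                    # assumption: SIP signalling on the standard UDP port
RTP_PORTS = range(10000, 20001)    # assumption: media port range, site-specific
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumption: hosting space

# Constructed flow records using documentation addresses, not real data.
SAMPLE_FLOWS = """\
src,dst,proto,sport,dport,bytes
198.51.100.7,192.0.2.10,udp,5060,5060,48000000
192.0.2.10,198.51.100.7,udp,5060,5060,64000000
198.51.100.7,192.0.2.10,tcp,40000,5060,9000000
203.0.113.9,192.0.2.11,udp,5071,5060,30000000
203.0.113.9,192.0.2.11,udp,12000,12002,1500
198.51.100.50,192.0.2.20,udp,5060,5060,2000000
198.51.100.50,192.0.2.20,udp,14000,14010,90000000
203.0.113.9,192.0.2.30,udp,5060,5060,20000
"""

def sip_imbalance(flow_csv, min_sip_bytes=1_000_000, max_rtp_ratio=0.01):
    """Return {local_host: (sip_bytes, rtp_bytes)} for hosts whose UDP SIP
    control volume is large while RTP is at most max_rtp_ratio of it."""
    sip = defaultdict(int)
    rtp = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp":
            continue  # the report concerns UDP SIP control traffic only
        ports = {int(row["sport"]), int(row["dport"])}
        size = int(row["bytes"])
        for ip in (row["src"], row["dst"]):
            if ipaddress.ip_address(ip) not in LOCAL_NET:
                continue  # account traffic to the local endpoint only
            if SIP_PORT in ports:
                sip[ip] += size
            elif any(p in RTP_PORTS for p in ports):
                rtp[ip] += size
    return {
        host: (s, rtp[host])
        for host, s in sip.items()
        if s >= min_sip_bytes and rtp[host] <= s * max_rtp_ratio
    }

if __name__ == "__main__":
    for host, (s, r) in sorted(sip_imbalance(SAMPLE_FLOWS).items()):
        print(f"{host}: SIP control {s} bytes, RTP {r} bytes")
```

Hosts carrying real calls (192.0.2.20 in the sample) show media volume far above signalling and are not flagged; the flagged set is a starting point for checking whether the hosts involved are scanning or being scanned.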
Current thread:
- SIP - perhaps botnet? anyone else seeing this? Leland E. Vandervort (Apr 10)
- Re: SIP - perhaps botnet? anyone else seeing this? Roland Dobbins (Apr 10)
- Re: SIP - perhaps botnet? anyone else seeing this? Leland E. Vandervort (Apr 10)
- Re: SIP - perhaps botnet? anyone else seeing this? Roland Dobbins (Apr 10)
- Re: SIP - perhaps botnet? anyone else seeing this? Leland E. Vandervort (Apr 10)
- Re: SIP - perhaps botnet? anyone else seeing this? Randy Bush (Apr 10)
- Re: SIP - perhaps botnet? anyone else seeing this? Steven M. Bellovin (Apr 11)
- Re: SIP - perhaps botnet? anyone else seeing this? Leland E. Vandervort (Apr 10)
- Re: SIP - perhaps botnet? anyone else seeing this? Roland Dobbins (Apr 10)
- Re: SIP - perhaps botnet? anyone else seeing this? Leland E. Vandervort (Apr 15)
- RE: SIP - perhaps botnet? anyone else seeing this? Mike Goldman (Apr 15)
- Re: SIP - perhaps botnet? anyone else seeing this? Gadi Evron (Apr 15)