Exploiting SIP for botnet communication

Andreas Berger, Mohamed Hefeeda

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

7 Citations (Scopus)


The Session Initiation Protocol (SIP) implements methods for generic service discovery and versatile messaging. It is, therefore, expected to be a key component in many telecommunication and Internet services. For example, the 3GPP IP Multimedia Subsystem relies heavily on SIP. Given its critical role, ensuring the security of SIP is clearly a crucial task. In this paper, we analyze the SIP protocol and show that it can easily be exploited to mount effective and large-scale botnets. We do this by scrutinizing the details of the SIP protocol and show how it offers a variety of ways to conceal botnet traffic within legitimate-looking SIP traffic. Using our analysis, we implement a SIP bot and present experimental results from a real testbed network. In addition, we employ traffic statistics collected from a large telecommunication provider and discuss the implications for both botnet design and detection. Finally, we present a software tool (called autosip) to generate synthetic traffic that resembles actual SIP traffic with different controllable characteristics. The proposed tool is quite useful for researchers working in the area who may not have access to traffic dumps from actual telecommunication providers.

Original language: English
Title of host publication: 5th IEEE Workshop on Secure Network Protocols, NPSEC'09
Number of pages: 6
Publication status: Published - 1 Dec 2009
Externally published: Yes
Event: 5th IEEE Workshop on Secure Network Protocols, NPSEC'09 - Princeton, NJ, United States
Duration: 13 Oct 2009 - 13 Oct 2009


Other: 5th IEEE Workshop on Secure Network Protocols, NPSEC'09
Country: United States
City: Princeton, NJ


ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software
  • Electrical and Electronic Engineering

Cite this

Berger, A., & Hefeeda, M. (2009). Exploiting SIP for botnet communication. In 5th IEEE Workshop on Secure Network Protocols, NPSEC'09 (pp. 31-36). [5342244] https://doi.org/10.1109/NPSEC.2009.5342244