LAST UPDATED: 2023-03-28
This report identifies accessible SIP services on port 5060/udp. As described on Wikipedia, the Session Initiation Protocol) is a signaling protocol used for initiating, maintaining, and terminating communication sessions that include voice, video and messaging applications. SIP is used in Internet telephony, in private IP telephone systems, as well as mobile phone calling over LTE (VoLTE).
SIP is known to be a potential UDP message amplifier that has been abused for reflected DDoS attacks.
As of 2023-03-26 we find 9087 servers on IPv4, with an average amplification factor of 28.4 and median amplification factor of 12.1.
How we scan
The probe sends the string
OPTIONS and listens for the response payload.
You can mimic our scan with
nmap --script=sip-methods -sU -p 5060 <targets>, but it should be noted that we are only testing the
You can read more on SIP DDoS amplification research by Phenomite here.
We do not perform any intrusive checks on a discovered service.
You can track latest SIP scan results on the Shadowserver Dashboard.
You can also track SIP DDoS amplification abuse on our Dashboard, as seen by honeypot sensors.
Consider restricting access to port 5060/udp to trusted IPs.
In our scans we only check for service availability and potential amplification factor. However, SIP configuration has also many additional security considerations which you should take into account. These include brute-forcing credentials and getting access to SIP extensions and subsequent call fraud. You can read more on analysis of various SIP attack seen in the wild in CERT.BR’s paper here. For a broader set of recommendations on VoIP security practices, check out for example this article with 32 Proven VOIP Security Best Practices. Consult your vendor for security device configuration options.
For more information on our scanning efforts, check out our Internet scanning summary page.
You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
This report has an IPv4 version only.