A SIP OPTIONS flood is a layer 7 DDoS attack aimed to consume a targeted victim SIP user agent (server/client) resources in order to bring a DoS state to the SIP service.

By continually sending OPTIONS requests to a SIP UA over UDP, this attack aims to make it unavailable to handle new connections.

This DDoS attack is normally done by sending rapid OPTIONS requests to a SIP UA (server/client) within the network via UDP port 5060 (or any other working SIP port), from many attacking machines, making the SIP UA (server/client) respond back with SIP traffic. The resource consumption takes place on the victim SIP UA (server/client).

Technical Analysis

Image 1 shows a SIP Options request that uses UDP protocol with a destination port of 5060.

“Image 1 – Example of SIP OPTIONS Flood being sent via UDP port 5060

Image 2 highlights the SIP packet containing the request information.

“Image 2 – SIP Payload”

Analysis of a SIP OPTIONS UDP flood in Wireshark – Filters

Filter SIP OPTIONS packets – sip.Method == “OPTIONS” .
Go to Statistics -> Summary on the menu bar to understand the rate you are looking at.

Download Example PCAP of SIP OPTIONS UDP Flood

*Note: IPs have been randomized to ensure privacy.