This post may seem a little ironic, considering that I just posted info on some new SIP-based tools we built, but I wanted to rant a little about all the SIP attack tools that are out there. My team conducts VoIP security assessments for enterprises, and they have a huge collection of wicked SIP-based attack tools. If we are lucky enough to find some box listening on port 5060, it's pretty much toast, considering all the DoS, fuzzing, hijacking and other tools that we and the community have access to.
That said, the proliferation of SIP-based attack tools has raised awareness of the issues and made a lot of implementations more secure, at least against well-known attacks such as those generated by protocol fuzzing suites.
The reality is that most enterprises have very little, if any, SIP. Of course there are some little-known SIP interfaces, like that between CME and CUE, some internal SIP trunking, and in some very rare cases, SIP to the service provider, but very little handset SIP. The vast majority of the protocols you run into include H.323 (including proprietary mutations), SCCP, Unistim, MGCP, etc. What the community needs are more tools that can be used to test for vulnerabilities in the protocols that are actually being used by enterprises. I am sure some of these exist, but I am not aware of many that are public. This is too bad, because I don't think customers understand how fragile some of these systems are. For example, we have a tool that performs a "call flood" attack on one of these protocols and forces a reboot of a key VoIP system component. I suspect other folks, including the bad guys, have similar tools. I hope the VoIP security community can spend more time on these sorts of tools, to show enterprises where the vulnerabilities are, and in general, improve the security of these systems.
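Before you can test the signaling protocols an enterprise actually runs, you have to know which ones are on the wire, and port 5060 alone tells you very little. The script below is an added example written for this post, not one of the tools the author describes: it classifies captured signaling payloads as SIP, MGCP, SCCP or H.225/Q.931 from their first bytes, and falls back to a port-only guess (Unistim included) when no payload heuristic matches. The port table, the accepted SCCP header-version values, and the sample payloads are all my assumptions or constructed data, not taken from the original.

```python
"""
Passive VoIP signaling inventory: tell SIP, MGCP, SCCP and H.225 apart by payload.

Added example, not code from the original post. Heuristics follow the public
protocol formats; default ports and SCCP header-version set are assumptions.
"""
import re
import struct
from dataclasses import dataclass

# Conventional default signaling ports (assumption: sites may use others).
DEFAULT_PORTS = {
    5060: "SIP",
    1720: "H.323 (H.225/Q.931)",
    2000: "SCCP",
    2427: "MGCP",      # gateway side
    2727: "MGCP",      # call agent side
    5000: "Unistim",   # no payload heuristic below; port-only guess
}

SIP_METHODS = (b"INVITE", b"REGISTER", b"OPTIONS", b"ACK", b"BYE", b"CANCEL",
               b"SUBSCRIBE", b"NOTIFY", b"REFER", b"INFO", b"PRACK", b"UPDATE",
               b"MESSAGE", b"PUBLISH")
MGCP_VERBS = (b"CRCX", b"MDCX", b"DLCX", b"RQNT", b"NTFY", b"AUEP", b"AUCX",
              b"RSIP", b"EPCF")
# Skinny header versions seen in practice (assumption: 0 = basic, 0x11/0x12 = CM7 variants).
SCCP_HEADER_VERSIONS = (0x00, 0x11, 0x12)


@dataclass(frozen=True)
class Observation:
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes   # first segment/datagram of the flow


def classify(obs: Observation) -> str:
    p = obs.payload
    first_line = p.split(b"\r\n", 1)[0]
    verb = first_line.split(b" ", 1)[0]

    # SIP is text: requests end in "SIP/2.0", responses start with it.
    if first_line.startswith(b"SIP/2.0 ") or (
            first_line.endswith(b" SIP/2.0") and verb in SIP_METHODS):
        return "SIP"

    # MGCP is text: "<verb> <txid> <endpoint> MGCP 1.0"; responses are "<code> <txid> ...".
    if verb in MGCP_VERBS and b"MGCP" in first_line:
        return "MGCP"
    if re.match(rb"^[1-9]\d\d \d+ ", first_line) and obs.dst_port in (2427, 2727):
        return "MGCP"

    # SCCP (Skinny) is binary, little-endian: data length, header version, message id.
    # Data length excludes the 8-byte (length + version) header; assumes one message per segment.
    if obs.proto == "tcp" and len(p) >= 12:
        data_len, hdr_ver, _msg_id = struct.unpack_from("<III", p, 0)
        if data_len == len(p) - 8 and hdr_ver in SCCP_HEADER_VERSIONS:
            return "SCCP"

    # H.225 call signaling: TPKT (03 00 <len16 BE>) wrapping Q.931 (discriminator 0x08).
    if obs.proto == "tcp" and len(p) >= 5 and p[0] == 0x03 and p[1] == 0x00:
        tpkt_len = struct.unpack_from(">H", p, 2)[0]
        if tpkt_len == len(p) and p[4] == 0x08:
            return "H.323 (H.225/Q.931)"

    # Nothing matched on payload: fall back to the port, but say so.
    if obs.dst_port in DEFAULT_PORTS:
        return f"{DEFAULT_PORTS[obs.dst_port]} (port-only guess)"
    return "unknown"


def inventory(observations) -> dict:
    """Count observations per protocol label, e.g. {'SIP': 1, 'SCCP': 1}."""
    counts = {}
    for obs in observations:
        label = classify(obs)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    Observation("udp", 5060, b"REGISTER sip:pbx.example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5\r\n\r\n"),
    Observation("udp", 5060, b"SIP/2.0 401 Unauthorized\r\n\r\n"),
    Observation("udp", 2427, b"RQNT 1201 aaln/1@gw.example.com MGCP 1.0\r\nX: 0123456789AC\r\nR: L/hd\r\n"),
    Observation("udp", 2727, b"200 1201 OK\r\n"),
    Observation("tcp", 2000, struct.pack("<III", 4, 0x00, 0x0000)),   # Skinny KeepAlive
    Observation("tcp", 1720, bytes.fromhex("0300000908020001 05".replace(" ", ""))),  # TPKT + Q.931 SETUP
    Observation("udp", 5000, b"\x00\x00\x00\x01"),                    # Unistim, port-only
    Observation("tcp", 8080, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for label, n in sorted(inventory(SAMPLES).items()):
        print(f"{n:3d}  {label}")
```

Feed it the first segment of each TCP flow and each UDP datagram from a capture of the voice VLAN, and the counts tell you which signaling stacks your testing has to cover. The payload checks are deliberately strict (TPKT length must match, SCCP data length must match) so that a binary protocol on a reused port is reported as a port-only guess rather than misattributed.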
Of course there are many vectors of attack into a VoIP system, but the signaling (and, to some degree, the media) is always a lucrative target, because it has to be exposed to the network.