Dropped SIP traffic with "Attack: Malformed SIP datagram" and "Attack information: "Illegal 'FROM' user in request packet""
Symptoms
  • VoIP SIP traffic is dropped by IPS with the following log:

    Attack: Malformed SIP datagram
    Attack information: "Illegal 'FROM' user in request packet"
    
  • Kernel debug ('fw ctl debug -m fw + vm drop') shows that the traffic is fully accepted, but it does not pass through the Security Gateway

  • Kernel debug ('fw ctl debug -m fw + sip') shows:

    ;sip_get_user_ex : '+' found. skipping it;
    ;sip_get_user_ex: User contains a reserved character;
    ;sip_send_log_bad_conn_ex : Sending log with info Invalid or no SIP users;
    
Cause

VoIP SIP traffic with more than one '+' or '&' character in the 'FROM' or 'TO' part of the header of a SIP 'OPTION' packet is not processed properly if that 'FROM' or 'TO' part does not contain the '@' character, i.e., when there is no user (anonymous user).

Example from kernel debug: 

  • To: <sip:192.168.10.22>;tag=s+1+1720002+723224dc
  • From<sip:192.168.40.66:5060;transport=udp;lr>;tag=sip+1+aba0e0a+f5e6cd3e
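
A triage check for captured SIP requests that tests the condition described under Cause, so affected endpoints can be identified from a packet capture. This is an added example, not Check Point code and not the gateway's parser: the function names are hypothetical, the sample messages are constructed around the two header values above, and '+' and '&' are assumed to be counted together.

```python
import re

# From/To header names per RFC 3261, including compact forms "f" and "t".
_HDR = re.compile(r"^(from|to|f|t)\s*:\s*(.*)$", re.IGNORECASE)

def uri_of(value):
    """URI inside <...>, or the text before the first ';' if unbracketed."""
    m = re.search(r"<([^>]*)>", value)
    return m.group(1) if m else value.split(";", 1)[0].strip()

def matches_condition(value):
    """No '@' in the URI (anonymous user) and more than one '+'/'&' overall.
    Assumption: '+' and '&' are counted together across the header value."""
    no_user = "@" not in uri_of(value)
    specials = sum(value.count(c) for c in "+&")
    return no_user and specials > 1

def triage(raw):
    """Return (method, {header: value}) for From/To headers that match."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method = lines[0].split(" ", 1)[0]
    hits = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the headers; the body is not inspected
        m = _HDR.match(line)
        if m and matches_condition(m.group(2)):
            name = {"f": "From", "t": "To"}.get(m.group(1).lower(), m.group(1).title())
            hits[name] = m.group(2)
    return method, hits

# Constructed message: header values from the debug example, the rest invented.
SAMPLE = (
    "OPTIONS sip:192.168.10.22 SIP/2.0\r\n"
    "To: <sip:192.168.10.22>;tag=s+1+1720002+723224dc\r\n"
    "From: <sip:192.168.40.66:5060;transport=udp;lr>;tag=sip+1+aba0e0a+f5e6cd3e\r\n"
    "Call-ID: constructed-example\r\n"
    "CSeq: 1 OPTIONS\r\n\r\n"
)
# Constructed control: a user part is present, or no repeated '+'/'&'.
CONTROL = (
    "OPTIONS sip:192.168.10.22 SIP/2.0\r\n"
    "To: <sip:alice@192.168.10.22>;tag=s+1+2\r\n"
    "From: <sip:192.168.40.66>;tag=abc\r\n\r\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(CONTROL))
```

Header line folding is not handled, and a match only means the message fits the condition in this article, not that the gateway dropped it.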
