Event Id | 16344 |
Source | Live Communications Server |
Description | At least one replayed message was detected. There were 1 replays in the last 0 minutes. The last one detected had the following FROM header: sip:username@domain.com. This could be due to a client or server which is not handling authentication correctly, or it could be due to an attacker replaying network messages. |
Event Information | This is due to the fact that when a user logs in, for the first time the request he sends to the server is not authenticated, for which the server sends a SIP challenge response to which the client provides the right credentials and establishes SA with the server. There is currently no good way to distinguish between the first unauthenticated request sent by a regular good client and requests sent by unauthenticated rogue client trying to attack the server. This event log just says how many unauthenticated requests the server received in the last x minutes. In proper deployments these are benign event logs generated by regular clients.But in the case of some kind of attack this event logs will give a hint of what is happening in the network. |
Reference Links |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.