Skip to content

SIP toll fraud

Stop SIP toll fraud before it drains your trunk balance.

Toll fraud crews scan millions of SIP endpoints daily. SipRadar surfaces their infrastructure in real time from 214 global honeypots, then feeds your Fail2Ban, iptables, or Kamailio edge before the first fraudulent INVITE lands.

Why generic blocklists miss VoIP fraud

SIP toll fraud uses dedicated infrastructure that rarely appears on email or web reputation feeds. Attackers rotate through compromised hosts, spoof friendly user-agents, and hammer REGISTER and INVITE on ports 5060–5062. By the time a generic IP list flags them, your carrier has already billed thousands in premium-rate calls.

VoIP-native detection from live honeypots

SipRadar honeypots emulate real PBX behavior and record every SIP probe. Our threat graph scores each source 0–100 based on brute-force patterns, premium-rate routing attempts, and known fraud ASNs. High-confidence attackers stream to GET /v1/threats and blacklist.txt within seconds.

How SipRadar helps

Real-time SIP threat feed

Watch live attacks on the dashboard or pull JSON via API. Filter by country, port, and threat score. Export filtered events to CSV for your SIEM.

Automated edge blocking

Ship ready-made Fail2Ban jails, iptables sets, and Kamailio dispatcher rules. Block fraud sources at the network edge before they reach your dial plan.

PBX exposure audits

Run remote scans against your public SIP endpoint to find weak credentials, open extensions, and TLS misconfigurations that fraud crews exploit first.

Low false-positive rate

Unlike generic reputation lists, SipRadar only scores SIP-specific behavior, so legitimate carrier peers and your own monitoring tools stay off the blocklist.

Integrate in minutes

Pull GET /v1/blacklist.txt into cron, wire Fail2Ban to our threat API, or stream WebSocket events on Active Defense and Enterprise plans. No agents on your PBX; just pull-based or push-based defense at the edge.

FAQ

Frequently asked questions

Common questions about SIP toll fraud and how SipRadar fits your VoIP security stack.

Ask a question →
  • Honeypot events appear in the live feed within seconds. API consumers on paid plans receive real-time updates; Community tier includes a 48-hour delayed feed suitable for research.