Evangelyze Community Site
UC Security Threats: Call Redirection

When a VoIP call is set up with SIP, the initiating system first sends a SIP INVITE request, and the called system then answers with a SIP response. The response could be that the phone is ringing, that the call is being forwarded, or one of a variety of other options. One set of response codes tells the initiating SIP device that the call should be redirected. Here are some examples of SIP redirection responses:

  • 301 - Moved Permanently
  • 302 - Moved Temporarily
  • 305 - Use Proxy
  • 380 - Alternative Service

If an attacker is able to monitor or intercept the SIP INVITE requests (by executing a MitM attack, for example), they can spoof the response to the INVITE and get the initiating SIP device to redirect the call. These attacks are possible from the external Internet, particularly when SIP trunking is used to connect directly with the VoIP provider, but they are more likely to succeed when the attacker already has access to the internal network. A call redirection attack could be used to do any of the following:

  • Denial-of-Service: redirect calls to a non-existent destination
  • Disrupt Communications: redirect calls to some other random destination
  • Intercept Calls: redirect calls to a rogue device and spoof the intended call recipient
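
On the monitoring side, redirection responses can be checked as they arrive. The following is an added example, not code from the original post: it flags the 3xx responses listed above when they come from a source that is not a known proxy or when their Contact target lies outside an allow-list. The function names, the proxy address 10.0.0.5, the domain example.com and the sample messages are all assumptions constructed for illustration.

```python
import re

# Redirection responses listed in the post.
REDIRECT_CODES = {301, 302, 305, 380}

def parse_response(raw):
    """Return (status, headers) for a SIP response, or None for anything else."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    m = re.match(r"SIP/2\.0 (\d{3}) ", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers

def contact_host(value):
    """Extract the host part of the first sip:/sips: URI in a Contact value."""
    m = re.search(r"sips?:(?:[^@>;]*@)?([^:;>\s]+)", value, re.I)
    return m.group(1).lower() if m else None

def check_redirect(raw, src_ip, trusted_proxies, allowed_domains):
    """Return findings for one SIP response observed coming from src_ip."""
    parsed = parse_response(raw)
    if parsed is None or parsed[0] not in REDIRECT_CODES:
        return []
    code, headers = parsed
    findings = []
    if src_ip not in trusted_proxies:
        findings.append(f"{code} from unexpected source {src_ip}")
    # "m" is the compact form of the Contact header.
    for value in headers.get("contact", []) + headers.get("m", []):
        host = contact_host(value)
        if host is None or not any(
                host == d or host.endswith("." + d) for d in allowed_domains):
            findings.append(f"{code} redirects to untrusted target {host}")
    return findings

# Constructed sample responses (not captured traffic).
LEGIT = ("SIP/2.0 302 Moved Temporarily\r\nCall-ID: a1@10.0.0.20\r\n"
         "Contact: <sip:bob@voicemail.example.com>\r\n\r\n")
SPOOFED = ("SIP/2.0 302 Moved Temporarily\r\nCall-ID: a2@10.0.0.20\r\n"
           "Contact: <sip:bob@203.0.113.9:5060>\r\n\r\n")

if __name__ == "__main__":
    for raw, src in ((LEGIT, "10.0.0.5"), (SPOOFED, "10.0.0.66")):
        print(src, check_redirect(raw, src, {"10.0.0.5"}, {"example.com"}))
```

The source-address check alone does not catch an on-path attacker who forges the proxy's address, so the Contact allow-list is the check that carries the weight here.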

Posted 28 Jan 2009 7:05 by tony

Comments

Tony's Blog wrote Who Is Responsible for VoIP Security?
on 2 Feb 2009 12:04

With each new revolution in digital communications there seems to come some sort of painful learning
