SIP3 Monitoring and Analysis of STIR-SHAKEN

Robocallers and criminals can often alter or spoof the calling number of their outbound phone calls in order to deceive the called party. The deception can be as simple as changing the calling number so it appears that a neighbor is calling. That increases the chance that the called party will answer the robocall. In other cases, the deception may be more malicious. The fraudster can try to initiate a call impersonating a tax service or banking agent trying to steal tax refunds. Such practice of altering the calling number is known as spoofing.


Since 2014 the Federal Communications Commission (FCC) has been encouraging the telecommunication industry to come up with a solution that stops robocalls and spoofed calling numbers. That is how a new technology standard called STIR (Secure Telephony Identity Revisited) and SHAKEN (Secure Handling of Asserted information using toKENs) has been developed. The same defines how telephone service providers should implement the STIR technology to ensure calling numbers aren’t spoofed.

STIR and SHAKEN are telecom standards designed to enable service providers to cryptographically sign calls in the SIP (Session Initiation Protocol) header. STIR/SHAKEN aims at protecting consumers against fraud and abuse from robocallers.

Why is STIR-SHAKEN Becoming so Popular?

Fraud, robocalling abuse and legally spoofed robocalling, in particular, are the number one Federal Communications Commission (FDC) consumer complaint. The telecommunications industry is trying to combat the abuse through the adoption of the new industry standard. At the beginning of November 2018 FCC issued an official release urging service providers to implement the SHAKEN/STIR framework.

It is important to note that STIR/SHAKEN does not block calls, but rather serve as a tool that may provide indications of occurring fraud. However, legitimate calls such as services that consumers want and demand using (e.g. reminders for doctor appointments, emergency notifications, etc.) must not be blocked.

How Does STIR-SHAKEN Work?

A trusted public key is used to enhance the integrity of the originating call, identifying the data sent across networks. With STIR/SHAKEN, the SIP headers will contain a certain level of confidence indicator from the service provider side to notify whether the originating call party has the right to use the number via the attestation field. There are three levels of attestation that can be indicated by the originating service provider:

  • Full attestation (A) – the service provider has authenticated their customer originating the call and they are authorized to use the calling phone number
  • Partial attestation (B) – the service provider has authenticated their customer originating the call but can’t verify if they are authorized to use the calling number
  • Gateway attestation (C) – the service provider has authenticated from where it received the call, but can’t authenticate the call source.


In addition to that, the originating service provider provides data in the header to facilitate traceback, identifying where the call entered their network.

SIP3 Monitoring and Analysis of STIR-SHAKEN

The SIP3 team has been continuously making efforts to provide a solution to our customers for validating phone numbers and caller authenticity as well as reducing the instances of robocalls and spoofing. 

As part of the newly introduced User-Defined Function functionality, users can decode information from the identity header of a SIP Invite and build attestation reports.

In addition, each one of the STIR/SHAKEN attributes can be used to discover a chain of calls associated with it.

The example below showcases the usage of STIR-SHAKEN user-defined function.

STIR/SHAKEN User-Defined Function Example


package udf

import io.vertx.core.json.JsonObject

def BASE64_DECODER = Base64.decoder

vertx.eventBus().localConsumer("sip_message_udf", { event ->
    def packet = event.body()
    def sip_message = packet['payload']
    def request_line = sip_message['request-line']
    if (request_line != null && request_line.startsWith('INVITE')) {
        def identity_header = sip_message['identity']
        if (identity_header != null) {
            def payload = identity_header
            // Identity JSON Example:
            // {
            //   "attest": "A",
            //   "dest": {
            //            "tn": ["14045266060"]
            //           },
            //   "iat": 1548859982,
            //   "orig": {
            //            "tn": "18001234567"
            //           },
            //   "origid": "3a47ca23-d7ab-446b-821d-33d5deedbed4"
            // }
            def identity = new JsonObject(new String(BASE64_DECODER.decode(payload)))
            packet['attributes']['attest'] = identity.getString('attest')


This has not been our only attempt to protect our customers and their users from fraud attacks and robocalls. We have recently launched an integration with APIBAN – an open source platform for sharing and retrieving a list of fraud IP addresses.

For more information about how User-Defined function works, please visit the SIP3 documentation. If you have any questions, do not hesitate to contact us.

Tags: Categories: Fraud Detection Infrastructure SIP VoIP

Leave a Reply

Your email address will not be published. Required fields are marked *