A few cases of SIP dictionary attacks using the "friendly-scanner" have been reported recently. These appear to be active attempts to steal service.
We responded today to an attack on a nationwide Service Provider. They reported up to 69 REGISTERs per second originating from an IP address in Anhui province, China. 69 REGISTERs per second is roughly the equivalent load of 5,000 users.
Unfortunately for the victims, the "friendly scanner", SIPVicious runs very hot and fast, apparently blasting out lots of requests without even waiting for earlier attempts to fail. The SIPVicious tool is focused on cracking SIP PBXs, and will be only so slightly less effective on Carrier VoIP systems.
The main reports of problems due to SIP Registration scanning are server overloads. But if the registration scanner users are smart, they'll slow down their rates so they don't alarm the parties being probed.
How do you defend against SIP Registration storms?