DENIAL OF SERVICE ATTACKS AND SIP INFRASTRUCTURE: Attack Scenarios and Prevention Mechanisms

In this paper we address denial of service (DoS) attacks that target the hardware and software of voice over IP (VoIP) servers or that misuse specific features of the signaling protocol. The signaling protocol we investigate is the Session Initiation Protocol (SIP). In this context we mainly identify attacks that exhaust the memory of VoIP servers, attacks on the CPU, and attacks that cause excessive communication with external servers such as DNS or authentication servers. We address two kinds of attacks: intentional attacks caused by malicious users, and unintentional attacks caused by network misconfigurations, broken implementations or other uninformed use of the technology. A major conclusion of this work is that SIP provides a wide range of features that can be used to mount DoS attacks. Discovering these attacks is inherently difficult, as is the case with DoS attacks on other IP components. However, with adequate server design, efficient implementation and appropriate hardware, the effects of a large portion of these attacks can be reduced. Besides server implementation and hardware, we present different optimizations that reduce the need to contact DNS servers by using caches, policies and extensions to the SIP messages. Further, to reduce the risk of being attacked, we describe issues of message monitoring and filtering as well as authentication approaches for different kinds of users.