Secure SIP: A Scalable Prevention Mechanism for DoS Attacks on SIP Based VoIP Systems

Traditional perimeter security solutions cannot cope with the complexity of VoIP protocols at carrier-class performance. We implemented a large-scale, rule-based, SIP-aware application-layer firewall capable of detecting and mitigating SIP-based Denial-of-Service (DoS) attacks at the signaling and media levels. The detection algorithms, implemented in a highly distributed hardware solution leveraged to obtain filtering rates in the order of hundreds of transactions per second, suggest carrier-class performance. The firewall filters SIP traffic against spoofing attacks and against request, response and out-of-state floods. The functionality and performance of the DoS prevention schemes were validated using a distributed test-bed and a custom-built, automated testing and analysis tool that generated high-volume signaling and media traffic and performed fine-grained measurements of filtering rates and load-induced delays of the system under test. The test tool included SIP-based attack vectors of spoofed traffic as well as floods of requests, responses and out-of-state message sequences. This paper also presents experimental results.
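As an added illustration of the rule classes the abstract names (this is example code, not the paper's firewall), a small stateful SIP filter in Python: it rate-limits requests per source, drops responses that match no pending transaction, drops in-dialog requests (ACK, BYE) for dialogs it never saw established, and flags requests whose top Via host differs from the sending address. The thresholds, header handling and sample messages are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed example (not the paper's firewall): stateful rules for the attack
# classes the abstract names: request floods, out-of-state messages, spoofed Via.
REQUEST_RE = re.compile(r"^([A-Z]+) sip:\S+ SIP/2\.0$")
RESPONSE_RE = re.compile(r"^SIP/2\.0 (\d{3})")
BRANCH_RE = re.compile(r"branch=([^;\s]+)")
VIA_HOST_RE = re.compile(r"^SIP/2\.0/\w+ ([^;:\s]+)")


class SipDosFilter:
    def __init__(self, max_requests=5, window=1.0):
        self.max_requests, self.window = max_requests, window
        self.recent = defaultdict(deque)  # src -> timestamps of its requests
        self.pending = {}                 # (Call-ID, branch) -> request method
        self.dialogs = set()              # Call-IDs with a confirmed INVITE dialog

    def inspect(self, src, ts, msg):
        start, *lines = msg.strip().splitlines()
        hdrs = {k.strip().lower(): v.strip()
                for k, _, v in (l.partition(":") for l in lines)}
        via, call_id = hdrs.get("via", ""), hdrs.get("call-id", "")
        branch = BRANCH_RE.search(via)
        key = (call_id, branch.group(1) if branch else None)
        m = REQUEST_RE.match(start)
        if m:
            method, q = m.group(1), self.recent[src]
            while q and q[0] <= ts - self.window:   # sliding-window rate limit
                q.popleft()
            if len(q) >= self.max_requests:
                return "drop:request-flood"
            q.append(ts)
            host = VIA_HOST_RE.match(via)           # top Via must name the sender
            if not host or host.group(1) != src:
                return "drop:spoofed-via"
            if method in ("ACK", "BYE") and call_id not in self.dialogs:
                return "drop:out-of-state-request"  # in-dialog request, no dialog
            self.pending[key] = method
            return "allow"
        m = RESPONSE_RE.match(start)
        if not m or key not in self.pending:
            return "drop:out-of-state-response"     # no transaction awaits it
        status, method = int(m.group(1)), self.pending[key]
        if status >= 200:                           # final answer closes it
            del self.pending[key]
            if method == "INVITE" and status < 300:
                self.dialogs.add(call_id)
            elif method == "BYE":
                self.dialogs.discard(call_id)
        return "allow"
```

The per-source window and the Via-host check are deliberately simple stand-ins for the paper's hardware rule engine; a deployment behind NAT would need the received/rport handling of the real topology.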