Denial-of-service detection and mitigation for SIP communication networks

The Session Initiation Protocol (SIP) is the multimedia communication protocol of the future. Used for Voice-over-IP (VoIP), Internet Multimedia Subsystem (IMS) and Internet Protocol Television (IPTV), it is based on mature and open standards, and its use has increased rapidly in recent years. However, with its acceptance as a mainstream communication platform, security concerns become ever more important for users and service providers. In this thesis we identify different attacks on SIP-based networks, with a focus on Denial-of-Service (DoS) flooding attacks. We evaluate SIP infrastructure for DoS attack possibilities and demonstrate a completely new attack that utilises a combination of SIP and the Domain Name Service (DNS). We propose three different DoS detection and mitigation schemes, including one to handle this particular SIP DNS attack. We also provide a first step towards Distributed DoS mitigation, which is only marginally addressed by current research, by introducing a firewall pinholing scheme. We also evaluate the requirements for a self-sufficient and scalable SIP security framework in which attack countermeasures can be evaluated and tested. We use this framework for our solutions and validate their effectiveness for DoS mitigation. With these solutions, general SIP networks will be more robust against flooding DoS and Distributed DoS attacks.
