Utilizing bloom filters for detecting flooding attacks against SIP based services

Any application or service that uses the Internet is exposed both to general Internet attacks and to attacks specific to it. Most of the time, the latter exploit a vulnerability or misconfiguration in the provided service and/or in the protocol it uses. Consequently, critical services deployed over the Internet, such as Voice over IP (VoIP) services, are vulnerable to such attacks and, on top of that, offer a field for new attacks or variations of existing ones. Among the various threats that a service provider should consider are flooding attacks at the signaling level, which are very similar to those against TCP servers but have emerged at the application level of the Internet architecture. This paper examines flooding attacks against VoIP architectures that employ the Session Initiation Protocol (SIP) as their signaling protocol. The focus is on the design and implementation of an appropriate detection method. Specifically, a bloom filter based monitor is presented and a new metric, named session distance, is introduced in order to provide an effective protection scheme against flooding attacks. The proposed scheme is evaluated on an experimental test bed architecture under different scenarios. The results of the evaluation demonstrate that the time required to detect such an attack is negligible and that the number of false alarms is close to zero.
