Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 5310)

Abstract

Traditional perimeter security solutions cannot cope with the complexity of VoIP protocols at carrier-class performance. We implemented a large-scale, rule-based, SIP-aware application-layer firewall capable of detecting and mitigating SIP-based Denial-of-Service (DoS) attacks at the signaling and media levels. The detection algorithms, implemented in a highly distributed hardware solution leveraged to obtain filtering rates in the order of hundreds of transactions per second, suggest carrier-class performance. The firewall performs SIP traffic filtering against spoofing attacks and against request, response and out-of-state floods. The functionality and performance of the DoS prevention schemes were validated using a distributed test-bed and a custom-built, automated testing and analysis tool that generated high-volume signaling and media traffic and performed fine-grained measurements of filtering rates and load-induced delays of the system under test. The test tool included SIP-based attack vectors of spoofed traffic, as well as floods of requests, responses and out-of-state message sequences. This paper also presents experimental results.

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ormazabal, G., Nagpal, S., Yardeni, E., Schulzrinne, H. (2008). Secure SIP: A Scalable Prevention Mechanism for DoS Attacks on SIP Based VoIP Systems. In: Schulzrinne, H., State, R., Niccolini, S. (eds) Principles, Systems and Applications of IP Telecommunications. Services and Security for Next Generation Networks. IPTComm 2008. Lecture Notes in Computer Science, vol 5310. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89054-6_6

  • DOI: https://doi.org/10.1007/978-3-540-89054-6_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-89053-9

  • Online ISBN: 978-3-540-89054-6

  • eBook Packages: Computer Science, Computer Science (R0)