Network Security Framework To Counter SIP Based Attacks (original) (raw)
Related papers
International Conference on Aerospace Sciences & Aviation Technology, 2013
Session Initiation Protocol (SIP) is application layer signaling text-based protocol used for creating, modifying, and terminating multimedia communications sessions (Internet telephone calls, instant messaging, and multimedia conferences) among Internet endpoints. SIP is defined by the Internet Engineering Task Force (IETF) and documented in RFC 3261. Unfortunately, SIP-based application services using IP network are not only exposed to the security vulnerabilities inherited from IP but also exposed to new security vulnerabilities inherited from SIP. In this paper we present the most important security vulnerabilities, threats, and attacks against SIP-multimedia communications systems. Our goal is to provide roadmap to the interested persons for understanding existing capabilities, and identifying the gaps and vulnerabilities in SIP, We illustrate how these vulnerabilities can be exploited to compromise the security of SIP-based systems. Then we focus on Denial of Service (DoS) attacks that impact service availability along with the main detection techniques for these attacks.
Review of SIP based DoS attacks
International Journal of Computer Applications Technology and Research, 2016
The Voice over Internet Protocol (VoIP). The VoIP is relatively new and is gaining more and more popularity as it offers a wide range of features and is much more cost effective as compared to the traditional PSTN. But the VoIP brings with it certain security threats which need to be resolved in order to make it a more reliable source of communication. Session Initiation Protocol (SIP) today is considered the standard protocol for multimedia signaling, and the result is a very generic protocol. SIP is specified by the IETF in RFC 3261. From a structural and functional perspective, SIP is application layer signaling text-based protocol used for creating, modifying, and terminating multimedia communications sessions among Internet endpoints. Unfortunately, SIP-based application services can suffer from various security threats as Denial of Service (DoS). attacks on a SIP based VoIP infrastructure that can severely compromise its reliability. In contrast, little work is done to analyze the robustness and reliability of SIP severs under DoS attacks. In this survey, we are discussing the DoS flooding attack on SIP server. Firstly, we present a brief overview about the SIP protocol. Then, security attacks related to SIP protocol. After that, detection techniques of SIP flooding attack and various exploited resources due to attack were discussed and finally the paper reviews previous work done on SIP based DoS attacks.
Towards a Security Model against Denial of Service Attacks for SIP Traffic
2018
Nowadays, security threats in Voice over IP (VoIP) systems are an essential and latent concern for people in charge of security in a corporate network, because, every day, new Denial-ofService (DoS) attacks are developed. These affect the business continuity of an organization, regarding confidentiality, availability, and integrity of services, causing frequent losses of both information and money. The purpose of this study is to establish the necessary measures to mitigate DoS threats, which affect the availability of VoIP systems, based on the Session Initiation Protocol (SIP). A Security Model called MS-DoS-SIP is proposed, which is based on two approaches. The first one analyzes the recommendations of international security standards. The second approach takes into account weaknesses and threats. The implementation of this model in a VoIP simulated system allowed to minimize the present vulnerabilities in 92% and increase the availability time of the VoIP service into an organiz...
Detecting Denial of Service Attacks on SIP Based Services and Proposing Solutions
Technologies for Protecting Networks, 2012
One of the main goals of employing Next Generation Networks (NGN) is an integrated access to the multimedia services like Voice over IP (VoIP), and IPTV. The primary signaling protocol in these multimedia services is Session Initiation Protocol (SIP). This protocol, however, is vulnerable to attacks, which may impact the Quality of Service (QoS), which is an important feature in NGN. One of the most frequent attacks is Denial of Service (DoS) attack, which is generated easily, but its detection is not trivial. In this chapter, a framework is proposed to detect Denial of Service attacks and a few other forms of intrusions, and then we react accordingly. The proposed detection engine combines the specification-and anomaly-based intrusion detection techniques. The authors set up a test-bed and generate a labeled dataset.
Survey of Countering DoS/DDoS Attacks on SIP Based VoIP Networks
Electronics
Voice over IP (VoIP) services hold promise because of their offered features and low cost. Most VoIP networks depend on the Session Initiation Protocol (SIP) to handle signaling functions. The SIP is a text-based protocol that is vulnerable to many attacks. Denial of Service (DoS) and distributed denial of service (DDoS) attacks are the most harmful types of attacks, because they drain VoIP resources and render SIP service unavailable to legitimate users. In this paper, we present recently introduced approaches to detect DoS and DDoS attacks, and classify them based on various factors. We then analyze these approaches according to various characteristics; furthermore, we investigate the main strengths and weaknesses of these approaches. Finally, we provide some remarks for enhancing the surveyed approaches and highlight directions for future research to build effective detection solutions.
i Detecting Denial of Service Message Flooding Attacks in SIP based Services
2016
Increasing the popularity of SIP based services (VoIP, IPTV, IMS infrastructure) lead to concerns about its security. The main signaling protocol of next generation networks and VoIP systems is Session Initiation Protocol (SIP). Inherent vulnerabilities of SIP, misconfiguration of its related components and also its implementation deficiencies cause some security concerns in SIP based infrastructures. New attacks are developed that target directly the underlying SIP protocol in these related SIP setups. To detect such kinds of attacks we combined anomaly-based and specification-based intrusion detection techniques. We took advantages of the SIP state machine concept (according to RFC 3261) in our proposed solution. We also built and configured a real test-bed for SIP based services to generate normal and assumed attack traffics. We validated and evaluated our intrusion detection system with the dump traffic of this real test-bed and we also used another specific available dataset to have a more comprehensive evaluation. The experimental results show that our approach is effective in classifying normal and anomaly traffic in different situations. The Receiver Operating Characteristic (ROC) analysis is applied on final extracted results to select the working point of our system (set related thresholds).
Zenodo (CERN European Organization for Nuclear Research), 2023
ESOBSTEB SIP-DDoS defense tool is an internet attack based defense tool that has four components, the acronym "ESOBSTEB" came from the four components which are: enhanced SIP proxy server and an enhanced application layer stateless firewall, outer attack blocking (OB) component, service traceback architecture (STBA) and entropy based (EB) component. The increasing usage of SIP servers for multimedia transmissions has resulted in a high and frequent experience of Distributed Denial of Service (DDoS) attacks. The drive to curb the menace caused by Distributed denial of service (DDoS) attack which are threats resulting in huge damages on legitimate Internet usage and civil security in the last decade has been the objective of most network security researchers from academia, industry and also governmental organizations. This research study intend to fix this gap by first identifying and detecting the Flood based SIP-App (D)DoS attacks and create a defense mechanisms against them using the four components. The enhanced SIP proxy server updates the firewall with the IP addresses of legitimate users and alerts the firewall when a legitimate user IP address expires and should be removed from the list. The second component of the framework that will be deployed at the edge router compares and examines the IP source of the incoming request according to its blacklist database table and blocks or forwards it to the next part of the framework. The third part of the framework validates whether the incoming request is launched by a human (real web browser) or by an automated tool (bots) and it traces back the incoming request in order to find out the true IP attacking source. The forth part of the framework detects anomalies in SIP network traffic and to differentiate whether it is high rate DDoS (HR-DDoS) attacks or flash crowd (FC) attacks. In case EB classifies that the incoming SIP network traffic is high rate SIP DoS/DDoS (HR-DDoS) attacks, it blocks it immediately. Whereas if EB classifies that the incoming SIP network traffic is flash crowd (FC) attacks, it decreases the maximum connection's timeout value and decreases the maximum allowed request per this timeout, until these two values reach zero. Once the values of the timeout and the maximum allowed requests reach zero, EB component disables KeepAlive feature of SIP connection. The framework will be simulated with practical experiments of AntiDDoS_Shield system on NS2 simulation environment.
Detecting Denial of Service message flooding attacks in SIP based services
Increasing the popularity of SIP based services (VoIP, IPTV, IMS infrastructure) lead to concerns about its security. The main signaling protocol of next generation networks and VoIP systems is Session Initiation Protocol (SIP). Inherent vulnerabilities of SIP, misconfiguration of its related components and also its implementation deficiencies cause some security concerns in SIP based infrastructures. New attacks are developed that target directly the underlying SIP protocol in these related SIP setups. To detect such kinds of attacks we combined anomaly-based and specification-based intrusion detection techniques. We took advantages of the SIP state machine concept (according to RFC 3261) in our proposed solution. We also built and configured a real test-bed for SIP based services to generate normal and assumed attack traffics. We validated and evaluated our intrusion detection system with the dump traffic of this real test-bed and we also used another specific available dataset to have a more comprehensive evaluation. The experimental results show that our approach is effective in classifying normal and anomaly traffic in different situations. The Receiver Operating Characteristic (ROC) analysis is applied on final extracted results to select the working point of our system (set related thresholds).
Evaluating DoS Attacks against Sip-Based VoIP Systems
GLOBECOM 2009 - 2009 IEEE Global Telecommunications Conference, 2009
The multimedia communication is rapidly converging towards Voice over Internet-commonly known as Voice over Internet Protocol (VoIP). Session Initiation Protocol (SIP) is the standard used for session signaling in VoIP. Crafty attackers can launch a number of Denial of Service (DoS) attacks on a SIP based VoIP infrastructure that can severely compromise its reliability. In contrast, little work is done to analyze the robustness and reliability of SIP severs under DoS attacks. In this paper, we show that the robustness and reliability of generic SIP servers is inadequate than commonly perceived. We have done our study using a customized analysis tool that has the ability to synthesize and launch different types of attacks. We have integrated the tool in a real SIP test bed environment to measure the performance of SIP servers. Our measurements show that a standard SIP server can be easily overloaded by sending simple call requests. We define the performance metrics to measure the effects of flooding attacks on real time services-VoIP in SIP environment-and show the results on different SIP server implementations. Our results also provide insight into resources' usage by SIP servers under flooding attacks. Moreover, we show that how a well known open source SIP server can be crashed through 'INVITE of Death'-a malformed SIP packet maliciously crafted by our tool. 1 We define breaking point as an attack scenario in which only 50% of the requested calls are completed.
Journal of Internet Technology, 2016
IP Multimedia Subsystem (IMS) is a standardized Next Generation Networking (NGN) architecture. It takes Session Initiation Protocol (SIP) as the core signaling protocol of IMS and NGN. With IMS networks widespread deployment, SIP flooding attacks are becoming into a major threat to IMS network. However, the existing SIP flooding attack detection schemes are inefficient for detecting lowrate SIP flooding attacks and are lacking in poor recovery for detecting high-rate SIP flooding attacks. In this paper, we propose a novel SIP flooding attack detection scheme with the internal and external detection features in IMS networks, called SFADS (SIP flooding attack detection scheme). In SFADS, based on the analysis of SIP flooding attacks, we first extract the abrupt change of SIP session request as the external detection feature, and the abnormal abrupt change of difference between the sequence of legitimate SIP session establishment and the SIP session request messages as the internal det...