Design and Implementation of SIP-aware DDoS Attack Detection System

Post on 23-Dec-2015


Page 1: Design and Implementation of SIP-aware DDoS Attack Detection System

Design and Implementation of SIP-aware DDoS Attack Detection System

Page 2

Introduction:

• SIP is a signaling protocol that controls session establishment, modification, and termination of multimedia services.

• Since SIP-based application services are delivered over IP networks, they are exposed not only to the security vulnerabilities of IP but also to SIP-specific vulnerabilities, and both must be secured.

Page 3

• This paper explains how SIP services can be protected from DDoS (Distributed Denial of Service) attacks by a SIP-aware attack detection system.

• Contents of this paper are:

Characteristics of SIP, DDoS attack patterns.

Considerations and design issues of SIP-aware DDoS attack detection.

Currently implemented systems.

Page 4

Characteristics of SIP

• Generally, DDoS traffic is detected by IP-based security technologies using the 5-tuple (source IP, source port, destination IP, destination port and protocol).

• But SIP-based applications also require SIP-level information, such as the URI (Uniform Resource Identifier), to be taken into account.

Page 5

SIP aware DDoS attack patterns

• Section A: Destination IP address is fixed to IP address of a SIP server

• Section B: Source IP address and destination IP address are fixed to IP addresses of SIP proxy servers.

• Section C: Source IP address is fixed to IP address of SIP proxy server.

Figure 1. SIP Traffic Transmission Section Classification

Page 6

• Section A: Multiple source IP addresses but identical From, To and Call-ID.

• It is easy to determine an attack because different source IP addresses are not allowed to share the same From address.

• Sections B and C: identical method, From, To, and Call-ID. SIP packets transmitted above their thresholds can be classified as DDoS attacks.

SIP DDoS 1 attack to user terminal

Page 7

Figure 3. SIP DDoS 2 Attack to user terminal

• The figure shows multiple callers transmitting massive numbers of packets to a single callee.

• In this case, it is hard to detect an inconsistency by logical packet analysis in any of sections A, B, and C.

• Sections A, B, C: when SIP packets with different From addresses share an identical Call-ID, or when SIP packets with identical method, To, and Call-ID are transmitted above their threshold, the traffic can be classified as a DDoS attack.
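The following is an added example, not code from the paper, that turns the header-consistency and threshold rules of pages 6 and 7 into a small detector: one From/To/Call-ID arriving from several source IPs, several From addresses reusing one Call-ID, and identical (method, From, To, Call-ID) or (method, To, Call-ID) counts above a threshold within one detection window. The function names, the constructed sample messages, the threshold value and the window (one batch of messages) are assumptions made here.

```python
"""
Added example, not code from the paper: a minimal SIP-aware flood detector
implementing the per-section rules described on pages 6 and 7.
Function names, sample messages and the threshold value are assumptions.
"""
import re
from collections import Counter, defaultdict

_URI_IN_BRACKETS = re.compile(r"<([^>]+)>")


def _addr(value):
    """Reduce a From/To header value to its URI, dropping display name and ;tag=... params."""
    m = _URI_IN_BRACKETS.search(value)
    return m.group(1) if m else value.split(";", 1)[0].strip()


def parse_sip(raw):
    """Return (method, from_uri, to_uri, call_id) for a SIP request, or None otherwise."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        return None  # status line (response) or malformed request line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # RFC 3261 compact header names: f = From, t = To, i = Call-ID
    frm = headers.get("from", headers.get("f", ""))
    to = headers.get("to", headers.get("t", ""))
    call_id = headers.get("call-id", headers.get("i", ""))
    if not (frm and to and call_id):
        return None
    return parts[0], _addr(frm), _addr(to), call_id


def detect(packets, threshold):
    """Apply the four rules to (source_ip, raw_sip) pairs from one window; return a set of alerts."""
    ips_per_dialog = defaultdict(set)    # (From, To, Call-ID) -> source IPs seen
    froms_per_callid = defaultdict(set)  # Call-ID -> From URIs seen
    dialog_count = Counter()             # (method, From, To, Call-ID) -> packets
    to_callid_count = Counter()          # (method, To, Call-ID) -> packets
    for src_ip, raw in packets:
        parsed = parse_sip(raw)
        if parsed is None:
            continue
        method, frm, to, cid = parsed
        ips_per_dialog[(frm, to, cid)].add(src_ip)
        froms_per_callid[cid].add(frm)
        dialog_count[(method, frm, to, cid)] += 1
        to_callid_count[(method, to, cid)] += 1

    alerts = set()
    # Page 6, section A: one From/To/Call-ID must not arrive from several source IPs.
    for key, ips in ips_per_dialog.items():
        if len(ips) > 1:
            alerts.add(("multiple-source-ips", key))
    # Page 6, sections B and C: identical method/From/To/Call-ID above threshold.
    for key, n in dialog_count.items():
        if n > threshold:
            alerts.add(("dialog-rate", key))
    # Page 7: different From addresses sharing one Call-ID.
    for cid, froms in froms_per_callid.items():
        if len(froms) > 1:
            alerts.add(("multiple-from-per-callid", cid))
    # Page 7: identical method/To/Call-ID above threshold.
    for key, n in to_callid_count.items():
        if n > threshold:
            alerts.add(("to-callid-rate", key))
    return alerts


def invite(frm, to, call_id):
    """Build a constructed INVITE request carrying only the headers the rules need."""
    return (f"INVITE sip:{to} SIP/2.0\r\n"
            f"From: \"{frm.split('@')[0]}\" <sip:{frm}>;tag={call_id}\r\n"
            f"To: <sip:{to}>\r\n"
            f"Call-ID: {call_id}\r\n\r\n")


# Constructed sample window: three attack patterns plus one legitimate call.
SAMPLE_WINDOW = (
    # Section A pattern: identical From/To/Call-ID from three source IPs
    [(f"10.0.0.{i}", invite("alice@example.com", "bob@example.com", "call-1")) for i in (1, 2, 3)]
    # Page 7 pattern: two different From addresses reusing one Call-ID
    + [("10.0.0.9", invite("carol@example.com", "bob@example.com", "call-2")),
       ("10.0.0.10", invite("dave@example.com", "bob@example.com", "call-2"))]
    # Flood: the same INVITE repeated from one host above the threshold
    + [("10.0.0.20", invite("eve@example.com", "bob@example.com", "call-3"))] * 5
    # Legitimate single INVITE, which must not raise an alert
    + [("10.0.0.30", invite("frank@example.com", "bob@example.com", "call-4"))]
)

if __name__ == "__main__":
    for alert in sorted(detect(SAMPLE_WINDOW, threshold=3), key=str):
        print(alert)
```

Run as-is it prints four alerts (one per rule) and nothing for the legitimate call; in practice the counters would be reset per statistics interval and the threshold would come from the profiled normal traffic rather than a constant.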

Page 8

Figure 4. SIP DDoS Attack to Proxy Server

• Multiple callers attack SIP servers with massive numbers of SIP packets whose To URIs have been modified. Because of the many different To URIs, DDoS attack detection is difficult.

Page 9

Design of SIP-aware DDoS Attack Detection System

• NetFlow Collection and Sensor Connection Management Module: collects information from SIP application traffic gathering sensors located at multiple sites and decodes it before storing it in shared memory.

• SIP Traffic Detection Module: detects anomalies using the SIP application traffic stored in shared memory.

• Alert & Log Module: records alarms and keeps logs of abnormal traffic.

• User Interface: provides functions for reviewing SIP-based flows and statistics, querying logs, and modifying the system configuration.

• System Management Module: manages system state and the sensor list.

• Interoperability Module: generates the information needed for interoperability with the SIP security management system.

Figure 5. Block diagram of SIP-aware DDoS Attack Detection System

Page 10

• Pre-processor Module: pre-processes the information needed for detection and integrates SIP-based flows.

• SIP-aware DDoS Attack Detection Module

• Traffic Statistic Management Module: calculates SIP application traffic statistics and the knowledge-based detection thresholds derived from normal-behaviour statistics profiling.

• Threshold DB Module: database storing the SIP DDoS attack detection thresholds.

Figure 6. Anomaly-based SIP traffic monitoring module

Page 11

• The first subnet represents the domain of the SIP service provider. On this subnet are the SIP-aware DDoS Attack Detection System, a SIP proxy server, and a session border controller.

• The second subnet represents the domain of attackers.

• On this subnet, there are SIP attack tools and SIP flooding traffic generators.

• The third subnet represents the domain of victims.

• In the victim domain, there are VoIP hard phones and soft phones.

• The fourth subnet represents the domain of legitimate subscribers. To simulate legitimate calls among users, a SIP call generator is used.

Test Environment for SIP-aware DDoS Attack Detection System

Page 12

Test Results (O: detected, X: not detected)

Test conditions                                                  Test Results
CASE              Packet Size (Byte)   PPS      Bandwidth (Mbps)   IPS   Suggested system
Invite Flooding   1044                 100      0.8                X     O
Invite Flooding   1044                 1000     8                  X     O
Invite Flooding   1044                 2000     16                 O     O
Invite Flooding   1044                 10000    80                 O     O

-> The SIP-aware DDoS Attack Detection System detects Invite Flooding at 0.8 Mbps, while the IPS could not detect it until the overall bandwidth threshold (≥16 Mbps) was reached. IPS attack detection does not reflect SIP protocol characteristics.
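The following added example, not code from the paper, shows the two pieces this result depends on: the Traffic Statistic Management and Threshold DB modules of page 10 building a knowledge-based threshold from normal-behaviour statistics, and that threshold applied to the Invite Flooding conditions of the table above next to a bandwidth-only check. The profiling rule (mean plus k standard deviations of the per-interval message count), the 10 s interval, the sample counts and all names are assumptions made here; the 1044-byte packet size, the PPS values and the 16 Mbps IPS threshold are the page's figures.

```python
"""
Added example, not code from the paper: profiled per-method thresholds
(page 10) compared with a bandwidth-only detector on the page 12 test cases.
Profiling rule, interval length, sample counts and names are assumptions.
"""
from statistics import mean, pstdev

INTERVAL_SECONDS = 10  # assumed statistics interval

# Constructed: INVITE and REGISTER counts per interval observed during an
# attack-free profiling period, keyed by SIP method.
NORMAL_PROFILE = {
    "INVITE":   [12, 15, 11, 14, 13, 16, 12, 14, 13, 15],
    "REGISTER": [40, 42, 38, 41, 39, 43, 40, 42, 41, 39],
}


def build_threshold_db(profile, k=3.0):
    """Threshold DB: {method: mean + k*stddev of the normal per-interval count}."""
    return {method: mean(counts) + k * pstdev(counts)
            for method, counts in profile.items()}


def sip_aware_detects(threshold_db, method, pps):
    """SIP-aware rule: messages of this method per interval exceed the profiled threshold."""
    return pps * INTERVAL_SECONDS > threshold_db[method]


def bandwidth_mbps(packet_bytes, pps):
    """Offered load for a test condition: packet size times rate, in Mbit/s."""
    return packet_bytes * pps * 8 / 1_000_000


def volumetric_ips_detects(packet_bytes, pps, threshold_mbps=16.0):
    """Bandwidth-only detector, using the 16 Mbps figure the table reports for the IPS."""
    return bandwidth_mbps(packet_bytes, pps) >= threshold_mbps


def compare(threshold_db, packet_bytes, pps):
    """Return (ips_detects, sip_aware_detects) for one INVITE flooding test case."""
    return (volumetric_ips_detects(packet_bytes, pps),
            sip_aware_detects(threshold_db, "INVITE", pps))


if __name__ == "__main__":
    db = build_threshold_db(NORMAL_PROFILE)
    print("threshold DB:", db)
    for pps in (100, 1000, 2000, 10000):  # the four rows of the page 12 table
        print(f"{pps:>6} pps  {bandwidth_mbps(1044, pps):6.2f} Mbps  "
              f"(IPS, SIP-aware) = {compare(db, 1044, pps)}")
```

The first two rows of the table come out as (False, True) and the last two as (True, True): 100 INVITEs per second is 1000 per interval against a profiled threshold of 18, so the SIP-aware rule fires while the load is still under 1 Mbps; the bandwidth check only fires from 2000 pps upward.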

Page 13

Thank you