design and implementation of sip-aware ddos attack detection system
TRANSCRIPT
Design and Implementation of SIP-aware DDoS Attack Detection System
Introduction:
• SIP is a signaling protocol that controls session establishment, modification, and termination of multimedia services.
• Since SIP-based application services are provided over IP networks, they are exposed not only to the security vulnerabilities of IP but also to SIP-specific vulnerabilities, and both must be secured.
• This paper explains how SIP services can be protected from DDoS (Distributed Denial of Service) attacks by means of a SIP-aware attack detection system.
• Contents of this paper are:
Characteristics of SIP, DDoS attack patterns.
Considerations and design issues of SIP-aware DDoS attack detection.
Currently implemented systems.
Characteristics of SIP
• Generally, DDoS traffic is detected by IP-based security technologies using IP header fields (source IP, source port, destination IP, destination port and protocol).
• But for SIP-based applications, SIP-level information such as the URI (Uniform Resource Identifier) is also needed.
SIP aware DDoS attack patterns
• Section A: Destination IP address is fixed to IP address of a SIP server
• Section B: Source IP address and destination IP address are fixed to IP addresses of SIP proxy servers.
• Section C: Source IP address is fixed to IP address of SIP proxy server.
Figure 1. SIP Traffic Transmission Section Classification
• Section A: Multiple source IP addresses but identical From, To and Call-ID.
• It is easy to determine an attack because different source IP addresses are not allowed to have the same From address.
• Sections B and C: identical method, From, To, and Call-ID. SIP packets with these identical fields transmitted above their thresholds could be classified as DDoS attacks.
SIP DDoS 1 attack to user terminal
Figure 3. SIP DDoS 2 Attack to user terminal
• The figure shows multiple callers transmitting massive numbers of packets to a single callee.
• In this case, it is hard to detect an inconsistency by logical packet analysis in any of sections A, B, and C.
• Sections A, B, C: when SIP packets with different From addresses but an identical Call-ID, or SIP packets with identical method, To, and Call-ID, are transmitted above their threshold, this could be classified as a DDoS attack.
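As an added illustration of the detection rules for sections A, B and C above (example code, not the paper's system): a minimal parser extracts method, From, To and Call-ID from each SIP request, and the rules are then applied over constructed sample traffic. The packet tuple layout, the `make_invite` helper, the threshold value and the alert strings are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")

def parse_sip(raw):
    """Minimal SIP request parser -> (method, {lower-case header: value}); assumes CRLF, no folded/compact headers."""
    start, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(start)
    if not m:
        raise ValueError("not a SIP request line: %r" % start)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), headers

def detect_sip_ddos(packets, threshold):
    """packets: iterable of (source_ip, raw SIP request). Returns a sorted list of alerts."""
    ips_per_dialog = defaultdict(set)  # (From, To, Call-ID) -> source IPs seen
    froms_per_call = defaultdict(set)  # Call-ID -> From addresses seen
    counts = Counter()                 # header tuples -> packet count
    for src_ip, raw in packets:
        method, h = parse_sip(raw)
        frm, to, cid = h.get("from"), h.get("to"), h.get("call-id")
        ips_per_dialog[(frm, to, cid)].add(src_ip)
        froms_per_call[cid].add(frm)
        counts[(method, frm, to, cid)] += 1  # Section B/C key: method, From, To, Call-ID
        counts[(method, to, cid)] += 1       # Figure 3 key: method, To, Call-ID (many callers)
    alerts = set()
    for (frm, to, cid), ips in ips_per_dialog.items():  # Section A: one From, many source IPs
        if len(ips) > 1:
            alerts.add("section-A: %s from %d source IPs" % (cid, len(ips)))
    for cid, froms in froms_per_call.items():  # Figure 3: different From addresses, one Call-ID
        if len(froms) > 1:
            alerts.add("call-id-reuse: %s has %d From addresses" % (cid, len(froms)))
    for key, n in counts.items():  # Sections B/C and Figure 3: identical tuple above threshold
        if n > threshold:
            alerts.add("threshold: %s %s x%d" % (key[0], key[-1], n))
    return sorted(alerts)

def make_invite(frm, to, cid):  # constructed sample INVITE request, message body omitted
    return ("INVITE sip:%s SIP/2.0\r\nFrom: <sip:%s>\r\nTo: <sip:%s>\r\n"
            "Call-ID: %s\r\nCSeq: 1 INVITE\r\n\r\n" % (to, frm, to, cid))

def sample_alerts():  # constructed traffic: one legitimate call, then one INVITE replayed from five IPs
    legit = [("10.0.0.5", make_invite("alice@example.net", "bob@example.net", "legit-1"))]
    flood = [("192.0.2.%d" % i, make_invite("eve@example.net", "bob@example.net", "flood-1"))
             for i in range(1, 6)]
    return detect_sip_ddos(legit + flood, threshold=3)
```

The threshold here is a fixed number for illustration; in the paper's design it comes from the Threshold DB built by the traffic statistics module.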
Figure 4. SIP DDoS Attack to Proxy Server
• Multiple callers attack SIP servers with massive numbers of SIP packets whose To URIs have been modified. Because of the many different To URIs, DDoS attack detection is difficult.
Design of SIP-aware DDoS Attack Detection System
• Net Flow Collection and Sensor Connection Management Module: collects information from SIP application traffic gathering sensors located at multiple sites and decodes it before storing it in shared memory.
• SIP Traffic Detection Module: detects anomalies using the SIP application traffic stored in shared memory.
• Alert & Log Module: records alarms and keeps logs of abnormal traffic.
• User Interface: provides functions for reviewing SIP-based flows and statistics, querying logs, and modifying the system configuration.
• System Management Module: manages system state and the sensor list.
• Interoperability Module: generates the information needed for interoperability with the SIP security management system.
Figure 5. Block diagram of SIP-aware DDoS Attack Detection System
• Pre-processor Module: pre-processes the information needed for detection and integrates SIP-based flows.
• SIP-aware DDoS Attack Detection Module
• Traffic Statistic Management Module: calculates SIP application traffic statistics and the knowledge-based detection threshold used for profiling normal-behavior statistics.
• Threshold DB Module: database storing the SIP DDoS attack detection thresholds.
Figure 6. Anomaly-based SIP traffic monitoring module
• The first subnet represents the domain of SIP service providers. On this subnet are the SIP-aware DDoS Attack Detection System, a SIP proxy server, and a session border controller.
• The second subnet represents the domain of attackers.
• On this subnet, there are SIP attack tools and SIP flooding traffic generators.
• The third subnet represents the domain of victims.
• In the victim domain, there are VoIP hard phones and soft phones.
• The fourth subnet represents the domain of legitimate subscribers. To simulate legitimate calls among users, a SIP call generator is used.
Test Environment for SIP-aware DDoS Attack Detection System
Test Results

Test conditions (CASE, Packet Size, PPS, Bandwidth) and test results (IPS, Suggested system); X: not detected, O: detected.

| CASE | Packet Size (Byte) | PPS | Bandwidth (Mbps) | IPS | Suggested system |
|---|---|---|---|---|---|
| Invite Flooding | 1044 | 100 | 0.8 | X | O |
| Invite Flooding | 1044 | 1000 | 8 | X | O |
| Invite Flooding | 1044 | 2000 | 16 | O | O |
| Invite Flooding | 1044 | 10000 | 80 | O | O |
-> The SIP-aware DDoS Attack Detection System detects Invite Flooding at 0.8 Mbps, while the IPS could not detect it until it reached the overall bandwidth threshold (≥16 Mbps). IPS attack detection does not reflect SIP protocol characteristics.
Thank you