
Denial of service attack and prevention on SIP VoIP infrastructures using DNS flooding

Published: 19 July 2007

Abstract

A simple yet effective Denial of Service (DoS) attack on SIP servers is to flood the server with requests addressed to irresolvable domain names. In this paper we evaluate different possibilities to mitigate these effects and show that over-provisioning is not sufficient to handle such attacks. As a more effective approach, we present a solution called the DNS Attack Detection and Prevention (DADP) scheme, based on the use of a non-blocking DNS cache. Based on various measurements conducted over the Internet, we investigate the efficiency of the DADP scheme and compare its performance with different caching strategies applied.

Published In

IPTComm '07: Proceedings of the 1st international conference on Principles, systems and applications of IP telecommunications
July 2007
107 pages
ISBN: 9781605580067
DOI: 10.1145/1326304

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. DNS
  2. DoS
  3. SIP
  4. VoIP
  5. denial-of-service
  6. prevention

Qualifiers

  • Research-article

Conference

IPTComm07

Acceptance Rates

Overall Acceptance Rate 18 of 62 submissions, 29%
