Advances in Information Sciences and Service Sciences Volume 2, Number 4, December 2010

Design and Implementation of SIP-aware DDoS Attack Detection System

1 Do-Yoon Ha, 2 Chang-Yong Lee, 3 Hyun-Cheol Jeong, 4 Bong-Nam Noh
1 Korea Information Security Agency, [email protected]
2 Korea Information Security Agency, [email protected]
3 Korea Information Security Agency, [email protected]
4 Chonnam National University, [email protected]
doi:10.4156/aiss.vol2.issue4.3

Abstract

SIP is a signaling protocol used for establishing, modifying, and terminating sessions in multimedia services such as VoIP, instant messaging, and video conferencing. Existing IP network security solutions cannot detect new SIP-specific network threats because they cannot reflect the characteristics of SIP. In this paper, we propose a SIP-aware DDoS Attack Detection System that can monitor SIP signaling flows and detect SIP-aware DDoS attacks. The proposed system collects attributes of SIP traffic and performs analysis and detection based on statistics and behavior.

Keywords: Session Initiation Protocol, IP Telephony Security, DDoS

1. Introduction

SIP (Session Initiation Protocol) is a signaling protocol that controls session establishment, modification, and termination of multimedia services [1]. Voice over IP (VoIP), Internet conferencing, and messengers are good examples of SIP-based services [2]. SIP will become a major session control protocol of Internet-based multimedia services in the near future. Unfortunately, SIP-based application services running over IP networks are exposed not only to the security vulnerabilities inherited from IP but also to new security vulnerabilities inherited from SIP. SIP-based application services are provided by IP-based routing, URIs (Uniform Resource Identifiers), and SIP proxy servers. Hence, effectively detecting and responding to attacks by relying solely on existing IP-based analysis, security technology and devices is not easy. This paper presents the SIP-aware DDoS Attack Detection System from a traffic point of view. The paper is organized as follows: chapter 2 introduces the characteristics of the SIP protocol, related works, and SIP DDoS attack patterns; chapter 3 describes the considerations and design issues of the SIP-aware DDoS Attack Detection System; chapter 4 introduces the currently implemented system; chapter 5 presents the conclusion and future work.

2. Related Works

2.1. Characteristics of SIP Protocol

IP-based security technologies detect DDoS traffic by analyzing the 5-tuple (source IP, source port, destination IP, destination port, and protocol) of IP traffic. But to provide services to SIP-based applications, a URI is also needed. Unfortunately, current security technologies do not properly recognize the URI (Uniform Resource Identifier) used by SIP-based application services. Hence, there are great limitations on SIP traffic analysis and on SIP-based DDoS traffic detection.

2.2. Related Works

Geneiatakis proposed a system structure that detects malformed SIP message attacks [3]. Wu proposed SCIDIVE, a VoIP attack detection system capable of detecting stateful SIP attacks (e.g. SIP BYE attacks) [4]. Kang proposed a profiling technology that analyzes VoIP traffic characteristics such as the average registration period, the ratio of callers to callees, etc. [5]. Currently various research efforts on SIP-based VoIP security are in progress.

2.3. SIP-aware DDoS Attack Patterns

This section categorizes the SIP-aware Distributed Denial of Service (DDoS) attack patterns detectable in a SIP-based application service environment and analyzes the characteristics of each attack. SIP is an application layer protocol, so pattern analysis should take application layer information, the URI, into consideration as well as IP layer information. The Call-ID, a session identifier, should be taken into consideration as well. SIP-aware DDoS attack patterns could be categorized in many different ways based on various criteria. However, this paper categorizes attack patterns based upon the target of the attack and the way of attack, that is, whether it is a distributed attack or not.

Figure 1. SIP Traffic Transmission Section Classification

In general, a SIP signal generated by a caller is transmitted to a callee via a proxy server as shown in the figure. The path from a caller to a callee can be divided into 3 sections: the section from a caller to a server, the section between servers, and the section from a server to a callee. For convenience, let's call them section A, B, and C respectively. The SIP traffic on each section has the following characteristics.

Section A: The destination IP address is fixed to the IP address of a SIP server.
Section B: The source IP address and destination IP address are fixed to the IP addresses of SIP proxy servers.
Section C: The source IP address is fixed to the IP address of a SIP proxy server.

Due to these characteristics, SIP signals collected from different sections may appear differently although they belong to the same users, and SIP DoS attack patterns collected from different sections may appear differently as well.

SIP DDoS attack to user terminal

Figure 2. SIP DDoS 1 attack to user terminal


The figure above shows a general DDoS attack pattern. Multiple callers attack a callee using replicated SIP packets. It is difficult to detect this SIP DDoS attack on section B and section C, as shown above.

Section A: Multiple source IP addresses but identical From, To, method and Call-ID. It is easy to determine an attack because different source IP addresses are not allowed to have the same From address.
Section B, Section C: Identical method, From, To, and Call-ID. SIP packets transmitted above their thresholds could be classified as DDoS attacks.

Figure 3. SIP DDoS 2 Attack to user terminal

The figure shows multiple callers transmitting massive numbers of packets to a callee. In this case, it is hard to detect an inconsistency by logical packet analysis on all of sections A, B, and C.

Section A, B, C: When SIP packets with different From addresses but an identical Call-ID, and SIP packets with identical method, To, and Call-ID, are transmitted above their threshold, it could be classified as a DDoS attack.

Figure 4. SIP DDoS Attack to Proxy Server

Multiple callers attack SIP servers with massive numbers of SIP packets whose To URI is modified. Due to the multiple To URIs, DDoS attack detection is difficult.

Section A: An attack could be detected due to the fact that different source IP addresses are not allowed to have an identical From address. If SIP packets are transmitted from different source IP addresses with an identical From address above their threshold, it could be considered a DoS attack.
Section B: If SIP packets of identical method, From, and Call-ID are transmitted above their threshold, it could be considered a DoS attack.


Most DoS attack attempts can be detected by traffic analysis of section A, as follows from the per-section characteristics described above. The table below displays the characteristics of SIP DoS attack traffic patterns on section A.

Table 1. Characteristics of SIP DoS attack traffic patterns

Attack Pattern               | Src IP | Dst IP   | Method    | From      | To        | Call-ID
SIP DDoS 1 to user terminal  | many   | Proxy/UA | identical | one       | identical | one
SIP DDoS to proxy server     | many   | Proxy    | identical | identical | many      |
SIP DDoS 2 to user terminal  | many   | Proxy    | identical | many      | one       | identical
SIP DDoS to proxy server     | one    | Proxy    | identical | many      | identical |

3. Design of SIP-aware DDoS Attack Detection System

3.1. Considerations and design issues of SIP-aware DDoS Attack Detection System

SIP traffic related information gathering feature: Collect all packets from the network while they remain intact and separate SIP and RTP packets from other IP packets. Gather SIP specific information such as caller information, callee information, RTP QoS, etc. Generate statistics of traffic and flows per session.
SIP traffic analysis feature: Analyze traffic according to the properties of the SIP-aware application service. Detect anomalies in SIP traffic using the analysis result and the collected flow statistics.
SIP traffic management feature: GUI (Graphic User Interface) screens are provided to an administrator which display current traffic monitoring information, abnormal traffic detection information and system environment configuration.

3.2. Block diagram of SIP-aware DDoS Attack Detection System

Figure 5. Block diagram of SIP-aware DDoS Attack Detection System

The SIP-aware DDoS Attack Detection System consists of the following modules:


- NetFlow Collection and Sensor Connection Management Module: Collect information from SIP application traffic gathering sensors located at multiple locations and decode the information before storing it in shared memory.
- Anomaly-based SIP Traffic Detection Module: Detect anomalies using the SIP application traffic stored in shared memory.
- Alert & Log Module: Record alarms and keep the logs for abnormal traffic.
- User Interface: Provide the functions of reviewing SIP-based flows and statistics, querying logs, and modifying the system configuration.
- System Management Module: Manage the system state and the sensor list.
- Interoperability Module: Generate the information needed for interoperability with the SIP security management system.

Interface among major modules:
Input: NetFlow v9 format SIP application traffic statistics. (UDP socket)
1: Decoded and structured SIP NetFlow data. (Linux shared memory)
2: Normal SIP NetFlow data. (MySQL DBMS)
3: Suspicious SIP NetFlow data and anomaly detection data. (Linux message queue)
4: Log of detection time, attacker, victim, attack pattern, etc. (MySQL DBMS)
Output: Interoperability information for the SIP security management system. (TCP socket)

Figure 6. Anomaly-based SIP traffic monitoring module

The SIP-aware DDoS Attack Detection System consists of the following modules.
- Pre-processor Module: Pre-process the information needed for detection and integrate SIP-based flows that were divided into separate sessions but must be merged into one.
- SIP-aware DDoS Attack Detection Module: Detect SIP DDoS attacks.
- Traffic Statistic Management Module: Calculate SIP application traffic statistics and the knowledge-based detection threshold for normal behavior statistics profiling.
- Threshold DB Module: Database in which the SIP DDoS attack detection thresholds are stored.

3.3. Subjects Analyzed for SIP-aware DDoS Attack Detection System

The subjects reviewed by this paper for SIP application traffic analysis can be categorized into three groups: user behavior, call behavior, and server/network status.


Table 2. Subjects Analyzed for SIP-aware DDoS Attack Detection

User Behavior Analysis:
- From/To/Call-ID Ratio Analysis
- Top N Traffic User Analysis
- REGISTER Message Transmit Period

Call Behavior Analysis:
- Call-ID/SSRC Ratio Analysis
- Req/Res Ratio Analysis
- Method per Transmission Rate Analysis
- IP/URI Ratio Analysis within REGISTER Message
- RTP Seq. No. Randomness per SSRC

Server/Network Status Analysis:
- SIP/RTP Traffic Volume Transition Analysis
- Status Code Ratio Analysis per Server
- QoS Change Analysis

By analyzing the subjects listed above, the attributes of abnormal SIP traffic that distinguish it from normal calls can be defined. Appropriate thresholds derived from the analysis can be utilized for SIP DDoS attack traffic detection. The detection algorithm basically follows the processes below.

Classification per criterion: SIP-based flows transmitted from each sensor are classified based on a predefined criterion. All SIP-based flows with the same destination IP are grouped together.

Anomaly detection: Anomaly detection is executed on a predefined time interval (default: 1 minute) and detects SIP flow groups that deviate from the normal threshold. Detected anomalies are reported to the anomaly pattern analysis stage.
- Calculate inbound bps per group (bps = sum(IN_Bytes) / (Last_switched - First_switched))
- Calculate ratio per method
- Calculate status code ratio
- Calculate number of source IPs (distinct(source IP))
- Calculate From/To ratio (From Ratio = distinct(From) / (distinct(From) + distinct(To)))
- Choose threshold (apply the server threshold if dst IP = server, apply the terminal threshold if dst IP = terminal)
- Detect any group that deviates from the normal threshold
- Attach the detection result. Normal traffic is stored in the normal traffic DB table.

Anomaly pattern analysis: Perform per-session pattern analysis on suspicious SIP flow groups and finally determine whether the pattern is abnormal or not.
- Classify patterns based on Call-ID, From, and To
- Update per-session parameters (sum or average)
- Evaluate anomaly of sessions
- Determine anomaly using information consolidated with previous information
- Store normal sessions in the normal DB and abnormal sessions in the abnormal DB
- Record alarm and log
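The grouping, per-group statistics and per-session pattern analysis described above, and the section A rule from Table 1 that different source IPs must not share one From address, as an added Python example that is not the paper's code. The record field names, the proxy address, the thresholds and the sample flows are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

SERVER_IPS = {"10.0.0.5"}  # constructed: address of the SIP proxy server
THRESHOLDS = {  # constructed; the paper derives its own by profiling normal traffic
    "server":   {"max_src_ips": 100, "max_bps": 2_000_000, "from_ratio": (0.2, 0.8)},
    "terminal": {"max_src_ips": 2,   "max_bps": 200_000,   "from_ratio": (0.2, 0.8)},
}

def group_stats(flows):
    """Per-group figures of Section 3.3, computed with the paper's own formulas."""
    first = min(f["first_switched"] for f in flows)
    last = max(f["last_switched"] for f in flows)
    n_from = len({f["from"] for f in flows})
    n_to = len({f["to"] for f in flows})
    methods = Counter(f["method"] for f in flows)
    return {
        # paper: bps = sum(IN_Bytes) / (Last_switched - First_switched), i.e. bytes/s; x8 for bits
        "bps": sum(f["in_bytes"] for f in flows) / max(last - first, 1),
        "method_ratio": {m: c / len(flows) for m, c in methods.items()},
        "src_ips": len({f["src_ip"] for f in flows}),
        "from_ratio": n_from / (n_from + n_to),
    }

def session_patterns(flows):
    """Per Call-ID: the largest number of distinct source IPs that share one From address."""
    sessions = defaultdict(lambda: defaultdict(set))
    for f in flows:
        sessions[f["call_id"]][f["from"]].add(f["src_ip"])
    return {cid: max(len(ips) for ips in by_from.values()) for cid, by_from in sessions.items()}

def detect(flows, thresholds=THRESHOLDS):
    """Group by destination IP, apply the server or terminal threshold, report deviations."""
    groups = defaultdict(list)
    for f in flows:
        groups[f["dst_ip"]].append(f)
    verdict = {}
    for dst, grp in groups.items():
        th, st = thresholds["server" if dst in SERVER_IPS else "terminal"], group_stats(grp)
        lo, hi = th["from_ratio"]
        checks = (("src_ips", st["src_ips"] > th["max_src_ips"]), ("bps", st["bps"] > th["max_bps"]),
                  ("from_ratio", not lo <= st["from_ratio"] <= hi))
        reasons = [name for name, bad in checks if bad]
        spoofed = {c: n for c, n in session_patterns(grp).items() if n > 1}  # section A rule
        verdict[dst] = {"suspicious": bool(reasons), "reasons": reasons, "spoofed_sessions": spoofed}
    return verdict

def flow(src, dst, frm, to, cid, nbytes):  # constructed NetFlow-like SIP record, 60 s window
    return {"src_ip": src, "dst_ip": dst, "from": frm, "to": to, "call_id": cid,
            "method": "INVITE", "in_bytes": nbytes, "first_switched": 0, "last_switched": 60}

# Constructed sample: one legitimate call plus five spoofed sources replaying the same INVITE
SAMPLE = [flow("10.0.2.7", "10.0.1.20", "sip:bob@ex", "sip:carol@ex", "c-1", 3000)] + [
    flow(f"10.0.9.{i}", "10.0.1.20", "sip:alice@ex", "sip:carol@ex", "c-2", 600_000) for i in range(1, 6)]
```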

4. Design Implementation of SIP-aware DDoS Attack Detection System

4.1. Test Environment

The test environment for the SIP-aware DDoS Attack Detection System is composed of four subnets.


Figure 7. Test Environment for SIP-aware DDoS Attack Detection System

The first subnet represents the domain of the SIP service provider. On this subnet, there are the SIP-aware DDoS Attack Detection System, a SIP proxy server, and a session border controller. The second subnet represents the domain of the attackers. On this subnet, there are SIP attack tools and SIP flooding traffic generators. The third subnet represents the domain of the victims. In the victim domain, there are VoIP hard phones and soft phones. The fourth subnet represents the domain of legitimate subscribers. To simulate legitimate calls among users, a SIP call generator is used.

4.2. Test Result

Attackers spoofing normal user terminals transmit 1,044-byte Invite Flooding packets. The Invite Flooding traffic is gradually increased to 1,000 pps, 2,000 pps, and so on, to consume the available bandwidth. The detection capability of an IP-based IPS (Intrusion Prevention System) and of the SIP-aware DDoS Attack Detection System is compared in the table below (O: detected, X: not detected).

Table 3. Test Results

Test conditions                                          | Test results
Case            | Packet size (byte) | PPS    | Bandwidth (Mbps) | IPS | Suggested system
Invite Flooding | 1,044              | 100    | 0.8              | X   | O
Invite Flooding | 1,044              | 1,000  | 8                | X   | O
Invite Flooding | 1,044              | 2,000  | 16               | O   | O
Invite Flooding | 1,044              | 10,000 | 80               | O   | O

The SIP-aware DDoS Attack Detection System detects Invite Flooding at 0.8 Mbps, while the IPS could not detect it until it reached the overall bandwidth threshold (≥ 16 Mbps). IPS attack detection does not reflect SIP protocol characteristics.


5. Conclusion and future work

Considerations and design issues related to the SIP-aware DDoS Attack Detection System have been reviewed. The proposed SIP-aware DDoS Attack Detection System is capable of collecting, analyzing, and managing SIP traffic. With the presented SIP DDoS analysis items, user behavior analysis, abnormal call generation analysis, and network status monitoring are also feasible. Hereafter, research on knowledge-based threshold deduction will be pursued further to increase the accuracy of the thresholds used for SIP DDoS attack detection.

6. Acknowledgement

This work was supported by the IT R&D program of MKE/KEIT [KI001850, The Development of SIP-Aware Intrusion Prevention Technique for protecting SIP-based Application Services].

7. References

[1] J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002.
[2] H. Schulzrinne, S. Casner, R. Frederick and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", RFC 1889, January 1996.
[3] D. Geneiatakis, G. Kambourakis, T. Dagiuklas, C. Lambrinoudakis and S. Gritzalis, "A Framework for Detecting Malformed Messages in SIP Networks", the 14th IEEE Workshop on Local and Metropolitan Area Networks (LANMAN), Greece, September 2005.
[4] Y. Wu, S. Bagchi, S. Garg, N. Singh and T. Tsai, "SCIDIVE: A Stateful and Cross Protocol Intrusion Detection Architecture for Voice-over-IP Environments", 2004 International Conference on Dependable Systems and Networks (DSN'04), Florence, Italy, 2004.
[5] H. Kang, Z. Zhang, S. Ranjan and A. Nucci, "SIP-based VoIP Traffic Behavior Profiling and its Application", MineNet'07, San Diego, USA, June 2007.
