A lightweight countermeasure to cope with flooding attacks against session initiation protocol

Abstract

Session Initiation Protocol (SIP) is a widely used protocol for voice and video communication in Internet architecture. Due to its open nature and the lack of robust security mechanisms, SIP is vulnerable to several attacks similar to those existing in Internet infrastructure, such as the flooding attack. An attacker can use any SIP request to launch a flooding attack, leading to severe consequences at either client or server side SIP elements or both of them. In this context, end user's devices are considered more vulnerable to flooding attacks due to their limited capabilities. In this paper, we focus on INVITE flooding attack for which we propose a simple and robust detection scheme. This scheme prevents an attacker from launching an INVITE flood through a transition state table used by the proxy to analyse the incoming INVITE requests and exclude the suspicious ones. Our scheme requires also that the end-user keeps track of the time and IP addresses of each incoming request. Furthermore, we modify the header of the REGISTER request by adding a new field named Critical number which holds the value of maximum number of users or callers that could easily be handled by the end user. Unlike the existing solutions, our scheme does not require any special detection device or firewall at the SIP server. The proposed mechanism has been implemented in SIP Express Router (SER) and the obtained results have confirmed its effectiveness.