Leveraging the SIP load balancer to detect and mitigate DDos attacks

Abstract

SIP-based Voice Over IP(VoIP) network is becoming predominant in current and future communications. Distributed Denial of service attacks pose a serious threat to VOIP network security. SIP servers are victims of DDos attacks. The major aim of the DDos attacks is to avoid legitimate users to access resources of SIP servers. Distributed Denial of service attacks target the VOIP network by deploying bots at different locations by injecting malformed packets and even they halt the entire VOIP service causes degradation of QoS(Quality of Service). DDos attacks are easy to launch and quickly drain computational resources of VOIP network and nodes. Detecting DDos attacks is a challenging and extremely difficult due to its varying strategy and scope of attackers. Many DDos detection and prevention schemes are deployed in VOIP networks but they are not complete working in both realtime and offline modes. They are inefficient in detecting dynamic and low-rate DDos attacks and even fail when the attack is launched by simultaneously manipulating multiple SIP attributes. In this paper we propose a novel scheme based on Hellinger distance(HD) to detect low-rate and multi-attribute DDos attacks. Usually DDos detection and mitigations schemes are implemented in SIP proxy. But we leverage the SIP load balancer to fight against DDos by using existing load balancing features. We have implemented the proposed scheme by modifying leading open source kamailio SIP proxy server. We have evaluated our scheme by experimental test setup and found results are outperforming the existing DDos prevention schemes in terms of detection rate, system overhead and false-positive alarms.