SIP Flooding Attack Detection with a Multi-Dimensional Sketch Design

Abstract

The session initiation protocol (SIP) is widely used for controlling multimedia communication sessions over the Internet Protocol (IP). Effectively detecting a flooding attack to the SIP proxy server is critical to ensure robust multimedia communications over the Internet. The existing flooding detection schemes are inefficient in detecting low-rate flooding from dynamic background traffic, or may even totally fail when flooding is launched in a multi-attribute manner by simultaneously manipulating different types of SIP messages. In this paper, we develop an online detection scheme for SIP flooding attacks, by integrating a novel three-dimensional sketch design with the Hellinger distance (HD) detection technique. In our sketch design, each SIP attribute is associated with a two-dimensional sketch hash table, which summarizes the incoming SIP messages into a probability distribution over the sketch table. The evolution of the probability distribution can then be monitored through HD analysis for flooding attack detection. Our three-dimensional design offers the benefit of high detection accuracy even for low-rate flooding, robust performance under multi-attribute flooding, and the capability of selectively discarding the offending SIP messages to prevent the attacks from bringing damages to the network. Furthermore, we design a scheme to control the distribution of the normal traffic over the sketch. Such a design ensures our detection scheme’s effectiveness even under the severe distributed denial of service (DDoS) scenario, where attackers can flood over all the sketch table entries. In this paper, we not only theoretically analyze the performance of the proposed detection techniques, but also resort to extensive computer simulations to thoroughly examine the performance.