Study on Auto Detecting Defence Mechanisms against Application Layer Ddos Attacks in SIP Server

Abstract

Denial of Service (DoS) or Distributed Denial of Service (DDoS) is a powerful attack which prevents the system from providing services to its legitimate users. Several approaches exist to filter network-level attacks, but application-level attacks are harder to detect at the firewall. Filtering at application level can be computationally expensive and difficult to scale, while still creating bogus positives that block legitimate users. In this paper, authors show application layer DoS attack for SIP server using some open source DoS attack tools and also suggest a mechanism that can protect a given SIP server from application-level DoS attacks especially the attacks targeting the resources including CPU, sockets, memory of the victim server. In this paper author’s attempt to illustrate application layer distributed denial of Service (DDoS) attack on SIP Server such as SIP flooding attack, real time transport (RTP) flooding attack using open source DDoS attack tools. We propose a new DDoS defence mechanism that protects SIP servers from application-level DDoS attacks based on the two methodologies: IPtables and fail2ban detection. The attack flow detection mechanism detects attach flows based on the symptom or stress at the server, since it is getting more difficult to identify bad flows only based on the incoming traffic patterns. A popular software known as Wireshark which is a network protocol analyzer is used to capture the packets during DoS attack from the victim server Ethernet interface to detect the attacking host IP address and analysis the types of attack. We evaluate the performance of the proposed scheme via experiment