A comprehensive study of flooding attack consequences and countermeasures in Session Initiation Protocol (SIP)


SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks (2015)
Published online in Wiley Online Library (wileyonlinelibrary.com)

RESEARCH ARTICLE

Intesab Hussain 1, Soufiene Djahel 2 *, Zonghua Zhang 3 and Farid Naït-Abdesselam 1
1 Paris Descartes University, Paris, France
2 University College Dublin, Dublin, Ireland
3 Institut Mines-Telecom/TELECOM Lille, France

ABSTRACT

Session Initiation Protocol (SIP) is widely used as a signaling protocol to support voice and video communication in addition to other multimedia applications. However, it is vulnerable to several types of attacks because of its open nature and lack of a clear defense line against the increasing spectrum of security threats. Among these threats, the flooding attack, known for its destructive impact, targets both the SIP User Agent Server (UAS) and the User Agent Client (UAC), leading to a denial of service in Voice over IP applications. In particular, the INVITE message is considered one of the major root causes of flooding attacks in SIP. This is because an attacker may send numerous INVITE requests without waiting for responses from the UAS or the proxy in order to exhaust their respective resources. Most of the solutions devised to cope with the flooding attack are either difficult to deploy in practice or require significant changes in the SIP server implementation. Apart from these challenges, flooding attacks are much more diverse in nature, which makes the task of defeating them a real challenge. In this survey, we present a comprehensive study of the flooding attack against SIP, by addressing its different variants and analyzing its consequences. We also classify the existing solutions according to the different flooding behaviors they are dealing with, their types, and targets. Moreover, we conduct a thorough investigation of the main strengths and weaknesses of these solutions and deeply analyze the underlying assumptions of each of them for better understanding of their limitations. Finally, we provide some recommendations for enhancing the effectiveness of the surveyed solutions and address some open challenges. Copyright 2015 John Wiley & Sons, Ltd.

KEYWORDS
VoIP; SIP; network security; SIP security; intrusion detection; DoS

*Correspondence
Soufiene Djahel, University College Dublin, Dublin, Ireland. sdjahel@yahoo.fr

1. INTRODUCTION

Voice over Internet Protocol (VoIP) is a fast growing internet service because of its flexible and easy deployment in addition to its lower cost compared with traditional telephone networks. Nowadays, many organizations are migrating their services from traditional telephone systems to VoIP. These services are easy to deploy but vulnerable to a number of security attacks as they are based on the IP platform. VoIP service uses H.323 and SIP [1] protocols to support audio-visual communication. SIP provides similar services to H.323 but with lower complexity and better scalability. SIP is an application layer protocol, which creates, modifies, and terminates communication sessions. It can be used with other Internet Engineering Task Force protocols to build a complete multimedia architecture, for example, with Real Time Transport Protocol [2] and Session Description Protocol [3]. When two parties want to communicate with each other, the User Agent Client (UAC) sends a request to the corresponding User Agent Server (UAS). The user needs to register his current IP location with the combination of SIP addresses. The registration phase in SIP is a way to associate the SIP uniform resource indicator (URI) with the machine into which the user is currently logged on. It helps to find the current location of the callee through the proxy.
The proxy server queries the registrar that contains the location server, which is a database storing the users' records and their SIP URIs along with their current IP addresses. Notice that the caller does not have to register from a single device only and more than one user can be registered from the same device simultaneously. The SIP registration is used for routing incoming requests only. The calling party sends an INVITE request to the corresponding SIP proxy, which extracts the IP address of the callee and forwards the request. During this conversation, both parties exchange their ports and addresses. Afterwards, when they start their dialog, they bypass the proxies because they now know the location of each other from the contact header field. Figure 1 depicts the different components involved in a simple SIP conversation. Notice that the redirect server plays an important role in the conversation as sometimes the proxies are absent or busy because of the traffic load. This server provides alternative locations to the caller to reach its goal. Figure 2 shows an example of a SIP session in which a single proxy is involved while Figure 3 illustrates a scenario of multiple proxies involved in SIP call establishment. Once the connection is established, both ends communicate directly without the help of the proxy.

Figure 1. SIP components.

Many security mechanisms have been applied to protect SIP from various attacks, such as Transport Layer Security (TLS) [4], Hypertext Transfer Protocol digest authentication [5], IPsec [6], and Secure/Multipurpose Internet Mail Extensions [7]. However, none of them is a silver bullet. Usually, the digest authentication algorithm is the most frequently used authentication mechanism in SIP. It uses a trusted and pre-arranged environment with password distribution, but it is still vulnerable to man-in-the-middle attack. Moreover, it is only used to secure the SIP URI and does not adequately secure its header fields.
On the other hand, the role of IPsec is restricted to the protection of multimedia conversation between the servers only. TLS is useful in inter-domain authentication, but the messages could be intercepted at any hop because of the lack of encryption at this specific hop. Consequently, TLS does not ensure end-to-end security. Without a public key infrastructure in the VoIP environment, TLS cannot guarantee a sufficient level of security.

Figure 2. Example of SIP session involving single proxy.

There are different types of attacks in SIP such as DoS attacks, call hijacking, toll fraud, Spams over Internet Telephony (SPIT), and vishing. The DoS attack is the most harmful attack amongst all [8,9], as it exhausts the server resources and the channel bandwidth. DoS attacks include signaling attacks, malformed packets, and flooding attacks. In the literature, most of the existing works, such as [10] and [11], focus on the general DoS attack without providing any deep investigation of any of its causes (i.e., other attacks that lead to DoS). To fill this gap, we conduct in this survey an insightful overview of one of the DoS attack categories, which is the flooding attack targeting the SIP protocol. In [12], different DoS attacks were discussed and classified. As opposed to this work, we focus on one specific attack, which is the flooding attack, that causes DoS and highlight the different techniques used by the attackers to launch it against SIP. Additionally, we present an up-to-date survey of the pioneering countermeasures proposed to cope with this attack along with a deep analysis of their advantages and drawbacks. Finally, we present the lessons learnt from this study by suggesting some ideas or research directions for improving the effectiveness of those solutions or designing novel ones.

Figure 3. Example of SIP session involving multiple proxies.

The rest of the paper is organized as follows. Section 2 gives an overview on SIP components and request methods. In Section 3, we describe the flooding attack and its consequences on both the end user and the SIP proxy server. Section 4 highlights the different types of flooding attacks, followed by an overview on its behaviors in Section 5. Section 6 presents the most significant solutions in the literature, whereas Section 7 compares them according to several criteria. In Section 8, we discuss the different factors affecting the efficiency of the existing solutions, and finally, we conclude the paper in Section

2. SIP COMPONENTS

In this section, we present the essential components of SIP, as shown in Figure 1, as well as its main request methods which will be used throughout this survey to explain some notions related to flooding attacks. These components and their main role are described in the following.

The proxy: a SIP proxy is an intermediate device that manages the setup of calls between SIP devices including the control of call routing, registration, authorization, and network access. All SIP calls must be routed through the proxy, which performs many call setup functions for SIP. The proxy routes the requests to the current location of the user, authenticates, and authorizes them. Meanwhile, it implements the policies given by the service provider and makes features available to the users.
In the SIP architecture, the SIP proxy manages several operations such as call setup, call controlling, call routing, registration, network access, network security, and authorization.

The end user: end user devices in a SIP system are called UA, which are logical end-points of the SIP network. The entity sending a request is known as UAC, while the receiving end user is called UAS. The role of UAC and UAS lasts during the SIP transaction. A SIP transaction occurs between a client and a server and comprises all the messages from the first request sent from the client to the server up to a final (non-1xx) response sent from the server to the client. If the request is INVITE and the final response is a non-2xx, then the transaction also includes an ACK to the response. The ACK for a 2xx response to an INVITE request is considered a separate transaction. The SIP phone is a SIP user agent that provides phone functionalities. Notice that the traditional phone or soft-phone can be used as a SIP phone as well.

The registrar: the registrar is a server that stores information about SIP URI to one or more IP addresses for its domain. More than one user agent can register at the same URI. Hence, all the registered UASs will receive a call to the SIP URI. The registrar is usually connected to the proxy; however, sometimes, it can be connected to the redirect server.

The redirect server: redirect servers direct the traffic to the alternative SIP URIs when they receive redirection. The redirect servers connect the proxy to the external domains. Sometimes, they are used to reduce the processing load on proxy servers that are routing the information. In case the SIP server is temporarily unresponsive to a client's request, the redirect server forwards the routing information about the request to the desired destination and withdraws from further communication. In this way, the redirect server helps to find out the location of the target. It is worth mentioning that a redirect server generates redirect or 3xx responses to direct the clients to alternative sets of URIs, whereas SIP methods are used to initiate, terminate, cancel, and acknowledge the session.

In Table I, we present the SIP request methods, among which REGISTER and INVITE are the most used to launch a flooding attack.

Table I. Description of SIP methods.

| Method | Description |
|---|---|
| REGISTER | The end user indicates its current IP address and the URLs for which it would like to receive calls |
| INVITE | Used to establish a media session between end users |
| ACK | Confirms reliable message exchanges between end users |
| CANCEL | Cancel the ongoing session |
| BYE | Terminates a session between two end users |
| OPTIONS | Is used to get the capabilities of a caller without initiating a call |
| INFO | Transport signal during call |
| PRACK | Acknowledge the provisional response |
| UPDATE | Updates the session information |
| REFER | It helps to transfer a user to URI |
| SUBSCRIBE | Postulate notification of an event |
| NOTIFY | Transport of subscribed event notification |
| MESSAGE | It transports the body of instant messages |
| PUBLISH | It helps to upload the current state of the server |

SIP, Session Initiation Protocol; IP, Internet Protocol; URLs, uniform resource locators; URI, uniform resource indicator.

3. THE CONSEQUENCES OF FLOODING ATTACKS

In the last decade, Internet threats have seen a tremendous growth because of the advances in technology. The DoS attack, illustrated in Figures 4 and 5, is one of the most hazardous Internet attacks.
SIP inherits some threats from TCP/IP in addition to its vulnerability to some application level attacks. The INVITE flooding attack is one of the most devastating attacks targeting SIP. In this attack, the attacker generates a large number of INVITE requests to exhaust the server and callee resources. Both the SIP proxy and the end user are vulnerable to the flooding attack. As the proxy must be connected with the callee for several minutes, it is easy to keep it busy by sending overwhelming INVITE requests without waiting for the corresponding acknowledgment. Flooding attacks are also present in other technologies, for example, in named data networking [13], but the mechanism applied in the latter is different from that used in SIP to launch the attack.

We distinguish several scenarios of flooding attack as described in the following. The attacker could be a legitimate SIP user, which means that he or she holds an account in the UAS, but overloads the callee with a flood of INVITE requests. Moreover, the attacker could be an outsider in case of the absence of authentication. This type of attack is not easy to detect because of the insecure environment. Another possibility of INVITE flooding could be the Distributed Denial of Service (DDoS) in which many attackers launch the attack from different locations in a distributed fashion. Therefore, coping with such an attack is a real challenge.

Figure 4. Illustration of invite flooding attack in case of single proxy.

Figure 5. Illustration of invite flooding attack in case of multiple proxies.

In general, the SIP devices are capable of handling few requests simultaneously. In case of an INVITE flood attack, the device is overloaded in terms of memory usage and processing [14]. Moreover, the communication channel becomes congested, leading to DoS at the end user side as well as at the proxy side and communication channel. Usually, the SIP end user has limited resources, and it is capable of handling a certain number of requests simultaneously, so the end user is exhausted more quickly than the proxy server. The latter may be blocked when it receives a large number of INVITE requests. In what follows, we discuss the three main consequences of the INVITE flooding attack.

Memory consumption

Memory consumption is a severe problem incurred by the INVITE flooding attack. When the attackers launch the flooding attack, they directly affect the memory consumption at both the end user and the proxy server. The end user has fewer memory resources than the proxy, so it is more vulnerable to this attack, and the attackers need less effort to exhaust its memory compared with the attack launched against the proxy. The UAS copies all incoming messages into its buffer, then this buffered data could be treated in two ways, as stated in [1].

Stateless servers, in which the buffered data are only maintained until the message has reached its destination. These types of proxy servers are less vulnerable to flooding attacks.

Stateful servers, which are further split into two categories.

Transaction state: in this case, the proxy server maintains the record from the beginning of the transaction to its end. Usually, the proxy waits for 3 min for the response from the callee, which makes it vulnerable to flooding attacks. Moreover, it needs to wait for the ACK signal for 64*T1, where in most cases, the T1 value is equal to 500 s.

Session state: in the case of firewalls or Network Address Translation (NAT), the proxy server maintains the information during the whole session instead of the transaction duration only as in the previous case.

Processor utilization is another critical issue during the flooding attack [15], as in most cases the processor utilization slows down the machines and creates a DoS situation at the end user or at the proxy server side. Despite its critical nature, our focus in the rest of this paper is mainly devoted to the memory consumption because it is considered as the most destructive consequence of flooding attacks in the majority of the works in the literature.

Communication channel exhaustion between the nodes is also a vulnerability that affects the communication delays during audio-visual services. However, this issue is not directly concerned with VoIP systems.

Figure 6. Impact of INVITE flooding attack rate (i.e. number of received INVITE requests per second) on the SIP device response time.

Impact of flooding attack on SIP server

In Figure 6, we plot the response time to the different rates of INVITE requests sent by an attacker. In our previous work [16], different flooding rates were applied to INVITE and REGISTER methods. We have measured the response time to illustrate the delay induced by the increasing memory consumption of SIP devices during the attack. We draw the response time of a SIP device under different INVITE flooding rates. Note that the SIP device response time increases gradually with the increase of the number of INVITE requests sent by the attacker. Thus, these results show that the INVITE flooding attack has a detrimental impact on the memory consumption of SIP devices during the attack, which is the main reason for the delayed response of the callee to the caller.

Figure 7. Same caller sending many requests simultaneously to the same callee.

4. FLOODING ATTACK STRATEGIES

To launch the flooding attack, the attackers may use INVITE, REGISTER, and OPTIONS methods, but the most common and critical among them is the INVITE flooding as it leads to the exhaustion of the victim's resources (i.e., memory, CPU, and bandwidth). Additionally, flooding attacks are diverse in nature and can be categorized based on different metrics, for example, stateful versus stateless proxy, internal versus external users, flooding attacks against end user versus flooding attacks against SIP proxy, and single flooding versus multiple flooding. In what follows, we classify the flooding attacks into three categories according to the number of sources launching the attack and the technique used to conduct it. We then explain in detail the working principle of each of these categories.

Single flooding

Figure 7 depicts a flooding scenario where a single caller is sending numerous INVITE requests simultaneously to create a flooding situation at the SIP proxy or the end user.
In this type of attack, the From header field should always have the same value.

Multiple flooding (DDoS)

When a number of callers send many INVITE requests to block either the server or the end user on some particular time windows, as shown in Figure 8, this phenomenon is called multiple flooding or DDoS.

Figure 8. Different callers sending INVITE requests simultaneously (DDoS): arrival time is similar but IP addresses are different.

SIP reflection flooding

Sometimes, unauthorized SIP messages are generated through fake SIP calls using spoofing. This is done by analyzing the information contained in the headers of the messages. This type of attack targets any node by using its IP address as a source IP to exhaust a specific proxy. Nowadays, thousands of fake calls are generated through this technique known as distributed reflection DoS, as shown in Figure 9. In this attack, the attacker node diverts different calls to the target node in order to exhaust its computing resources, leading to a breakdown of its service.

Figure 9. Illustration of reflection DoS attack.

5. FLOODING ATTACKS BEHAVIORS

In this section, we identify different behaviors of flooding based on the adopted attack rate. Indeed, SIP flooding varies according to the type of attack, its rate, and duration. Here, we present the four different behaviors of flooding to ease understanding of the proposed classification. We have categorized the flooding behavior in four classes, as described below.

Abrupt flooding behavior

When the UAS receives multiple requests in an abnormal manner, this implies that the flooding attack has no specific rate or special behavior during the flooding process. This is the most common type of flooding in SIP networks.

Very high flooding behavior

In this attack, a large number of INVITE requests are injected to paralyze the system in a short time as described in [17]. The ultimate goal of the attacker is to seize the large VoIP network or to block the VoIP server in a short time.

Stealthy flooding behavior

Sometimes, the attacker generates a slow pace of flooding to avoid being detected by the detection systems. This type of attack is difficult to deal with as it is extremely hard to distinguish it from the normal behavior because of its low rate, and as it keeps the flooding rate just beneath the threshold. In [18], the stealthy attack is investigated wherein it is shown that the attacker slowly increases the flooding pace to launch its attack successfully.

Low rate flooding behavior

In some cases, the flooding attacks are launched with a low rate. In contrast to stealthy attacks, the low rate attack has approximately a constant flooding rate. Hence, its impact is limited to home users and small organizations.

6. TAXONOMY OF THE EXISTING SOLUTIONS

In this section, we present the most significant solutions proposed in the literature to cope with flooding attacks in SIP. For the sake of clarity, we have classified them according to the flooding attack behavior considered in each solution.

Abrupt flooding behavior-based solutions

The algorithm proposed in [19] uses adaptive threshold, cumulative sum, and Hellinger distance techniques to deal with the single flooding attack. This solution assumes that the attacker is external and claims both single and multiple flooding prevention. In this solution, the adaptive threshold and cumulative sum techniques are applied to defeat the SYN attack on the transport layer, while the Hellinger distance is used to cope with the SIP flooding attack.
However, this solution is not valid for spoofed flooding attacks, it does not address DDoS flooding, and the traffic data set used for performance evaluation is not real. Notice that the flooding rate used in the experiments varies from 25 calls/second to 500 calls/second.

The authors in [20] have proposed an architecture to detect signaling and call hijacking attacks. The stateful and cross-protocol intrusion detection architecture for VoIP environments contains a distiller; all the traffic traverses the distiller, which translates packets into the information used by the architecture. These information units are called footprints. The footprints that reside in the same session are collected into a trail. The rule matching engine matches the events and categorizes the footprints in the event generator. This architecture is useful to build an intrusion detection system. In order to detect the flooding attack, adequate rules that are able to detect the abnormal flow of signaling messages should be added to the architecture, as it has limited detection rules.

In [15], several attacks have been addressed, including single flooding, multiple flooding, INVITE SYN and INVITE reflection flooding attacks. The authors have proposed a Bloom filter-based solution, where a Bloom filter is a vector V containing A elements and K hash functions used as index. Three different scenarios are applied for three different Bloom filters to check if the number of INVITE requests, responses, and acknowledgments are equal or not. To face DDoS, they have proposed a session distance by which they check if the number of INVITEs is equal to half of the number of responses and acknowledgments. Initially, the session distance could be zero, which is an ideal situation. However, because of the network delay and the user response time, there should be some thresholds to trigger an alarm against the DDoS attack. This work has discussed three different scenarios based on the type and nature of the attackers, as described in the following.

Scenario 1: legal requester to legal response generator.
Scenario 2: malicious user versus innocent user.
Scenario 3: malicious user addressed through proxy to clients belonging to non-existing domains.

The main drawback of this solution is that if a DDoS has a session distance less than the threshold, then all attackers are real users and have a legitimate access. Therefore, the attack cannot be detected by the threshold value of the alarm. Moreover, if two entries in the Bloom filter have the same value in concatenation of hash functions of a call, then it is considered that the traffic is analyzed during peak traffic hours to get the threshold value of session distance which could be variable.
Notice that the Bloom filter is used for both monitoring and detection. However, there is an ambiguity problem with the concatenation of the hash value in Bloom filters. For example, two values could have the same hash function value.

The work presented in [10] focused on bandwidth congestion and legitimate message flooding, and designed an analytical model to solve single flooding and cope with both internal and external attackers. This approach is based on an anomaly detection device placed before the proxy to detect the INVITE flooding by using a finite state machine (FSM) mechanism. Each device has the capability to detect flooding through different threshold parameters. It checks the new session ID and error count, which are based on unknown session ID and new entry in the table. This solution requires setting up a detection device at every UAS, which is not cost-effective. It is efficient only for stateful proxies but ineffective against spoofed and malformed messages. This solution has set up four different thresholds and whenever one of them is exceeded, the alarm is raised. It is worth mentioning that this solution has not been tested in any platform.

A special architecture is designed in [21], which has been used to implement a scalable prevention scheme for DoS attacks in SIP for single flooding. This solution focuses on external attackers targeting the proxy server. The authors have devised an approach that has a SIP-aware firewall design composed of two filters: a dynamic pinhole filter for media traffic and a SIP-specific filter for signaling traffic. This solution is composed of different mechanisms such as return routability filter, rate-limiting filters, and SIP transaction state validation. A testbed has been developed to evaluate the efficiency of this solution. This solution cannot protect from the internal flaws of the network. Moreover, it does not have sufficient detection rules, and the proposed hardware is expensive.
In [22], the authors have investigated two scenarios of SIP DoS attacks where the first attack is launched by external attackers, while the second is due to network misconfiguration. This work focuses on user monitoring in terms of false messaging, broken sessions, and sudden increase in the number of transactions for stateful proxies. It emphasizes server design in the case of stateless proxy. However, there is no specific mechanism proposed for preventing INVITE flooding except for monitoring the traffic. Besides, only stateful proxy is considered in this work.

The authors in [23] propose a whitelist approach to counter flooding attacks. They analyze four aspects of the attacks, including user ID, IP address, timestamp of the last registration and the expiration time in seconds. The evaluation of the proposed scheme is carried out by considering different factors, and the results are compared with PIKE Module of SIP Express Router. It is assumed that the messages are visible to the detection method proposed in this work (i.e., either they are not encrypted or decrypted by the analyzer). Moreover, this solution requires extensive modifications in UAS.

In order to cope with the vulnerabilities of SIP, the framework proposed in [24] uses five modules: (i) discovery of the potential vulnerabilities, (ii) modeling of the discovered vulnerabilities, (iii) determining the operations to counter the modeled vulnerabilities, (iv) evaluation of the overall model, and (v) generating the appropriate reports. This framework ensures also the detection of SIP DoS attacks by calculating the number of completed calls, retransmitted calls, response time of all calls, call setup time, and the round-trip time.

Hussain et al. [16] introduce a lightweight scheme to counter single flooding and DDoS attacks targeting SIP servers. The user-specified threshold, provided at the time of registration process, handles the number of calls to a particular SIP callee.
Once the threshold for a particular callee has been reached, SIP proxy will block other incoming calls and make a waiting queue. The efficiency of this method against both internal and external attackers has been proven using a set of testbed experiments.
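A minimal sketch of the per-callee threshold with a waiting queue described for [16], added here as an illustration and not the authors' implementation. The class and method names, the `max_waiting` bound on the queue and the sample callee URI and Call-IDs are assumptions of this example.

```python
from collections import deque


class CalleeLimiter:
    """Proxy-side admission control: at most `threshold` calls in progress per callee."""

    def __init__(self, max_waiting=100):
        self.threshold = {}   # callee URI -> limit supplied at registration
        self.active = {}      # callee URI -> Call-IDs currently forwarded
        self.waiting = {}     # callee URI -> Call-IDs held back, oldest first
        # Assumption of this example: the queue is bounded, otherwise the
        # waiting list itself becomes a memory-exhaustion target.
        self.max_waiting = max_waiting

    def register(self, callee, threshold):
        if threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.threshold[callee] = threshold
        self.active.setdefault(callee, set())
        self.waiting.setdefault(callee, deque())

    def on_invite(self, callee, call_id):
        """Decide what to do with an INVITE: forward, queued, duplicate or rejected."""
        if callee not in self.threshold:
            return "rejected"                      # callee never registered
        active, waiting = self.active[callee], self.waiting[callee]
        if call_id in active or call_id in waiting:
            return "duplicate"                     # retransmission, no new state
        if len(active) < self.threshold[callee]:
            active.add(call_id)
            return "forward"
        if len(waiting) < self.max_waiting:
            waiting.append(call_id)
            return "queued"
        return "rejected"                          # queue full: shed load

    def on_end(self, callee, call_id):
        """Release a finished or cancelled call; return the Call-ID promoted from the queue, if any."""
        if callee not in self.threshold:
            return None
        active, waiting = self.active[callee], self.waiting[callee]
        if call_id in waiting:                     # cancelled while still queued
            waiting.remove(call_id)
            return None
        if call_id not in active:
            return None
        active.remove(call_id)
        if waiting:
            promoted = waiting.popleft()
            active.add(promoted)
            return promoted
        return None


def demo():
    """Constructed burst: six INVITEs to a callee registered with threshold 2, queue bound 3."""
    limiter = CalleeLimiter(max_waiting=3)
    limiter.register("sip:bob@example.com", 2)
    decisions = [limiter.on_invite("sip:bob@example.com", f"call-{i}") for i in range(6)]
    promoted = limiter.on_end("sip:bob@example.com", "call-0")
    return decisions, promoted


if __name__ == "__main__":
    print(demo())
```

State is kept per Call-ID only while a call is active or queued, so a burst beyond the threshold plus the queue bound adds no further memory at the proxy.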

6.2. Very high flooding behavior-based solutions

A stream-based analysis technique to identify the single attacks against the SIP proxy is discussed in [25]. In this solution, a change point detection is proposed to deal with the change in traffic from normal to malicious using an adaptive sliding window technique. Moreover, this solution is evaluated under different scenarios (e.g., fixed window and adaptive window). However, the ratio between the valid and false alarms was not defined.

A distributed architecture is proposed in [17] to cope with the DoS flooding attack. The proposed testbed, which consists of controllers and filters, is able to defeat single flooding only. This solution suggests deploying an Intrusion Detection System (IDS) at both caller and callee. It has two main drawbacks: first, it assumes that users' IDs are not spoofed and second, it requires that the local registrar is on the Base Station Identifier Controller (BSIC).

The solution proposed in [26] deals with both single and multiple flooding for external users. It is layer independent and uses a filter, as part of an existing IDS, followed by an analyzer to check the traffic. This solution is designed specifically for protecting the proxy server. SIP messages are managed in a grid of a two-dimensional array. The grid of old messages should be XORed with the new messages; if the difference exceeds a threshold, then it would be treated as a new message. The new set of filters will create new masks. If these masks are similar, then it will add one point. Thus, when the mask has sufficient points, it will be taken as a filter rule or a template. In case of two attacks launched simultaneously, this solution proposes a moving threshold, which could be obtained through multiple masks.
This solution, however, is costly to cope with DDoS attacks as it requires a large number of masks and may trigger a large number of false alarms.

By leveraging spatial and temporal features, the solution presented in [27] classifies and detects SIP DoS, DDoS, and SPIT attacks on the basis of packet-based analysis. The authors of this work performed a set of experiments using their testbed to evaluate the efficiency of their solution under different patterns and variations of SIP traffic. Their main focus was on packet analysis, features computation, and finally, the classification of different attacks. However, the SIP reflection attack is out of the scope of this work.

Stealthy flooding behavior-based solutions

In [18], stealthy attacks are addressed where an intelligent attacker deliberately increases the traffic by launching a flooding attack at a slow pace. The proposed solution is a combination of sketch with wavelet technique and is based upon the wavelet analysis that senses the attack after an abrupt change in the energy of the corresponding signal is detected. To provide raw signals to the wavelet, this work uses the sketch technique which converts normal signals into fixed chunks. To summarize, this work is based on two steps, sketch traffic summarization and wavelet-based attack detection. Simulations are performed under a low flooding rate during a long period of time. The detection efficiency of this solution is evaluated, via simulation, under both the traditional SIP flooding attack and the stealthy flooding attack using a fixed attack duration.

The VoIP Flooding Detection System (VFDS) proposed in [28] includes two phases, training phase and test phase. The VFDS is validated for single flooding on the proxy server. The Hellinger distance technique is applied, in this scheme, to calculate the probability distribution between the above two sets (i.e., training and test sets).
The authors have processed 25 calls/second to 50 calls/second on their testbed. During peak hours, 70 calls/second are treated. However, the traffic deviation between normal and attack traffic is not highlighted. Queuing theory is also proposed in [29] to mitigate the single flooding attack s impact on SIP proxy. To overcome the problem of blocking legitimate users, the authors have used two types of queues, low and high priority queue. The attacker s requests are stored in low priority queue, while the legitimate caller s requests are assigned to high priority queue. However, this mechanism does not identify the attack type. Distributed DoS attack and its different patterns have been addressed in [30]. The essential components of this solution are SIP information database, security event database, SIP-aware DDoS detection module, bet-flow traffic, and sensor management module. This scheme gathers the information from incoming traffic for analysis purposes. Furthermore, the anomaly detection mechanism scans SIP traffic on the basis of user behavior, call behavior, and network status. This scheme has been implemented in a testbed environment containing four modules: SIP service provider, attackers, victims, and subscribers. This solution has proven its efficiency according to the performance evaluation results; however, the accuracy of the threshold used in this model has not been discussed. Another countermeasure is proposed in [31] to detect the flood of ringing that leads to re exhaustion at stateful proxy. This work is useful in the case where an attacker abuses the SIP protocol by increasing the number of transactions internally. However, it cannot mitigate the INVITE flooding attack. Moreover, this work focuses on the stateful proxies only and does not provide any countermeasure for the attacks against other types of proxy. In addition, there is a possibility of false alarm in this proposed countermeasure and DDoS is out of scope. 
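The sketch summarization named above for [18] and the Hellinger-distance comparison of a training set against a test set named for [28] can be combined into one detector. The following is an added example, not code from any of the surveyed papers: the sketch size, the hash, the threshold estimator with its floor, the majority vote and the rule of freezing the baseline on alarm are assumptions, and the traffic is constructed.

```python
import hashlib
import math

ROWS, BUCKETS = 3, 16  # assumed sketch dimensions


def bucket(row, caller):
    """Map a caller URI to a bucket; every row uses a different hash."""
    digest = hashlib.sha256(f"{row}|{caller}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % BUCKETS


def build_sketch(invites):
    """Summarize one time window. invites holds one caller URI per
    INVITE request seen in that window."""
    sketch = [[0] * BUCKETS for _ in range(ROWS)]
    for caller in invites:
        for row in range(ROWS):
            sketch[row][bucket(row, caller)] += 1
    return sketch


def hellinger(p_counts, q_counts):
    """Hellinger distance between two count vectors, in [0, 1]."""
    p_total, q_total = sum(p_counts), sum(q_counts)
    if p_total == 0 or q_total == 0:
        return 0.0 if p_total == q_total else 1.0
    acc = sum((math.sqrt(p / p_total) - math.sqrt(q / q_total)) ** 2
              for p, q in zip(p_counts, q_counts))
    return math.sqrt(acc / 2)


class SketchDetector:
    """Compares each new window (test set) with the last accepted
    window (training set), one Hellinger distance per sketch row."""

    def __init__(self, first_window, freeze=True, floor=0.1,
                 gain=0.125, k=4.0):
        self.training = build_sketch(first_window)
        self.freeze, self.floor, self.gain, self.k = freeze, floor, gain, k
        self.mean = [0.0] * ROWS   # running mean of the distance, per row
        self.dev = [0.0] * ROWS    # running mean deviation, per row

    def threshold(self, row):
        # Assumed estimator: mean + k * deviation, never below the floor.
        return max(self.floor, self.mean[row] + self.k * self.dev[row])

    def observe(self, window):
        test = build_sketch(window)
        dists = [hellinger(self.training[r], test[r]) for r in range(ROWS)]
        votes = sum(d > self.threshold(r) for r, d in enumerate(dists))
        alarm = votes > ROWS // 2          # majority of rows must agree
        if not (alarm and self.freeze):
            # Learn from this window. With freeze=True this is skipped
            # during an alarm, so flood traffic neither raises the
            # threshold nor becomes the new training set.
            for r, d in enumerate(dists):
                err = d - self.mean[r]
                self.mean[r] += self.gain * err
                self.dev[r] += self.gain * (abs(err) - self.dev[r])
            self.training = test
        return alarm


def normal_window(w):
    """Constructed traffic: 40 callers sending 5 or 6 INVITEs each."""
    return [f"sip:user{i}@example.test"
            for i in range(40) for _ in range(5 + (i + w) % 2)]


def flood_window(w):
    """Constructed traffic: the normal load plus one flooding source."""
    return normal_window(w) + ["sip:flood@example.invalid"] * 2000


def run(freeze):
    """Three normal windows followed by three flood windows."""
    windows = [normal_window(w) for w in range(4)]
    windows += [flood_window(w) for w in range(4, 7)]
    detector = SketchDetector(windows[0], freeze=freeze)
    return [detector.observe(win) for win in windows[1:]]


if __name__ == "__main__":
    print("freeze on alarm :", run(True))
    print("always learning :", run(False))
```

Without the freeze, the detector adopts the first flood window as its training set and stays silent for the rest of a sustained flood.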
The solution proposed in [32] detects DoS attacks using an entropy-based IDS. In such a system, however, an attacker can sniff the network and obtain an entropy value. In other words, entropy-based DoS solutions are vulnerable to spoofing attack because an attacker can keep the entropy value within an expected range and, therefore, provide realistic conditions for DoS attacks to occur. In contrast, a DDoS attack requires different steps in entropy-based spoofing. First, the attacker monitors the entropy before launching the attack and then calculates the mean, standard deviation and variance values. Subsequently, it spoofs the entropy during the attack. The authors show that this detection system can be deceived because the spoofed packets not only penetrate into the network but also help DoS attacks to occur.

6.4. Low rate flooding behavior-based solutions

To cope with the flooding attacks, Tang et al. [33] have integrated the two schemes known as sketch and Hellinger distance. The sketch technique is used to store a table built with hash functions, which holds the SIP address as the key and the number of INVITE requests as the related value. The detection scheme is based on two tables, the training set and the test set. The training set is the hash table created under normal conditions, and the test hash table represents the current traffic behavior. Hellinger distance is used to compare the two probability distributions of the training and test phases. The threshold value results from comparing the Hellinger distance of the training and test phases. This scheme introduces the notion of estimation freeze, which freezes the threshold value to avoid its increase during an attack. The voting procedure is used when multiple hash tables show a deviation between the two sets of data. This solution protects from the flooding attack, but it is still insufficient to deal with DDoS attacks. DDoS and RDDoS are not implemented in this scheme, while multi-attribute attack has an expensive computation cost. In this scheme, 35 to 500 calls/second are treated and the duration of each call is considered as 30 s (i.e., this scheme is evaluated under fixed length calls only). This scheme is proposed for the proxy server and considers both single and multiple flooding.

A self-adaptive probability model is proposed in [34] to protect the SIP proxy against both single and DDoS flooding attacks. This model addresses the four possible states: stateful proxy, stateless proxy, devices having a threshold, and devices without a threshold. Each device updates its current strategy based on its experiments and future predictions in a given time. This probability model is implemented in real-time VoIP traffic to avoid the INVITE flooding attack.

In [11], INVITE and REGISTER flooding at 10 to 20 calls/second are defended against for a single DoS attack on the proxy. The authors have upgraded the firewall with the Improved Security Enhanced SIP System by adding a predictive nonce checking to mitigate the spoofed messages. Additionally, it generates cryptographic functions on a few SIP headers known by firewalls. For high accuracy and high level, they have proposed to change the cryptographic values every 30 s. The calls are classified into three categories according to the priorities. This solution is easy to implement, but DDoS is out of scope. Additionally, the firewall must be a part of the VoIP environment, which is not always the case.

In [35], the authors have proposed a finite server transaction state machine to analyze high traffic flows for single flooding attack detection and mitigation. This system is implemented in a testbed architecture to validate its model, but it is costly and works for the proxy server only.

Low rate DoS attack is discussed and evaluated in [36]. The developed detection scheme is a combination of the following three modules: a hash computation efficiency module, which calculates the ratio of REGISTER requests using MD5 digest; a successful URI binding module, which calculates the ratio of the total number of successful bindings to the total number of messages received; and a registration drop efficiency module, which calculates the ratio of rejected URI bindings. The solution calculates these values every 10 s to detect flooding calls and is implemented for low rate DoS attacks and the flash crowd. The proposed scheme has been evaluated in a testbed under single flooding only.

In [37], the authors have proposed to exploit the call duration parameter to detect a single flooding attack targeting the SIP proxy. According to this solution, if many calls have a short duration (e.g., less than 5 s), then those calls are considered as floods. To check the session time, they checked the time of 200 OK and BYE, and chi-square distance is used to measure the distance. However, this solution cannot prevent false alarms, and the normal call duration varies from 5 to 20 s.

The work presented in [38] describes SIP flooding attacks in IP Multimedia Subsystem and gives an evaluation based on fuzzy comprehension. In this work, an analytic hierarchy process is used to calculate the evaluation indexes through which malicious traffic can be distinguished from normal traffic. Additionally, an error reduction method, based on multiple fuzzy arithmetic operators, is adopted to analyze these attacks on low-rate flooding. The main drawback of this work is the lack of evaluation of the attacks' success probability.

For further details on SIP and its vulnerabilities, the reader can refer to other recent works which are not addressed in our survey but could be very beneficial for early stage researchers [39-47].

7. COMPARISON AND ANALYSIS OF THE SURVEYED SOLUTIONS

A summary of the characteristics of the surveyed solutions is presented in Table II. In this table, we compare these solutions according to their degree of robustness to the flooding attack type dealt with, the applied flooding behavior, the target/victim node, the attackers type, and the validation tools. A detailed description of these criteria is given in the succeeding discussions.

Type of attack: as discussed earlier in Section 4, the flooding type defines the approach used by the attacker to launch the attack.

Flooding behavior: it defines the flooding pattern applied by the attacker.

Attack victim: in SIP networks, DoS attacks are often directed to either the SIP proxy or the end user. In some cases, the RTP servers, Domain Name System (DNS) servers, and network gateways could also be victims. Note that, in this survey, we are focusing on the proxy server and the end user only.

  Proxy server: the proxy servers are more powerful in terms of memory compared to the end users. To exhaust their resources, the attackers need to conduct a very high flooding behavior attack for a long duration.

  End user: usually, the end user has fewer resources than the server; thus, it is easy to exhaust them.

Attackers type: the attackers launching a flooding attack can be classified into two main categories (internal or external) according to whether the attacker is an authenticated user belonging to the SIP network or an un-authenticated outsider user.

  Internal attacker: an authenticated user, registered with the proxy server, that sends malicious INVITE and REGISTER requests to exhaust the proxy resources. The internal users are usually difficult to detect because of their authentication.

  External attacker: in this category, due to the lack of authentication, any node can launch a flooding attack.

Table II. Comparison of the surveyed solutions based on their characteristics.

| Scheme | Attack type | Flooding type | Target | Flooding behavior | Validation mechanism |
|---|---|---|---|---|---|
| Chen01 [10] | Internal and external | Single | Proxy and end user | Abrupt | Analytical model |
| Akber01 [19] | External | Single, multiple | End user | Abrupt | Simulations |
| Kim [26] | External | Single, multiple | Proxy | Very high | Testbed |
| Oram [21] | External | Single | Proxy | Abrupt | Testbed |
| Sisalem [22] | External | Single | Proxy | Abrupt | Analytical model |
| Conner [31] | Internal attacks | Single source, multiple | Proxy | Stealthy | Testbed |
| Sung [20] | Internal and external | Single, multiple | Proxy, probably end user | Abrupt | Testbed |
| Yoon [30] | External | Single and multiple | End user, probably proxy | Stealthy | Testbed |
| Geneiatakis [15] | Internal and external | Single, multiple | Proxy and end user | Abrupt | Testbed |
| Elhert [35] | Internal and external | Single | Proxy | Low rate | Testbed |
| Felipi [17] | Internal and external | Single | Proxy, probably end user | Very high | Testbed |
| Jin01 [33] | Internal and external | Single and multiple | Proxy | Low rate | Simulation |
| Deng [11] | Internal and external | Single | Proxy | Low rate | Simulations |
| Sengar [28] | Internal and external | Single | Proxy | Stealthy | Testbed |
| Xiao [29] | Internal and external | Single | Proxy | Stealthy | Simulation |
| Jin02 [18] | Internal and external | Single | Proxy | Stealthy | Simulation |
| Intesab01 [34] | Internal | Single and multiple | Proxy | Low rate | Simulations |
| Chen02 [23] | Internal and external | Single | Proxy probably | Abrupt | Simulation |
| Wenhai [25] | Internal and external | Single | Proxy | Very high and low rate | Simulation |
| Yang [37] | Internal and external | Single | Proxy, probably end user | Low rate | Testbed |
| Kumar [36] | Internal and external | Single | Proxy, probably end user | Low rate | Testbed |
| Intesab02 [16] | Internal and external | Single and multiple | Proxy and end user | Low rate and abrupt | Simulation |
| Ozcelik [32] | External | Single and multiple | Proxy | Stealthy | Simulation |
| Guo [38] | External | Multiple | Proxy | Low rate | Simulation |
| Alidoosti [24] | External | Multiple | Proxy | Abrupt | Testbed |
| Akber02 [27] | External | Multiple | Proxy | Very high | Testbed |

Table III. Advantages and limitations of the surveyed solutions.

| Scheme | Advantages | Limitations | Assumptions |
|---|---|---|---|
| Chen01 [10] | Simple | 1. Only works for stateful proxies. 2. Not useful for spoofed and malformed messages | Needs to put detection mechanism in front of every device |
| Akber01 [19] | Moving average for threshold | Does not work for spoofed messages | 1. Platform dependent 2. Efficient for single flooding |
| Kim [26] | Layer independent | 1. Solution is not implemented. 2. Costly for DDoS. 3. Chances of false alarm are high | 1. Proposed filter must be the part of IDS 2. Absence of Secure SIP and TLS 3. Identical payload considered |
| Oram [21] | Filters used | 1. Cannot protect from internal flaws (if the inside node is malicious). 2. Expensive hardware proposed | Limited detection rules |
| Sisalem [22] | Works for broken messages | Only monitoring is discussed | For stateful proxy |
| Conner [31] | Good for internal flaws | 1. Considers only stateful proxy 2. Possibility of false alarms | 1. DDoS is out of scope |
| Sung [20] | Works for call hijacking | Limited detection rules | No assumption |
| Yoon [30] | Distributed attack studied | Threshold is not accurate | For test environment |
| Geneiatakis [15] | Valid for multiple attack types | Ambiguity in the bloom filter | No assumption |
| Elhert [35] | Experiments are validated in different scenarios | Not applicable to DDoS | Snort added at each entry point |
| Felipi [17] | Huge flooding attacks are dealt with | Detection will work once attack started | 1. Local registrar must be BSID controller 2. IDS must be deployed on both ends 3. User ID must not be spoofed |
| Jin01 [33] | Adaptive threshold | 1. DDoS not implemented 2. Multi-attribute attacks in flooding have expensive calculations | 1. Duration of call is considered as 30 s 2. Memory should be high |
| Deng [11] | Easy to implement | DDoS is out of scope | Firewall must be present in the VoIP environment |
| Sengar [28] | Training and test phase analyzed | Deviation from normal to attack traffic is unknown | 25 to 50 calls/second considered |
| Xiao [29] | Responses cannot be discarded easily | Does not categorize the attack types | No assumption |
| Jin02 [18] | Detects the attacker with slow pace | DDoS is not implemented | Attack duration is considered for 30 s |
| Intesab01 [34] | 1. Probabilistic model for SIP proxy 2. Easy implementation 3. Less costly | Chances of false alarm | Discrete time intervals |
| Chen02 [23] | Various flooding attacks | Requires modification in SIP server | 1. Messages are visible to analyzer. 2. Either messages are un-encrypted or analyzer can decrypt with the key. 3. The client with valid used credentials are legitimate. |
| Wenhai [25] | Hybrid attack analysis | Ratio between alarm and false alarm is not defined | False alarms are not compared with threshold |
| Yang [37] | Call duration analysis | Rate of false alarms is high | Calls of less than 5 s are considered short and calls of more than 20 s are considered long |
| Kumar [36] | Low rate DoS attacks | Not applicable to DDoS | Platform dependent |
| Intesab02 [16] | 1. Lightweight scheme for proxy 2. Works for DoS and DDoS 3. Easy to implement 4. Less costly | False alarm in case of flash crowd | No assumption |
| Ozcelik [32] | Network monitoring system | It is unknown whether the variation in spoofed traffic is necessary for different rates or due to other system traffic | Low false positive rates |
| Guo [38] | Designed for IMS applications | The success probability of an attack is not evaluated | To check the effectiveness of this mechanism the generated attack must be successful |
| Alidoosti [24] | Used different call behaviors to evaluate its efficiency | Normal traffic is ignored | No assumption |
| Akber02 [27] | Detects both flooding and SPIT attacks | SIP reflection attacks are not considered | No assumption |

DDoS, distributed denial-of-service attack; SIP, Session Initiation Protocol; TLS, Transport Layer Security; IDS, intrusion detection system; BSID, Base Station Identifier; IMS, IP Multimedia Subsystem.

8. CRITICAL ANALYSIS

Usually, the main approach used to detect flooding attacks in SIP adopts the threshold-based rate limiting method in which the proxy counts all incoming messages regardless of their sources. In reactive detection schemes, this mechanism requires an important change by adding a separate counter for each individual. In case of traffic load variation in real time communication, the flooding threshold should be dynamic accordingly; for example, the traffic pattern may change at different times of the day (day hours versus night hours) and on different days of the week (working days versus holidays). Moreover, a sudden increase of messages could occur, as in emergency circumstances, and sometimes the traffic may change abruptly where many messages arrive at the same time (not actually the state of flooding). Many researchers have applied a static threshold to distinguish the attack situation from the normal conditions, while others have adopted a dynamic threshold to reflect the traffic load variation discussed above. However, we should be careful with the usage of a dynamic threshold because a smart attacker can gradually increase the traffic to bypass the alarm set for attack detection.
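The trade-off described above between a static and a dynamic threshold can be reproduced on a few traces. The following is an added example, not taken from the surveyed papers: the moving-average factor, the gain, the static limit of 200, the time-of-day reference profile used as a ceiling and all traces are assumptions constructed for illustration. Where a separate counter is kept per source, the same policies would run once per counter.

```python
def static_policy(rates, limit):
    """Fixed threshold: alarm whenever the windowed rate exceeds limit."""
    return [rate > limit for rate in rates]


def adaptive_policy(rates, factor=2.0, gain=0.125, ceiling=None):
    """Dynamic threshold: alarm when the rate exceeds factor times an
    exponentially weighted moving average of earlier non-alarm windows.
    ceiling, if given, is a per-window hard limit that the dynamic
    threshold may never exceed (assumed to come from a trusted
    time-of-day reference profile)."""
    mean = float(rates[0])            # the first window seeds the baseline
    alarms = [False]
    for i in range(1, len(rates)):
        limit = factor * mean
        if ceiling is not None:
            limit = min(limit, ceiling[i])
        alarm = rates[i] > limit
        alarms.append(alarm)
        if not alarm:                 # do not learn from alarmed windows
            mean += gain * (rates[i] - mean)
    return alarms


def first_alarm(alarms):
    """Index of the first alarmed window, or None if there is none."""
    return alarms.index(True) if True in alarms else None


def profile_ceiling(reference, slack=1.5):
    """Hard limit per window: slack times the expected rate."""
    return [slack * rate for rate in reference]


# Constructed traces: INVITEs per second in consecutive time windows.
NIGHT = [100.0] * 10
DIURNAL = NIGHT + [100.0 + 10 * k for k in range(1, 16)] + [250.0] * 10
ABRUPT = NIGHT + [1000.0] * 5
SLOW_RAMP = NIGHT + [100.0 * 1.05 ** k for k in range(1, 61)]


def evaluate():
    """First alarmed window per policy and trace."""
    flat_night = [100.0] * len(SLOW_RAMP)     # expected night-time load
    cases = {
        "diurnal": (DIURNAL, DIURNAL),        # legitimate daily rise
        "abrupt": (ABRUPT, flat_night),       # sudden flood at night
        "slow_ramp": (SLOW_RAMP, flat_night), # 5 % growth per window
    }
    result = {}
    for name, (rates, reference) in cases.items():
        result[name] = {
            "static": first_alarm(static_policy(rates, 200.0)),
            "adaptive": first_alarm(adaptive_policy(rates)),
            "bounded": first_alarm(adaptive_policy(
                rates, ceiling=profile_ceiling(reference))),
        }
    return result


if __name__ == "__main__":
    for trace, outcome in evaluate().items():
        print(trace, outcome)
```

The static limit raises false alarms on the legitimate daytime peak, the purely adaptive threshold never fires on the slow ramp, and the adaptive threshold bounded by the reference profile handles all three traces.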
Referring to the different solutions presented and discussed in this paper, we can conclude that most of the existing flooding-based DoS solutions are either difficult to deploy or require an extensive change in the servers, code, etc., in order to perform effectively. Moreover, we remark that some key factors may affect the efficiency and robustness of those solutions, such as:

Time threshold: in practice, it is difficult to specify a particular time threshold or time window to measure a DoS attack. As users may vary from a common user to a businessman, news agent, stock exchange worker or official person, specifying a precise call frequency for a callee is an extremely hard task. Therefore, the heterogeneity of SIP users prevents the researchers from setting a particular time threshold for their schemes.

Attack or emergency situation: in some cases, it is difficult to distinguish between malicious behavior and an emergency situation. If we suppose that the callee is getting an enormous number of calls because of an emergency or special occasion, then it would be very difficult to ascertain whether this situation is an attack or an emergency.

Internal users: it is more crucial to monitor the internal users than the external attackers. Here, an internal attacker refers to a user with legal status in the network. Because of misconfiguration or being the victim of an IP address spoofing attack, internal users can be seen as attackers.

Implementation cost: the implementation cost is an important metric to consider when we design a countermeasure for any attack, including SIP flooding. Usually, the designed solutions are not cost-effective, which makes them unsuitable for small-scale VoIP organizations. Therefore, it is more judicious to minimize the design cost and take it into account at the early stages of the design lifetime.
Table III highlights the advantages and weaknesses of the different solutions discussed in this survey and provides a critical analysis of the assumptions used in each of these solutions. These assumptions are usually the main drawback of these solutions because they limit their applicability to some specific scenarios only. Additionally, they may not be realistic assumptions, so they can never hold in a real scenario. To conclude, we can remark from this table that most of the proposed solutions are designed for explicit situations, which means that they are platform dependent and cannot work in different configurations.

9. CONCLUSION

Nowadays, many organizations are shifting from traditional telephone networks to VoIP because of the communication feasibility and cost efficiency of this emerging technology. SIP, which is the integral part of the protocol


More information

Studying the Security in VoIP Networks

Studying the Security in VoIP Networks Abstract Studying the Security in VoIP Networks A.Alseqyani, I.Mkwawa and L.Sun Centre for Security, Communications and Network Research, Plymouth University, Plymouth, UK e-mail: info@cscan.org Voice

More information

MonAM ( ) at TUebingen Germany

MonAM ( ) at TUebingen Germany MonAM (28-29.09.2006) at TUebingen Germany Security Threats and Solutions for Application Server of IP Multimedia Subsystem (IMS-AS) Muhammad Sher Technical University Berlin, Germany & Fraunhofer Institute

More information

DESIGN AND DEVELOPMENT OF MAC LAYER BASED DEFENSE ARCHITECTURE FOR ROQ ATTACKS IN WLAN

DESIGN AND DEVELOPMENT OF MAC LAYER BASED DEFENSE ARCHITECTURE FOR ROQ ATTACKS IN WLAN ------------------- CHAPTER 4 DESIGN AND DEVELOPMENT OF MAC LAYER BASED DEFENSE ARCHITECTURE FOR ROQ ATTACKS IN WLAN In this chapter, MAC layer based defense architecture for RoQ attacks in Wireless LAN

More information

Chapter 11: It s a Network. Introduction to Networking

Chapter 11: It s a Network. Introduction to Networking Chapter 11: It s a Network Introduction to Networking Small Network Topologies Typical Small Network Topology IT Essentials v5.0 2 Device Selection for a Small Network Factors to be considered when selecting

More information

Security. Reliability

Security. Reliability Security The Emizon network is capable of providing a secure monitored service using Internet Protocol (IP) over both fixed line and wireless networks such as GSM GPRS. The protocol used in the Emizon

More information

Detecting Specific Threats

Detecting Specific Threats The following topics explain how to use preprocessors in a network analysis policy to detect specific threats: Introduction to Specific Threat Detection, page 1 Back Orifice Detection, page 1 Portscan

More information

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Threat Modeling. Bart De Win Secure Application Development Course, Credits to Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,

More information

Chapter 3: IP Multimedia Subsystems and Application-Level Signaling

Chapter 3: IP Multimedia Subsystems and Application-Level Signaling Chapter 3: IP Multimedia Subsystems and Application-Level Signaling Jyh-Cheng Chen and Tao Zhang IP-Based Next-Generation Wireless Networks Published by John Wiley & Sons, Inc. January 2004 Outline 3.1

More information

SIP System Features. Differentiated Services Codepoint CHAPTER

SIP System Features. Differentiated Services Codepoint CHAPTER CHAPTER 6 Revised: December 30 2007, This chapter describes features that apply to all SIP system operations. It includes the following topics: Differentiated Services Codepoint section on page 6-1 Limitations

More information

Networking interview questions

Networking interview questions Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected

More information

Configuring Flood Protection

Configuring Flood Protection Configuring Flood Protection NOTE: Control Plane flood protection is located on the Firewall Settings > Advanced Settings page. TIP: You must click Accept to activate any settings you select. The Firewall

More information

Ingate SIParator /Firewall SIP Security for the Enterprise

Ingate SIParator /Firewall SIP Security for the Enterprise Ingate SIParator /Firewall SIP Security for the Enterprise Ingate Systems Ingate Systems AB (publ) Tel: +46 8 600 77 50 BACKGROUND... 1 1 NETWORK SECURITY... 2 2 WHY IS VOIP SECURITY IMPORTANT?... 3 3

More information

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP LTM for SIP Traffic Management. Archived

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP LTM for SIP Traffic Management. Archived DEPLOYMENT GUIDE Version 1.2 Deploying the BIG-IP LTM for SIP Traffic Management Table of Contents Table of Contents Configuring the BIG-IP LTM for SIP traffic management Product versions and revision

More information

IP MULTIMEDIA SUBSYSTEM (IMS) SECURITY MODEL

IP MULTIMEDIA SUBSYSTEM (IMS) SECURITY MODEL International Journal of Advance Research, IJOAR.org ISSN 2320-9194 1 International Journal of Advance Research, IJOAR.org Volume 1, Issue 3, March 2013, Online: ISSN 2320-9194 IP MULTIMEDIA SUBSYSTEM

More information

Session Initiation Protocol (SIP) Overview

Session Initiation Protocol (SIP) Overview Session Initiation Protocol (SIP) Overview T-110.7100 Applications and Services in Internet 5.10.2010 Jouni Mäenpää NomadicLab, Ericsson Research Contents SIP introduction, history and functionality Key

More information

Request for Comments: 4083 Category: Informational May 2005

Request for Comments: 4083 Category: Informational May 2005 Network Working Group M. Garcia-Martin Request for Comments: 4083 Nokia Category: Informational May 2005 Input 3rd-Generation Partnership Project (3GPP) Release 5 Requirements on the Session Initiation

More information

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand

More information

Introduction and Statement of the Problem

Introduction and Statement of the Problem Chapter 1 Introduction and Statement of the Problem 1.1 Introduction Unlike conventional cellular wireless mobile networks that rely on centralized infrastructure to support mobility. An Adhoc network

More information

Session Border Controller

Session Border Controller CHAPTER 14 This chapter describes the level of support that Cisco ANA provides for (SBC), as follows: Technology Description, page 14-1 Information Model Objects (IMOs), page 14-2 Vendor-Specific Inventory

More information

Demystifying Service Discovery: Implementing an Internet-Wide Scanner

Demystifying Service Discovery: Implementing an Internet-Wide Scanner Demystifying Service Discovery: Implementing an Internet-Wide Scanner Derek Leonard Joint work with Dmitri Loguinov Internet Research Lab Department of Computer Science and Engineering Texas A&M University,

More information

New and Current Approaches for Secure VoIP Service

New and Current Approaches for Secure VoIP Service New and Current Approaches for Secure VoIP Service H. Hakan Kılınç, Uğur Cağal Netas, Cyber Security Department, Istanbul hakank@netas.com.tr, ucagal@netas.com.tr Abstract: The current telecom technology

More information

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways Firewalls 1 Overview In old days, brick walls (called firewalls ) built between buildings to prevent fire spreading from building to another Today, when private network (i.e., intranet) connected to public

More information

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network 10 Key Things Your Firewall Should Do When voice joins applications and data on your network Table of Contents Making the Move to 3 10 Key Things 1 Security is More Than Physical 4 2 Priority Means Clarity

More information

Closed book. Closed notes. No electronic device.

Closed book. Closed notes. No electronic device. 414-S17 (Shankar) Exam 3 PRACTICE PROBLEMS Page 1/6 Closed book. Closed notes. No electronic device. 1. Anonymity Sender k-anonymity Receiver k-anonymity Authoritative nameserver Autonomous system BGP

More information

(2½ hours) Total Marks: 75

(2½ hours) Total Marks: 75 (2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based

More information

Session Initiation Protocol (SIP) Basic Description Guide

Session Initiation Protocol (SIP) Basic Description Guide Session Initiation Protocol (SIP) Basic Description Guide - 1 - Table of Contents: DOCUMENT DESCRIPTION... 4 SECTION 1 NETWORK ELEMENTS... 4 1.1 User Agent... 4 1.2 Proxy server... 4 1.3 Registrar... 4

More information

TO DETECT AND RECOVER THE AUTHORIZED CLI- ENT BY USING ADAPTIVE ALGORITHM

TO DETECT AND RECOVER THE AUTHORIZED CLI- ENT BY USING ADAPTIVE ALGORITHM TO DETECT AND RECOVER THE AUTHORIZED CLI- ENT BY USING ADAPTIVE ALGORITHM Anburaj. S 1, Kavitha. M 2 1,2 Department of Information Technology, SRM University, Kancheepuram, India. anburaj88@gmail.com,

More information

Mohammad Hossein Manshaei 1393

Mohammad Hossein Manshaei 1393 Mohammad Hossein Manshaei manshaei@gmail.com 1393 Voice and Video over IP Slides derived from those available on the Web site of the book Computer Networking, by Kurose and Ross, PEARSON 2 Multimedia networking:

More information

Anti-DDoS. User Guide. Issue 05 Date

Anti-DDoS. User Guide. Issue 05 Date Issue 05 Date 2017-02-08 Contents Contents 1 Introduction... 1 1.1 Functions... 1 1.2 Application Scenarios...1 1.3 Accessing and Using Anti-DDoS... 2 1.3.1 How to Access Anti-DDoS...2 1.3.2 How to Use

More information

SIP Session Initiation Protocol

SIP Session Initiation Protocol Session Initiation Protocol ITS 441 - VoIP; 2009 P. Campbell, H.Kruse HTTP Hypertext Transfer Protocol For transfer of web pages encoded in html: Hypertext Markup Language Our interest: primarily as model

More information

Timestamps and authentication protocols

Timestamps and authentication protocols Timestamps and authentication protocols Chris J. Mitchell Technical Report RHUL MA 2005 3 25 February 2005 Royal Holloway University of London Department of Mathematics Royal Holloway, University of London

More information

PLEASE READ CAREFULLY BEFORE YOU START

PLEASE READ CAREFULLY BEFORE YOU START Page 1 of 20 MIDTERM EXAMINATION #1 - B COMPUTER NETWORKS : 03-60-367-01 U N I V E R S I T Y O F W I N D S O R S C H O O L O F C O M P U T E R S C I E N C E Fall 2008-75 minutes This examination document

More information

PLEASE READ CAREFULLY BEFORE YOU START

PLEASE READ CAREFULLY BEFORE YOU START Page 1 of 20 MIDTERM EXAMINATION #1 - A COMPUTER NETWORKS : 03-60-367-01 U N I V E R S I T Y O F W I N D S O R S C H O O L O F C O M P U T E R S C I E N C E Fall 2008-75 minutes This examination document

More information

Wireless Network Security Fundamentals and Technologies

Wireless Network Security Fundamentals and Technologies Wireless Network Security Fundamentals and Technologies Rakesh V S 1, Ganesh D R 2, Rajesh Kumar S 3, Puspanathan G 4 1,2,3,4 Department of Computer Science and Engineering, Cambridge Institute of Technology

More information

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content Intrusion Detection INFO404 - Lecture 13 21.04.2009 nfoukia@infoscience.otago.ac.nz Content Definition Network vs. Host IDS Misuse vs. Behavior Based IDS Means for Intrusion Detection Definitions (1) Intrusion:

More information

Controlling Overload in Networks of SIP Servers

Controlling Overload in Networks of SIP Servers Controlling Overload in Networks of SIP Servers Volker Hilt, Indra Widjaja Bell Labs/Alcatel-Lucent volkerh@bell-labs.com, iwidjaja@bell-labs.com Outline Motivation SIP Background Performance Evaluation

More information

Session Initiation Protocol (SIP)

Session Initiation Protocol (SIP) Session Initiation Protocol (SIP) Introduction A powerful alternative to H.323 More flexible, simpler Easier to implement Advanced features Better suited to the support of intelligent user devices A part

More information

INTERFACE SPECIFICATION SIP Trunking. 8x8 SIP Trunking. Interface Specification. Version 2.0

INTERFACE SPECIFICATION SIP Trunking. 8x8 SIP Trunking. Interface Specification. Version 2.0 8x8 Interface Specification Version 2.0 Table of Contents Introduction....3 Feature Set....3 SIP Interface....3 Supported Standards....3 Supported SIP methods....4 Additional Supported SIP Headers...4

More information

Identifying and Preventing Distributed-Denial-Of-Service Attacks

Identifying and Preventing Distributed-Denial-Of-Service Attacks CHAPTER 11 Identifying and Preventing Distributed-Denial-Of-Service Attacks This module describes the ability of the SCE platform to identify and prevent DDoS attacks, and the various procedures for configuring

More information

Chapter 7. Denial of Service Attacks

Chapter 7. Denial of Service Attacks Chapter 7 Denial of Service Attacks DoS attack: An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU),

More information

A Framework for Optimizing IP over Ethernet Naming System

A Framework for Optimizing IP over Ethernet Naming System www.ijcsi.org 72 A Framework for Optimizing IP over Ethernet Naming System Waleed Kh. Alzubaidi 1, Dr. Longzheng Cai 2 and Shaymaa A. Alyawer 3 1 Information Technology Department University of Tun Abdul

More information

ISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo

ISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo ISC2 Exam Questions CISSP Certified Information Systems Security Professional (CISSP) Version:Demo 1. How can a forensic specialist exclude from examination a large percentage of operating system files

More information

Service Managed Gateway TM. Configuring IPSec VPN

Service Managed Gateway TM. Configuring IPSec VPN Service Managed Gateway TM Configuring IPSec VPN Issue 1.2 Date 12 November 2010 1: Introduction 1 Introduction... 3 1.1 What is a VPN?... 3 1.2 The benefits of an Internet-based VPN... 3 1.3 Tunnelling

More information

Intruders. significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders:

Intruders. significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders: Intruders significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders: masquerader misfeasor clandestine user varying levels of competence

More information

Application Scenario 1: Direct Call UA UA

Application Scenario 1: Direct Call UA UA Application Scenario 1: Direct Call UA UA Internet Alice Bob Call signaling Media streams 2009 Jörg Ott 1 tzi.org INVITE sip:bob@foo.bar.com Direct Call bar.com Note: Three-way handshake is performed only

More information

Securing ARP and DHCP for mitigating link layer attacks

Securing ARP and DHCP for mitigating link layer attacks Sādhanā Vol. 42, No. 12, December 2017, pp. 2041 2053 https://doi.org/10.1007/s12046-017-0749-y Ó Indian Academy of Sciences Securing ARP and DHCP for mitigating link layer attacks OSAMA S YOUNES 1,2 1

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 9 Attacks and Attack Detection (Prevention, Detection and Response) Attacks and Attack

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update

More information

Voice over IP (VoIP)

Voice over IP (VoIP) Voice over IP (VoIP) David Wang, Ph.D. UT Arlington 1 Purposes of this Lecture To present an overview of Voice over IP To use VoIP as an example To review what we have learned so far To use what we have

More information

Survey of Cyber Moving Targets. Presented By Sharani Sankaran

Survey of Cyber Moving Targets. Presented By Sharani Sankaran Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber moving target technique refers to any technique that attempts to defend a system and increase the complexity of

More information

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Network Security Evil ICMP, Careless TCP & Boring Security Analyses Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Part I Internet Control Message Protocol (ICMP) Why ICMP No method

More information

IPv4 to IPv6 Network Migration and Coexistence

IPv4 to IPv6 Network Migration and Coexistence IPv4 to IPv6 Network Migration and Coexistence A.Chandra 1, K. Lalitha 2 1 Assistant Professor, Department of CSSE, Sree Vidyanikethan Engg. College, Tirupati, Andhra Pradesh, India 2 Assistant Professor(SL),

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2630 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information

More information

Allstream NGNSIP Security Recommendations

Allstream NGNSIP Security Recommendations Allstream NGN SIP Trunking Quick Start Guide We are confident that our service will help increase your organization s performance and productivity while keeping a cap on your costs. Summarized below is

More information

Chapter 5 (Week 9) The Network Layer ANDREW S. TANENBAUM COMPUTER NETWORKS FOURTH EDITION PP BLM431 Computer Networks Dr.

Chapter 5 (Week 9) The Network Layer ANDREW S. TANENBAUM COMPUTER NETWORKS FOURTH EDITION PP BLM431 Computer Networks Dr. Chapter 5 (Week 9) The Network Layer ANDREW S. TANENBAUM COMPUTER NETWORKS FOURTH EDITION PP. 343-396 1 5.1. NETWORK LAYER DESIGN ISSUES 5.2. ROUTING ALGORITHMS 5.3. CONGESTION CONTROL ALGORITHMS 5.4.

More information

IPv6 migration challenges and Security

IPv6 migration challenges and Security IPv6 migration challenges and Security ITU Regional Workshop for the CIS countries Recommendations on transition from IPv4 to IPv6 in the CIS region, 16-18 April 2014 Tashkent, Republic of Uzbekistan Desire.karyabwite@itu.int

More information