Security of VoIP : Analysis, Testing and Mitigation of SIP-based DDoS attacks on VoIP Networks (2008)
Type of ContentTheses / Dissertations
Thesis DisciplineComputer Science
Degree NameMaster of Science
PublisherUniversity of Canterbury. Computer Science and Software Engineering
AuthorsDeng, Xianglinshow all
Voice over IP (VoIP) is gaining more popularity in today‟s communications. The Session Initiation Protocol (SIP) is becoming one of the dominant VoIP signalling protocol[1, 2], however it is vulnerable to many kinds of attacks. Among these attacks, flood-based denial of service attacks have been identified as the major threat to SIP. Even though a great deal of research has been carried out to mitigate denial of service attacks, only a small proportion has been specific to SIP. This project examines the way denial of service attacks affect the performance of a SIP-based system and two evolutionary solutions to this problem that build on each other are proposed with experimental results to demonstrate the effectiveness of each solution. In stage one, this project proposes the Security-Enhanced SIP System (SESS), which contains a security-enhanced firewall, which evolved from the work of stage one and a security-enhanced SIP proxy server. This approach helps to improve the Quality-of-Service (QoS) of legitimate users during the SIP flooding attack, while maintaining a 100 percent success rate in blocking attack traffic. However, this system only mitigates SIP INVITE and REGISTER floods. In stage two, this project further advances SESS, and proposes an Improved Security-Enhanced SIP System (ISESS). ISESS advances the solution by blocking other SIP request floods, for example CANCEL, OK and BYE flood. JAIN Service Logic Execution Environment (JAIN SLEE) is a java-based application server specifically designed for event-driven applications. JAIN SLEE is used to implement enhancements of the SIP proxy server, as it is becoming a popular choice in implementing communication applications. The experimental results show that during a SIP flood, ISESS cannot only drop all attack packets but also the call setup delay of legitimate users can be improved substantially compared to and unsecured VoIP system.