Secure SIP: A Scalable Prevention Mechanism for DoS Attacks on SIP Based VoIP Systems

  • Gaston Ormazabal
  • Sarvesh Nagpal
  • Eilon Yardeni
  • Henning Schulzrinne
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5310)


Traditional perimeter security solutions cannot cope with the com-plexity of VoIP protocols at carrier-class performance. We implemented a large-scale, rule-based SIP-aware application-layer-firewall capable of detect-ing and mitigating SIP-based Denial-of-Service (DoS) attacks at the signaling and media levels. The detection algorithms, implemented in a highly distributed hardware solution leveraged to obtain filtering rates in the order of hundreds of transactions per second, suggest carrier class performance. Firewall performs SIP traffic filtering against spoofing attacks; and request, response and out-of-state floods. The functionality and performance of the DoS prevention schemes were validated using a distributed test-bed and a custom-built, automated testing and analysis tool that generated high-volume signaling and media traffic, and performed fine grained measurements of filtering rates and load-induced delays of the system under test. The test-tool included SIP-based attack vectors of spoofed traffic, as-well-as floods of requests, responses and out-of-state message sequences. This paper also presents experimental results.


SIP DoS DDoS VoIP Security Signaling Attacks Application Layer Firewall Deep Packet Inspection Distributed Computing Scalability 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., Schooler, E.: SIP: Session Initiation Protocol, RFC 3261 (June 2002)Google Scholar
  2. 2.
    Baugher, M., McGrew, D., Naslund, M., Carrara, E., Norrman, K.: The Secure Real-time Transport Protocol (SRTP)., RFC 3711 (March 2004)Google Scholar
  3. 3.
    VOIPSA VoIP Security and Privacy Threat Taxonomy,
  4. 4.
    Worldwide, I.S.P.: Security Report, Arbor Networks (September 2005),
  5. 5.
    CERT Advisory CA-, -06 Multiple vulnerabilities in implementations of SIP (2003),
  6. 6.
    Wieser, C., Laakso, M., Schulzrinne, H.: Security testing of SIP implementations. Technical Report (February 20, 2005),
  7. 7.
    Roedig, U., Ackermann, R., Steinmetz, R.: Evaluating and Improving Firewalls for IP-Telephony Environments. In: IP-Telephony Workshop (IPTel) (April 2000)Google Scholar
  8. 8.
    Yardeni, E., Schulzrinne, H., Ormazabal, G.: SIP-aware Application Layer Firewall with Dynamic Pinholes for Media, Columbia Technical Report (2006),
  9. 9.
    Yardeni, E., Patnaik, S., Schulzrinne, H., Ormazabal, G., Helms, D.: SIP-aware Application Layer Firewall with Dynamic Pinholes for Media, NANOG 38 (October 2006),
  10. 10.
    Wu, Y., Bagchi, S., Garg, S., Singh, N., Tsai, T.K.: Scidive: A stateful and cross protocol intrusion detection architecture for VoIP environments. In: International Conference on Dependable Systems and Networks (June 2004)Google Scholar
  11. 11.
    Niccolini, S., Garroppo, R.G., Giordano, S., Risi, G., Ventura, S.: SIP Intrusion Detection and Prevention: Recommendations and Prototype Implementation. In: IEEE Workshop on VoIP Management and Security (April 2006)Google Scholar
  12. 12.
    Sengar, H., Wijesekera, D., Wang, H., Jajodia, S.: Intrusion Detection Through Interacting Protocol State Machines. In: International Conference on Dependable Systems and Networks (2006)Google Scholar
  13. 13.
    Nassar, M., State, R., Festor, O.: VoIP Honeypot Architecture. In: IEEE International Symposium on Integrated Network Management (May 2007)Google Scholar
  14. 14.
    Chen, E.Y.: Detecting DoS Attacks on SIP Systems. In: IEEE Workshop on VoIP Management and Security at NOMS (April 2006),
  15. 15.
    Sengar, H., Wijesekera, D., Wang, H., Jajodia, S.: Fast Detection of Denial-of-Service Attacks on IP Telephony. In: IEEE International Workshop on Quality of Service (June 2006)Google Scholar
  16. 16.
    Geneiatakis, D., Dagiouklas, A., Kambourakis, G., Lambrinoudakis, C., Gritzalis, S., Ehlert, S., Sisalem, D.: Survey of Security Vulnerabilities in Session Initiation Protocol. IEEE Communications Surveys and Tutorials 8(3) (2006)Google Scholar
  17. 17.
    Sisalem, D., Kuthan, J., Ehlert, S.: Denial of Service Attacks Targeting a SIP VoIP Infrastructure- Attack Scenarios and Prevention Mechanisms. IEEE Network Special Issue on Securing VoIP 20(5) (2006)Google Scholar
  18. 18.
  19. 19.
    Columbia InterNet Extensible Multimedia Architecture (CINEMA),
  20. 20.
    Salsano, S., Veltri, L., Papalilo, D.: SIP security issues: the SIP authentication procedure and its processing load. IEEE Network 16(6) (2002)Google Scholar
  21. 21.
    Singh, K., Schulzrinne, H.: Failover and load sharing in SIP telephony. In: International Symposium on Performance Evaluation of Computer and Telecommunication Systems (SPECTS), Philadelphia, Pennsylvania (July 2005),
  22. 22.
    Schulzrinne, H., Narayanan, S., Lennox, J., Doyle, M.: SIPstone - benchmarking SIP server performance. sipstone 0402.pdf (April 2002),
  23. 23.
  24. 24.
  25. 25.
    MySQL, Open Source SQL server,

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Gaston Ormazabal
    • 1
  • Sarvesh Nagpal
    • 2
  • Eilon Yardeni
    • 2
  • Henning Schulzrinne
    • 2
  1. 1.Verizon LaboratoriesUSA
  2. 2.Department of Computer ScienceColumbia UniversityUSA

Personalised recommendations