Model-Checking DoS Amplification for VoIP Session Initiation

  • Ravinder Shankesi
  • Musab AlTurki
  • Ralf Sasse
  • Carl A. Gunter
  • José Meseguer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5789)


Current techniques for the formal modeling analysis of DoS attacks do not adequately deal with amplification attacks that may target a complex distributed system as a whole rather than a specific server. Such threats have emerged for important applications such as the VoIP Session Initiation Protocol (SIP). We demonstrate a model-checking technique for finding amplification threats using a strategy we call measure checking that checks for a quantitative assessment of attacker impact using term rewriting. We illustrate the effectiveness of this technique with a study of SIP. In particular, we show how to automatically find known attacks and verify that proposed patches for these attacks achieve their aim. Beyond this, we demonstrate a new amplification attack based on the compromise of one or more SIP proxies. We show how to address this threat with a protocol change and formally analyze the effectiveness of the new protocol against amplification attacks.


Model Check Session Initiation Protocol Proxy Server Statistical Model Check Session Initiation Protocol Message 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Abadi, M., Blanchet, B., Fournet, C.: Just fast keying in the pi calculus. In: Schmidt, D. (ed.) ESOP 2004. LNCS, vol. 2986, pp. 340–354. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  2. 2.
    Agha, G., Gunter, C.A., Greenwald, M., Khanna, S., Meseguer, J., Sen, K., Thati, P.: Formal modeling and analysis of DoS using probabilistic rewrite theories. In: International Workshop on Foundations of Computer Security, FCS 2005 (2005)Google Scholar
  3. 3.
    Agha, G., Meseguer, J., Sen, K.: PMaude: Rewrite-based specification language for probabilistic object systems. Electronic Notes in Theoretical Computer Science 153(2), 213–239 (2006)CrossRefGoogle Scholar
  4. 4.
    AlTurki, M., Meseguer, J., Gunter, C.A.: Probabilistic modeling and analysis of DoS protection for the ASV protocol. Electron. Notes Theor. Comput. Sci. 234, 3–18 (2009)CrossRefGoogle Scholar
  5. 5.
    Chadha, R., Gunter, C.A., Meseguer, J., Shankesi, R., Viswanathan, M.: Modular preservation of safety properties by cookie-based DoS-protection wrappers. In: Formal Methods for Open Object-Based Distributed Systems, pp. 39–58 (2008)Google Scholar
  6. 6.
    Clavel, M., Durán, F., Eker, S., Lincoln, P., Martí-Oliet, N., Meseguer, J., Talcott, C.: All About Maude - A High-Performance Logical Framework: How to Specify, Program, and Verify Systems in Rewriting Logic. LNCS. Springer, Heidelberg (2007)zbMATHGoogle Scholar
  7. 7.
    Denker, G., Meseguer, J., Talcott, C.L.: Protocol specification and analysis in Maude. In: Proc. of Workshop on Formal Methods and Security Protocols (1998)Google Scholar
  8. 8.
    Durgin, N., Lincoln, P., Mitchell, J., Scedrov, A.: Multiset rewriting and the complexity of bounded security protocols. J. Comput. Secur. 12(2), 247–311 (2004)CrossRefGoogle Scholar
  9. 9.
    Escobar, S., Meadows, C., Meseguer, J.: A rewriting-based inference system for the NRL protocol analyzer and its meta-logical properties. Theor. Comput. Sci. 367(1), 162–202 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Goodloe, A.E.: A Foundation for Tunnel-Complex Protocols. PhD thesis, University of Pennsylvania (2008)Google Scholar
  11. 11.
    Gupta, P., Shmatikov, V.: Security analysis of voice-over-ip protocols. In: 20th IEEE Computer Security Foundations Symposium, Venice, Italy, pp. 49–63. IEEE Computer Society Press, Los Alamitos (2007)CrossRefGoogle Scholar
  12. 12.
    IETF. SIP: Session Initiation Protocol. RFC 3261 (Proposed Standard), Updated by RFCs 3265, 3853, 4320, 4916, 5393 (June 2002)Google Scholar
  13. 13.
    IETF. Addressing an Amplification Vulnerability in Forking Proxies draft-ietf-sip-fork-loop-fix-00. Internet-Draft (February 2006)Google Scholar
  14. 14.
    IETF. Addressing an Amplification Vulnerability in Session Initiation Protocol (SIP) Forking Proxies. RFC 5393 (Proposed Standard) (December 2008)Google Scholar
  15. 15.
    Kim, M.-Y., Stehr, M.-O., Talcott, C., Dutt, N., Venkatasubramanian, N.: A probabilistic formal analysis approach to cross layer optimization in distributed embedded systems. In: Bonsangue, M.M., Johnsen, E.B. (eds.) FMOODS 2007. LNCS, vol. 4468, pp. 285–300. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  16. 16.
    Lafrance, S., Mullins, J.: An information flow method to detect denial of service vulnerabilities. J. UCS 9(11), 1350–1369 (2003)MathSciNetGoogle Scholar
  17. 17.
    Mahimkar, A., Shmatikov, V.: Game-based analysis of denial-of-service prevention protocols. In: IEEE Computer Security Foundations Workshop (CSFW-18 2005). IEEE Computer Society Press, Los Alamitos (2005)Google Scholar
  18. 18.
    Meadows, C.: A formal framework and evaluation method for network denial of service. In: CSFW, pp. 4–13 (1999)Google Scholar
  19. 19.
    Meseguer, J.: Conditional rewriting logic as a unified model of concurrency. Theor. Comput. Sci. 96(1), 73–155 (1992)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Meseguer, J.: Rewriting logic and maude: a wide-spectrum semantic framework for object-based distributed systems. In: Smith, S.F., Talcott, C.L. (eds.) FMOODS. IFIP Conference Proceedings, vol. 177, pp. 89–117. Kluwer, Dordrecht (2000)Google Scholar
  21. 21.
    Sen, K., Viswanathan, M., Agha, G.A.: On Statistical Model Checking of Stochastic Systems. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 266–280. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  22. 22.
    Wang, X., Zhang, R., Yang, X., Jiang, X., Wijesekera, D.: Voice pharming attack and the trust of VoIP. In: SecureComm 2008: Proceedings of the 4th international conference on Security and privacy in communication netowrks, pp. 1–11. ACM Press, New York (2008)Google Scholar
  23. 23.
    Younes, H.L.S., Simmons, R.G.: Statistical probabilistic model checking with a focus on time-bounded properties. Inf. Comput. 204(9), 1368–1409 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    Yu, C.-F., Gligor, V.D.: A specification and verification method for preventing denial of service. IEEE Trans. Softw. Eng. 16(6), 581–592 (1990)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Ravinder Shankesi
    • 1
  • Musab AlTurki
    • 1
  • Ralf Sasse
    • 1
  • Carl A. Gunter
    • 1
  • José Meseguer
    • 1
  1. 1.University of Illinois at Urbana-ChampaignUrbanaUSA

Personalised recommendations