Transcript Slide 1

Fast Detection of Denial-of-Service
Attacks on IP Telephony
Hemant Sengar, Duminda Wijesekera and Sushil Jajodia
Center for Secure Information Systems, George Mason University
and
Haining Wang
Department of Computer Science, College of William and Mary
Outline
IP Telephony and Security Threats
Flooding DoS Attacks
Related Work
Observation of Protocol Behaviors
Design of vFDS
Performance Evaluation
Conclusion
IP Telephony
[Figure: IP telephony architecture. Telecommunication network: signaling plane with SSPs A, B and E, STPs C and D and signaling links; voice plane with Exchanges A, C and E joined by voice trunks. IP network: signaling gateways (SG, M3UA), media gateway controllers (MGC, SIP/SIP-T), media gateways (MG, Megaco), a SIP IP phone and a PC, with the RTP media stream carried on the voice plane.]
Marriage of IP with traditional telephony
VoIP uses multiple protocols for call control and data delivery
SIP-based IP Telephony
Threats
Device mis-configuration
Improper usage of signaling messages
DoS attacks (towards the SIP proxy server or SIP UAs)
A SIP UA may issue multiple simultaneous requests
VoIP telephony is plagued by known Internet vulnerabilities (e.g., worms, viruses, DoS attacks, etc.) as well as threats specific to VoIP.
Our Focus
Denial of Service attacks due to flooding
TCP-based SIP entities are prone to SYN flooding attacks
At the application layer:
• INVITE flooding (SIP proxy or SIP UA)
• RTP flooding to a SIP UA
Previous Work
Based on sequential change-point detection schemes
•SYN-Dog
•ALAS (Application Layer Attack Sensor)
•TLAS (Transport Layer Attack Sensor)
Each observes the difference between two attributes:
{SYN, SYN-ACK} or {SYN, FIN}
{INVITE, 200 OK}
Shortcomings:
1) Does not present a holistic view of protocol behavior
2) An RTP stream does not have any such attribute pair
TCP Protocol Behavior (I)
Front Range GigaPoP, November 1, 2005
TCP Protocol Behavior (II)
Digital Equipment Corporation, March 8, 1995
SIP Protocol Behavior
RTP Traffic Behavior
G.711 Codec (50 packets per second)
Observations
In spite of traffic diversity, at any instant of time there is strong correlation among protocol attributes
In RTP:
• Derived Attributes :
Gaps between attributes remain relatively stable
Challenges
Is it possible to compare and quantify the gap between a number of attributes (taken at a time), observed at two different instants of time?
Determine whether two instants of time are similar (or dissimilar) with respect to protocol attribute behavior
Detection Scheme
Hellinger Distance
P and Q (each with N attributes) are two probability measures over the same N attributes, each summing to 1
The distance is bounded between 0 and 1:
The distance is 0 when P = Q.
Disjoint P and Q give the maximum distance of 1.
Distance Measurement :
Hellinger Distance of TCP Attributes
P is an array of normalized frequencies over the training data set
Q is an array of normalized frequencies over the testing data set
Distance between P and Q is computed at the end of the (n+1)th time period
Hellinger Distance of TCP Attributes:
Hellinger Distance of SIP Attributes
INVITE, 200 OK, ACK and BYE
Hellinger Distance of RTP Attributes
Detection Threshold Setup
Estimation of the threshold distance is an instance of Jacobson's fast algorithm for RTT mean and variation
This gives a dynamic threshold
Threshold Hellinger Distance
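The Hellinger-distance measurement (training set P versus testing set Q, taken at the end of each observation period) and the Jacobson-style dynamic threshold from the two preceding slides, worked through as one runnable detector. This is an added example, not code from the slides or from the vFDS authors. It uses the standard squared Hellinger distance d² = ½ Σ(√p_i − √q_i)², whose bounds (0 for identical, 1 for disjoint distributions) match the slides; the smoothing gains (g = 1/8, h = 1/4, k = 4), the window of five training periods, the SIP attribute set (INVITE, 200 OK, ACK, BYE) and the sample counts are assumptions or constructed data. The same code runs unchanged over TCP attribute counts such as (SYN, SYN-ACK, FIN).

```python
"""Hellinger-distance flooding detector with a Jacobson-style dynamic threshold.
Added example; formula, gains and sample data are assumptions (see comments)."""
from math import sqrt

# Attribute set named on the slides for SIP; the order fixes the vector layout.
SIP_ATTRIBUTES = ("INVITE", "200 OK", "ACK", "BYE")

# Constructed sample: 10 normal periods (each call contributes roughly one
# INVITE, one 200 OK, one ACK and one BYE) followed by 3 INVITE-flood periods.
SAMPLE_PERIODS = [
    (50, 48, 48, 47), (52, 50, 49, 50), (49, 47, 48, 46), (51, 50, 50, 49),
    (50, 49, 48, 48), (53, 52, 51, 50), (48, 47, 46, 46), (50, 50, 49, 48),
    (51, 49, 49, 49), (49, 48, 47, 47),
    (500, 50, 48, 47), (520, 52, 50, 49), (510, 49, 48, 48),
]


def normalize(counts):
    """Raw attribute counts -> normalized frequencies (a probability vector)."""
    total = sum(counts)
    if total == 0:
        return [0.0] * len(counts)  # empty period: no mass on any attribute
    return [c / total for c in counts]


def hellinger_distance(p, q):
    """Squared Hellinger distance d^2 = 1/2 * sum_i (sqrt(p_i) - sqrt(q_i))^2.
    Assumed standard definition: 0 when p == q, 1 when p, q are disjoint."""
    if len(p) != len(q):
        raise ValueError("P and Q must have the same number of attributes")
    return 0.5 * sum((sqrt(a) - sqrt(b)) ** 2 for a, b in zip(p, q))


class JacobsonThreshold:
    """Dynamic threshold from the smoothed mean and variation of the distances.
    Jacobson's RTT estimator: err = d - mean; mean += g*err;
    var += h*(|err| - var); threshold = mean + k*var.
    Assumed gains g=1/8, h=1/4, k=4 (the classic TCP values); the slides do
    not state the ones vFDS uses."""

    def __init__(self, g=1 / 8, h=1 / 4, k=4.0):
        self.g, self.h, self.k = g, h, k
        self.mean = None
        self.var = None

    def threshold(self):
        return self.mean + self.k * self.var

    def update(self, distance):
        if self.mean is None:  # first sample seeds mean and variation
            self.mean, self.var = distance, distance / 2
        else:
            err = distance - self.mean
            self.mean += self.g * err
            self.var += self.h * (abs(err) - self.var)
        return self.threshold()


def detect_floods(periods, train_periods=5):
    """Slide a training window over per-period count tuples and flag floods.
    P = frequencies of the counts summed over the last `train_periods`
    accepted periods (training set); Q = the current period (testing set);
    the distance is compared with the threshold built from earlier distances.
    Returns [(period index, distance, threshold, alarm), ...].
    Design choice (assumption): an alarmed period is neither added to the
    training window nor fed to the estimator, so a sustained flood cannot
    raise the threshold and mask itself."""
    results, training, est = [], [], JacobsonThreshold()
    for idx, counts in enumerate(periods):
        if len(training) < train_periods:
            training.append(counts)  # still collecting the initial training set
            continue
        p = normalize([sum(col) for col in zip(*training)])
        q = normalize(counts)
        d = hellinger_distance(p, q)
        if est.mean is None:
            thr, alarm = est.update(d), False  # first distance seeds the estimator
        else:
            thr = est.threshold()
            alarm = d > thr
            if not alarm:
                est.update(d)
        results.append((idx, d, thr, alarm))
        if not alarm:
            training.append(counts)
            training.pop(0)
    return results


if __name__ == "__main__":
    for idx, d, thr, alarm in detect_floods(SAMPLE_PERIODS):
        print(f"period {idx:2d}  d={d:.6f}  threshold={thr:.6f}  "
              f"{'ALARM' if alarm else 'ok'}")
```

With these constants the normal periods yield distances around 1e-5 against thresholds a few times larger, and the first flood period jumps to about 0.145, so the alarm fires within one observation period, as the slides report. The freezing of the training window and estimator during an alarm is worth keeping in mind as a caveat: if attack periods were fed back into the Jacobson estimator, the threshold would climb to match the flood after a single period and later flood periods would go unflagged.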
Detection of SYN Flooding Attack
Detection of INVITE Flooding
Detection of RTP Flooding Attack
Detection Accuracy and Time
High detection probability (> 80%)
Detection time varies between 1-2 observation periods
Detection resolution and sensitivity depend upon the value of the observation time period
A low value is better, but at the cost of computational resources
Conclusion
vFDS utilizes the Hellinger distance for online statistical flooding detection
Holistic view of protocol behaviors
Simple and efficient
High accuracy with short detection time
Questions