Design and implementation of SIP-aware DDoS attack detection system

By: Arif Iqbal

Distributed Denial of Service

Types of DDoS Attacks

Physical Layer

Internet Layer

Transport Layer

Data Link Layer

Network Centric Attack

Application Layer

Application Layer Attack

Application Layer

Transport Layer

Internet Layer

Physical Layer

Data Link Layer

Why DDoS Attack

. Very Easy to Launch

. No Special Resources Required

. No special Skills are required

. Target are open on internet -> TO receive all request.

Attack Detection System

. SIP application traffic statistics

. SIP DDoS attack detection threshold Stored. Applying knowledge base rules to each user agent. Monitoring activities of -> User -> Call -> Server

User behavior Analysis

. REGISTER Message Transmit Period

. Number of INVITE Message

. From/ To/ Call-ID Ratio Analysis

. Top N traffic User Analysis

Call Behavior Analysis

. Call-ID/SSRC Ratio Analysis

. Req/Res Ratio Analysis

. Method per Transmission Rate Analysis. IP/URI Ratio Analysis within REGISTER Message. RTP Seq. No Randomness per SSRC

Server/network Status Analysis

• SIP/RTP Traffic Volume Transition Analysis

• Status code Ration Analysis per server

• QoS Change Analysis

Test Environment

Critique and Criticism

Critique and Criticism

. Transport Layer Security-> UDP flood -> TCP state exhaustion attacks-> SYN floods. IP Layer Security-> Spoofed Internet Protocol(IP) packet floods-> ICMP flood attacks. . Data Link Layer Security-> Fragmentation Attack

Thanks

Any Question