Denial of service (DoS) and distributed denial of service (DDoS) attacks are serious problems for service providers and for businesses operating equipment in a packet network. The problems can arise when the Realtime Transport Protocol (RTP) is implemented, but may also arise with other protocols operating in the packet network.
RTP is a protocol implemented to carry content in a packet network. The content may be audio, video, or other media in packet form. RTP packets move across the packet network in data streams from one endpoint to another. Each RTP packet in such a stream carries a timestamp field and a sequence number field, and within a stream each packet may be identified by its sequence number and timestamp. As an RTP stream progresses, the timestamp and sequence number fields typically increment from one packet to the next in a predictable pattern. Several factors may influence that pattern, including, but not limited to, the type of codec in use (for example, the number of clock ticks by which the timestamp advances per packet depends on the codec's sampling rate and packetization interval).
One drawback of RTP is the flexibility it allows in determining whether an RTP packet is acceptable on the basis of its timestamp and sequence number fields. Because RTP tolerates variation in these fields (a receiver is expected to cope with lost, reordered, and late packets), a packet whose fields deviate from the expected pattern is not necessarily rejected, and invalid packets may therefore be allowed into the packet network.
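The following example is added here to illustrate the point above; it is not part of the original application text. It parses the fixed RTP header, then contrasts a lenient check that accepts any packet carrying the expected stream identifier (SSRC) with a strict check that requires the sequence number and timestamp to advance in the predictable pattern. The sample packets are constructed for the example, and the assumption of a constant-rate codec advancing the timestamp by 160 clock ticks per packet (G.711 at 8 kHz with 20 ms packetization) is an assumption of the example, as are the names StreamValidator and build_rtp_packet.

```python
import struct
from dataclasses import dataclass

RTP_VERSION = 2


@dataclass
class RtpHeader:
    version: int
    padding: bool
    extension: bool
    csrc_count: int
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int


def parse_rtp_header(packet: bytes) -> RtpHeader:
    """Parse the fixed 12-byte RTP header (RFC 3550, section 5.1)."""
    if len(packet) < 12:
        raise ValueError("packet shorter than fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    version = b0 >> 6
    if version != RTP_VERSION:
        raise ValueError(f"unsupported RTP version {version}")
    return RtpHeader(version, bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F,
                     bool(b1 & 0x80), b1 & 0x7F, seq, ts, ssrc)


def build_rtp_packet(seq: int, ts: int, ssrc: int, payload_type: int = 0,
                     payload: bytes = b"\x00" * 160) -> bytes:
    """Build a minimal RTP packet (no CSRCs, no extension) for the example."""
    return struct.pack("!BBHII", RTP_VERSION << 6, payload_type & 0x7F,
                       seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def ssrc_only_check(packets, expected_ssrc: int):
    """Lenient check: the tolerance RTP allows lets any packet with the
    right SSRC through, regardless of its sequence number or timestamp."""
    return ["accept" if parse_rtp_header(p).ssrc == expected_ssrc else "reject"
            for p in packets]


class StreamValidator:
    """Strict check for one RTP stream.

    Assumes a constant-rate codec (assumption of this example): each packet
    advances the timestamp by ts_step ticks, so over a gap of k sequence
    numbers the timestamp must advance by exactly k * ts_step. Codecs with
    silence suppression legitimately jump the timestamp, so a deployment
    would need a looser bound there; that looseness is exactly the
    flexibility the text above refers to.
    """

    def __init__(self, ts_step: int, max_seq_gap: int = 16):
        self.ts_step = ts_step
        self.max_seq_gap = max_seq_gap
        self.ssrc = self.last_seq = self.last_ts = None

    def check(self, packet: bytes) -> str:
        hdr = parse_rtp_header(packet)
        if self.ssrc is None:  # first packet establishes the stream state
            self.ssrc, self.last_seq, self.last_ts = hdr.ssrc, hdr.sequence, hdr.timestamp
            return "accept"
        if hdr.ssrc != self.ssrc:
            return "reject: unknown SSRC"
        # Modular arithmetic handles the 16-bit and 32-bit wrap-around.
        seq_delta = (hdr.sequence - self.last_seq) & 0xFFFF
        if seq_delta == 0 or seq_delta > self.max_seq_gap:
            return "reject: sequence number out of window"
        ts_delta = (hdr.timestamp - self.last_ts) & 0xFFFFFFFF
        if ts_delta != seq_delta * self.ts_step:
            return "reject: timestamp inconsistent with sequence number"
        self.last_seq, self.last_ts = hdr.sequence, hdr.timestamp
        return "accept"


def strict_check(packets, ts_step: int = 160):
    v = StreamValidator(ts_step)
    return [v.check(p) for p in packets]


def demo_packets():
    """Constructed sample stream: four legitimate packets followed by three
    hostile ones that a lenient SSRC-only check would mostly let through."""
    ssrc = 0x1234ABCD
    good = [build_rtp_packet(1000 + i, 5000 + i * 160, ssrc) for i in range(4)]
    wrong_ts = build_rtp_packet(1004, 99999, ssrc)             # valid SSRC and seq, bogus timestamp
    wrong_ssrc = build_rtp_packet(1005, 5000 + 5 * 160, 0xDEADBEEF)
    replay = build_rtp_packet(1001, 5000 + 160, ssrc)          # old packet re-injected
    return good + [wrong_ts, wrong_ssrc, replay]


if __name__ == "__main__":
    pkts = demo_packets()
    for lenient, strict in zip(ssrc_only_check(pkts, 0x1234ABCD), strict_check(pkts)):
        print(f"{lenient:8s} | {strict}")
```

Run as a script, the example shows that the lenient check passes the packet with a bogus timestamp and the replayed packet, while the strict check rejects both and also rejects the packet carrying a foreign SSRC.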
One issue that is not adequately addressed within the art concerns denial of service (DoS). In one exemplary DoS attack, a hostile machine creates forged (spoofed) messages that appear to originate from legitimate senders and sends them to a targeted destination. With a sufficiently large number of spoofed messages, the target's phone (or data) services become clogged and are rendered inoperable.
A successful DoS attack may result in crashing a particular element. When the element is a phone, the phone may no longer accept user input and may become unusable. Furthermore, the element may enter a reboot cycle as a result of the DoS attack, and/or manual intervention may be required to bring the element back online. A successful DoS attack may also leave the element unable to process additional calls, since the element is flooded with malicious messages and cannot process valid ones. The DoS attack thus makes service unavailable to legitimate users, who will typically experience a busy signal or "dead air." Finally, a successful DoS attack often degrades the voice quality of the service. This degradation is due, in part, to a decrease in available bandwidth and processor resources.
Even more dangerous than DoS attacks are distributed denial of service (DDoS) attacks. DDoS attacks are more difficult to counter because an attack on a targeted element may originate from several sources simultaneously, so that no single source address can be blocked to stop it. The objective is to flood the targeted element with malicious or invalid packets to achieve the same result described above for an ordinary DoS attack. The targeted element becomes overwhelmed with malicious or invalid packets to the point where it ceases operation or goes into an initialization phase.
Some businesses have implemented techniques to reduce DoS and DDoS attacks, referred to together hereafter as DoS attacks, by deploying mitigating equipment that can evaluate a packet and determine whether the packet is malicious or invalid. This mitigating equipment is dedicated to a business, either by being configured for that business by a service provider or by being purchased directly by the business.
The mitigating equipment is usually loaded with configuration information for the business/customer that needs the protection. Since a unit of mitigating equipment can process (or evaluate) packets only up to its capacity, in the gigabyte range, an implementer has to determine how many units are needed for a particular customer. This involves guesswork, since it is difficult to estimate the volume of malicious or invalid packets that may be directed at the customer when a DoS attack occurs. Once the configuration information is loaded into the mitigating equipment and the equipment is installed in the packet network, it must be monitored to ensure that the customer has sufficient protection. If changes are needed, they must be made manually to the mitigating equipment. If the capacity of one unit is exceeded, additional mitigating equipment must be installed or purchased for the customer.
The unfortunate aspect of the dedicated solution described above is that if a second customer experiences a DoS attack, the second customer cannot use the first customer's mitigating equipment: as discussed above, that equipment is dedicated only to the first customer and carries configuration information corresponding to the first customer. Another unfortunate aspect is that when packet traffic is normal, cost is wasted on idle mitigating equipment sitting in the packet network dedicated to one customer. With this configuration, some customers may be hesitant to take on the cost of purchasing mitigating equipment that may sit idle in the packet network for extended periods of time. However, a customer that forgoes mitigating equipment risks having inadequate protection against a potential DoS attack. Customers therefore face a dilemma: invest significant monies in purchasing DoS protection, or gamble that their equipment will not incur a DoS attack.
A solution is needed to reduce malicious DoS attacks in the packet network that would allow customers or businesses to share mitigating equipment and potentially share costs associated with implementing the mitigating equipment. The solution needs to protect various customers or businesses from malicious or invalid packets whether the attack is a DoS or DDoS type.