Session Initiation Protocol (SIP) is an application-layer control (i.e., signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions may include Internet-based telephone calls, multimedia distribution, multimedia conferences, instant messaging conferences, interactive voice response (IVR), automated and manual operator services, automatic call distribution, call routing, etc. SIP invitations or INVITES may be used to create sessions and may carry session descriptions that allow participants to agree on a set of compatible media types. SIP may use proxy servers to help route requests to a user's current location, authenticate and authorize users for services, implement provider call-routing policies, and/or provide other features to users. SIP may also provide a registration function that allows users to upload their current locations for use by proxy servers.
Denial of Service (DoS) attacks may be characterized by explicit attempts of attackers to prevent legitimate users from using a service. DoS attacks continue to be the main threat facing network operators. As telephony services move to IP (Internet Protocol) networks, Voice over IP (VoIP) infrastructure components and end devices, may become attractive DoS attack targets. For example, carriers have begun a program for the delivery of advanced voice and data services over IP that implements security measures in order to protect both the service providing the network assets, as well as the customer networks from service disruption. As service providers develop value added revenue sources based on IP application services, the open nature of the IP infrastructure may put those revenue sources at risk. VoIP is the first, and most prominent of these IP application services. Availability means that the service is there when desired. With voice traveling over an Internet-based network (VoIP), issues such as DoS and distributed DoS attacks represent a significant threat to the availability of the services. DoS may be attempts to disable the functionality of a target, as opposed to gaining operational control of the target. As such, DoS attacks may be more difficult to defend against than traditional invasive exploits. There are already known SIP-based signaling attacks against VoIP, and the protocol itself may be vulnerable to software exploits and persistent protocol transactions that degrade its performance.
There may be three basic types of DoS attacks that might occur over a VoIP network: (1) exploiting implementation flaws (e.g., ping-of-death attack, invalid call setup messages, invalid media, malformed signaling, etc.); (2) exploiting application level vulnerability (e.g., registration hijacking, call hijacking, modify media sessions, session teardown, amplification attacks, media stream attacks, etc.); and (3) flooding (e.g., SIP channel flooding, RTP channel flooding, etc.). These attacks may target a VoIP component, such as a SIP proxy, or a supporting server, such as a Domain Name System (DNS) server, a Directory server, or a Dynamic Host Configuration Protocol (DHCP) server. A DoS attack against a supporting server could affect the VoIP service in different ways. For example, an attack against a certain domain's DNS server could deny VoIP calls destined to users in that domain. Another example could be an attack against a Directory Service, which is used by a SIP proxy server to store address-of-record to UA mappings, and could result in Denial-of-Service to the UAs that registers to this proxy.