One type of communication network gaining popularity is an IP Multimedia Subsystem (IMS) network. As set forth in the 3rd Generation Partnership Project (3GPP) or 3GPP2, IMS provides a common core network having access-agnostic network architecture for converged networks. Service providers are using this architecture in next-generation network evolution to provide multimedia services to mobile users (and also fixed access users). IMS uses IP (Internet Protocol), and more specifically uses Session Initiation Protocol (SIP) as the call control protocol. As the deployments of IMS networks proliferate, there is a need to secure the IMS infrastructure (“IMS core”) against SIP-based attacks. One way to do so is through a SIP firewall, which is loosely defined as a device that blocks attacks mounted through SIP messages.
The most difficult attacks that the SIP firewall must deal with are Distributed Denial of Service (DDoS) attacks, which consist, for example, in massively flooding the SIP firewall with correctly formatted, SIP-compliant registration requests coming from a very large number of sources in an attempt to overload the network. The access border is the most vulnerable because the access network can be partly or fully public, and the number of fixed or mobile users connecting to the access border can be extremely large, which makes “per subscriber” security rules impractical. To complicate the matter, subscribers (or hackers) can connect via SIP proxies, or from a PBX, so that many distinct users share one source IP address, making IP source-based rejection rules ineffective. Advantageously, the firewall should stop the flooding to protect the next node (called a protected node), but on the other hand, the firewall must not close the door to initial registrations from legitimate users, otherwise the DDoS attack will have succeeded. It is a complex problem because in an IMS network, the firewall has no way to distinguish between “good” registrations (i.e., from legitimate users) and “bad” registrations (i.e., associated with a DDoS attack), since only the next protected node can perform authentication.
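The following simulation is an added illustration and is not part of the patent text or of any product it describes. It constructs sample SIP REGISTER requests (users, IP addresses and the proxy address are all made up), parses the topmost Via and the From user, and applies the two naive rules the paragraph above rules out: a per-source-IP rate limit and an aggregate cap on what is forwarded to the protected node. With each bot sending only one REGISTER per second from its own address, the per-IP rule forwards the whole flood; when the same traffic arrives through one proxy or PBX, the per-IP rule also blocks the legitimate users; and the aggregate cap protects the node but turns away legitimate registrations that arrive after the flood has consumed the budget, which is exactly the dilemma the text describes.

```python
"""Added illustration (not part of the patent text): why simple rate rules at
the IMS access border fail against a REGISTER flood. All traffic is constructed."""
import re
from collections import defaultdict

LEGIT_USERS = [f"user{i}" for i in range(5)]   # constructed legitimate subscribers
PROXY_IP = "198.51.100.7"                        # constructed SIP proxy / PBX address


def build_register(src_ip: str, user: str, cseq: int) -> str:
    """Minimal, RFC 3261-shaped REGISTER request (constructed sample)."""
    return (
        "REGISTER sip:ims.example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {src_ip}:5060;branch=z9hG4bK{cseq}\r\n"
        f"From: <sip:{user}@ims.example.net>;tag=t{cseq}\r\n"
        f"To: <sip:{user}@ims.example.net>\r\n"
        f"Call-ID: {cseq}-{user}@{src_ip}\r\n"
        f"CSeq: {cseq} REGISTER\r\n"
        f"Contact: <sip:{user}@{src_ip}:5060>\r\n"
        "Content-Length: 0\r\n\r\n"
    )


REQ_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
VIA_HOST = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;:\s]+)", re.I | re.M)
FROM_USER = re.compile(r"^From:.*?<sip:([^@>]+)@", re.I | re.M)


def parse_register(raw: str):
    """Return {'via_ip', 'user'} for a well-formed REGISTER, else None.
    The topmost Via is the last hop, so a proxy hides the real originator."""
    first_line = raw.split("\r\n", 1)[0]
    m = REQ_LINE.match(first_line)
    if not m or m.group(1) != "REGISTER":
        return None
    via, frm = VIA_HOST.search(raw), FROM_USER.search(raw)
    if not via or not frm:
        return None
    return {"via_ip": via.group(1), "user": frm.group(1)}


def per_source_limit(events, max_per_window, window=1.0):
    """Naive rule: at most max_per_window REGISTERs per Via source IP per window."""
    counts, accepted = defaultdict(int), []
    for t, raw in events:
        msg = parse_register(raw)
        if msg is None:
            continue
        key = (msg["via_ip"], int(t // window))
        if counts[key] < max_per_window:
            counts[key] += 1
            accepted.append(msg)
    return accepted


def aggregate_limit(events, capacity_per_window, window=1.0):
    """Naive rule: forward at most capacity_per_window REGISTERs per window in
    total, i.e. never exceed what the protected node can absorb."""
    counts, accepted = defaultdict(int), []
    for t, raw in events:
        msg = parse_register(raw)
        if msg is None:
            continue
        bucket = int(t // window)
        if counts[bucket] < capacity_per_window:
            counts[bucket] += 1
            accepted.append(msg)
    return accepted


def scenario(n_bots=200, seconds=2, via_proxy=False):
    """Each second: n_bots distinct sources send one REGISTER each (well under any
    sane per-IP limit), then the 5 legitimate users register. With via_proxy every
    message carries the same topmost Via, as it would behind a SIP proxy or PBX."""
    events = []
    for sec in range(seconds):
        for b in range(n_bots):
            ip = PROXY_IP if via_proxy else f"10.0.{b // 256}.{b % 256}"
            events.append((sec + 0.1 + b * 1e-3, build_register(ip, f"bot{b}", sec + 1)))
        for i, user in enumerate(LEGIT_USERS):
            ip = PROXY_IP if via_proxy else f"192.0.2.{i + 1}"
            events.append((sec + 0.5 + i * 1e-3, build_register(ip, user, sec + 1)))
    return sorted(events, key=lambda e: e[0])


def evaluate(events, policy, **kw):
    """How many REGISTERs reach the protected node, and how many are legitimate."""
    accepted = policy(events, **kw)
    legit = sum(1 for m in accepted if m["user"] in LEGIT_USERS)
    return {"forwarded": len(accepted), "legit_forwarded": legit}


if __name__ == "__main__":
    for label, ev in (("direct flood", scenario()),
                      ("flood via one proxy", scenario(via_proxy=True))):
        print(label,
              "| per-IP <= 5/s:", evaluate(ev, per_source_limit, max_per_window=5),
              "| aggregate <= 50/s:", evaluate(ev, aggregate_limit, capacity_per_window=50))
```

Running it shows 410 forwarded (all 10 legitimate) under the per-IP rule for the direct flood, only 10 forwarded (none legitimate) once everything shares the proxy's Via, and 100 forwarded (none legitimate) under the aggregate cap in both cases. The firewall cannot tell `bot17` from `user3` from the message alone; only the protected node, which holds the credentials, can.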