Voice over packet (VOP) is a process of sending voice or video signals over the Internet or other communications networks, such as intranets. If the telephone signal is in analog form (voice or fax), the signal is first converted to a digital form. Packet-routing information is then added to the digital voice signal so the voice signal can be routed through the Internet or other data networks.
Realtime Transport Protocol (RTP) is a protocol implemented to carry content in a packet network. The content may be audio, video, or other media in packet form. RTP packets move across the packet network in data streams from one endpoint to another. These RTP streams contain timestamp and sequence number fields in each RTP packet. Each RTP packet may be uniquely identified by a timestamp and sequence number. As an RTP stream progress, the timestamp and sequence number fields in each RTP packet typically increment in a predictable pattern. Several things may influence the predictable pattern including, but not limited to, the type of codec in use.
One of the drawbacks to RTP is that it allows flexibility in determining what is an acceptable RTP packet based on its timestamp and sequence number fields. Variations in the timestamp and sequence number fields are allowed in RTP which may lead to invalid packets being allowed in the packet network.
One issue that is not adequately addressed within the art concerns denial of service (DOS). One exemplary DOS attack utilizes a hostile machine creating forged (spoofed) messages that appear to originate from legitimate senders. The hostile machine sends the spoofed messages to a targeted destination. With a sufficiently large number of spoofed messages, the target's phone (or data) services become clogged and rendered inoperable. RTP streams are currently not validated or policed beyond simple checks.
A successful DOS attack may result in crashing a particular element. When dealing with a phone, the phone may no longer accept user input and no longer be unusable. Furthermore, the element may enter a reboot cycle as a result of the DOS attack and/or the element may require manual intervention to bring the element back online. Successful DOS attacks may also result in the inability of the element to process additional calls since the element is flooded with malicious messages and cannot process valid messages. Thus, the DOS attack makes service unavailable to legitimate users, who will typically experience a busy signal or “dead air.” Finally, a successful DOS attack often results in degradation in the voice quality of the service. This degradation is due, in part, to a decrease in available band-width and processor resources. Voice quality can be measured by a Mean Opinion Score (MOS) and typical DOS attacks may result in a decreased MOS from acceptable to unacceptable, where 2.5 is considered the minimum acceptable MOS.
A solution is needed to reduce malicious DOS attacks in a packet network. The solution needs to detect the presence of malicious packets, and remove them or reduce their impact.