Denial of Service attacks occur when an attacker attempts to make a service provided by a service provider unavailable, for example by crashing the computer or network server(s) providing the service, or by flooding the computer or network server(s) used to provide the service with requests.
In a distributed denial of service (DDoS) attack the attacker uses a number of different unique IP addresses, typically in the thousands or tens of thousands. Ingress filtering becomes ineffective at stopping the attack because the incoming traffic, e.g., requests for service, originates (or appears to originate) from many different sources. In addition, in some attacks the attacker uses IP address spoofing, which occurs when the attacker forges the IP sender addresses included in the traffic flow, further complicating the task of distinguishing distributed denial of service attack packets from legitimate packets.
In communication networks which support Session Initiation Protocol (SIP), user equipment devices (UEs) typically register with the network before they can place or receive calls. During registration a user device sends a registration request to a registration entity that registers the user device with the network. However, there are certain SIP access deployments in which the public IP addresses used by Integrated Access Devices and/or Internet Protocol Private Branch Exchanges (IP-PBXs) are not known a priori. Furthermore, some of those deployments do not use SIP registration, and some may be operating behind a Network Address Translation (NAT) or Network Address and Port Translation (NAPT) device. In cases where one or more NAT or NAPT devices are used, with multiple instances behind the same NAT device, the source IP address/port pair of an INVITE packet is not reliable for use in determining the correct instance placing the call. For example, in some cases all SIP INVITE requests from all instances behind the same NAT or NAPT device use the same public IP address and port information for the INVITE. In such deployments, authentication is provided by the Registrar and/or Application Server challenging the SIP INVITE requests, requiring the originator of the request to provide the correct response before service will be provided.
As a result, access network elements such as access Session Border Controllers (SBCs) that receive SIP INVITE requests from unknown IP addresses in SIP INVITE authenticated deployments are susceptible to distributed denial of service attacks, as they cannot determine in advance which packets from public IP addresses are legitimate, e.g., from public IP addresses used by Integrated Access Device(s) or IP-PBXs, and which are DDoS attack packets. Furthermore, in cases in which a device behind the NAT is controlled by a malicious entity/attacker that passes the authentication test, the device controlled by the malicious entity/attacker will be able to flood the SBC and the application server.
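The following Python model, added here as an illustration and not code from the application, shows the problem stated above: two IP-PBX instances behind one NAPT device reach the SBC with an identical public source IP address/port pair, so a per-source INVITE limit applied by the SBC cannot isolate a misbehaving instance without also dropping the legitimate one. The addresses, INVITE messages and limit value are constructed samples; the From-based key is only meaningful after the Registrar/Application Server challenge described in the text has been answered.

```python
from collections import Counter

# Constructed sample: two IP-PBX instances behind one NAPT device. The access
# SBC sees every INVITE with the same public source address and port.
PUBLIC_SRC = ("203.0.113.7", 5060)  # constructed documentation address


def make_invite(from_user, call_id):
    """Build a minimal SIP INVITE as the SBC would receive it (constructed)."""
    return ("INVITE sip:bob@example.net SIP/2.0\r\n"
            f"From: <sip:{from_user}@example.net>;tag=1\r\n"
            "To: <sip:bob@example.net>\r\n"
            f"Call-ID: {call_id}\r\n"
            "CSeq: 1 INVITE\r\n\r\n")


# pbx-b misbehaves and sends three INVITEs; pbx-a then sends one legitimate one.
SAMPLE_PACKETS = [(PUBLIC_SRC, make_invite("pbx-b", f"call-{i}")) for i in range(3)]
SAMPLE_PACKETS.append((PUBLIC_SRC, make_invite("pbx-a", "call-9")))


def from_user(msg):
    """User part of the From URI. Sender-supplied, so it identifies an instance
    only once the INVITE has passed the Registrar/AS authentication challenge."""
    for line in msg.split("\r\n"):
        if line.lower().startswith("from:"):
            return line.split("sip:", 1)[1].split("@", 1)[0]
    return None


def apply_limit(packets, limit, key):
    """Per-key INVITE admission: accept until a key has exceeded `limit`.
    Returns [(from_user, accepted), ...] in arrival order."""
    seen = Counter()
    decisions = []
    for src, msg in packets:
        k = key(src, msg)
        seen[k] += 1
        decisions.append((from_user(msg), seen[k] <= limit))
    return decisions


def by_source(src, msg):
    """What the SBC can observe at the IP layer: collapses all NAPT instances."""
    return src


def by_identity(src, msg):
    """Source plus authenticated SIP identity: separates the instances."""
    return (src, from_user(msg))
```

With a limit of two INVITEs per key, keying on the source address drops pbx-a's only INVITE because pbx-b already exhausted the shared budget, whereas keying on the authenticated identity accepts it.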
From the above discussion, it should be appreciated that there is a need for new and/or improved communications methods, systems and apparatus for improving the protection and resilience of communications systems and apparatus against attacks such as DDoS attacks. Furthermore, there is a need for new and/or improved communications methods, systems and apparatus that mitigate the effects of DDoS attacks. Additionally, there is a need for new and/or improved communications methods, systems, and apparatus that provide distributed denial of service Internet Protocol packet level protection of first hop core network elements, e.g., Access Session Border Controllers, that support Integrated Access Device(s) and/or IP-PBXs operating behind NAT and/or NAPT devices. Moreover, there is a need for new and/or improved methods, systems and apparatus for providing distributed denial of service attack protection for SIP INVITE authenticated deployments from unknown IP addresses.