Attacks on Internet communication networks known as a “Denial of Service” (DoS) attacks are a serious problem. Examples of some widely known DoS attacks are Teardrop, TCP SYN Flood, Smurf, Buffer Overflow etc. Each of these attacks can be mapped to one of the seven layers of the OSI model: By way of background, the “Open Systems Interconnection” protocol (OSI) comprises a seven layer model: Application (layer 7); presentation (layer 6); session (layer 5); transport (layer 4); network (layer 3); data link (layer 2); and physical (layer 1). The Teardrop attack targets the Network Layer, TCP SYN Flood and Smurf attacks target the transport Layer. Some buffer overflow attacks target higher layer protocols. In “Voice over Internet Protocol” (VoIP) systems, an attack could occur at the higher session layer utilizing vulnerabilities inside “Session Internet Protocol” (SIP), H.323, MGCP, or Megaco etc. The attack could also occur at the higher application layer. We will take SIP as an example: An attack on the session and application layers using SIP may comprise the following scenarios. SIP packets are received from an SIP entity or a group of SIP entities:                where packets are malformed; i.e., they are not formed in accordance with well known, expected and legal SIP grammar (session layer);        packets contain SIP headers or body types or parameters which are legal but which exploit a vulnerability on an end point or server to which they are directed (session layer);        SIP registrations may come from attackers which tend to steal services from legitimate subscribers or devices (application layer);        packets may simply be sent at a higher rate to exhaust either the intermediate servers or the end devices which are targeted (session layer).        
For VoIP, so-called “user agents” (UA) operating at the application layer send and receive information packets by use of the Session Internet Protocol (SIP), H.323, MGCP, Megaco etc. SIP is by far the most commonly used protocol for VoIP based communications.
Current solutions for DoS attacks implement network and/or transport layer 3/4 based solutions for VoIP and other application traffic. However, in most cases, existing layer 3/4 systems to prevent DoS attacks may not be able to thwart the attack since the attack is not “visible” at the L3/L4 level (e.g. SIP and SDP based applications operates at the session layer 5 and above). Most attacks may not show a pattern at layer 3 and 4 or may not be detectable as a packet rate based attacks. Also, the L3/L4 address may be variable while the session layer and application layer identity (like username/password) indicated hereafter as the Address-of-Record (A-O-R)) may be the same. For example, the attacker may move frequently in the network across wireless hotspots and issue the same attack from different L3/L4 domains
An attacker may also launch a multitude of rate based attacks from mobile locations. Only the application layer has the information which L3/L4 identities have been authenticated. A simple L3/L4 based solution would allow the attacker to steal scarce network resources from authenticated users. An extreme example is an E911 DoS Attack, where the attacker sends packets which look like emergency calls to the server and a Public Safety Access Point (PSAP) to inundate them with fake calls. The system may thus be unable to process valid E911 calls from a real disaster zone.
In another scenario, a legitimate user may be unaware of bugs or viruses in a software he/she downloads from the Internet. The attacker may send traffic towards another user in a P2P (peer-to-peer) session, which may crash or cause unpredictable behavior on the peer user. The downloaded software may be authentic or may have been compromised.
In the above, a situation has been described in which it is not possible to pin the attacker to a unique L3/L4 address because the attacker may be mobile.
There is another case when it is hard to pinpoint a unique association between the attacker and a L3/L4 address. For example, an attacker who hacks into a VoIP “Private Branch Exchange” (PBX) and assumes the identity of one or more users by gaining access to their user ID and password. The attacker then initiates the attack by mixing malicious calls among authentic calls. Such an attack cannot be prevented simply by a L3/L4 based solution without blocking service to the entire set of users behind that PBX (thus denying service as well). Thus previous layer 3/4 solutions can be ineffective and impractical.