Network devices are designed to interoperate with each other in networks to carry services. For audio, video, or instant messaging, the Session Initiation Protocol (SIP) may be used. SIP is a communications protocol standardized in RFC 3261; it defines the messages exchanged between peers to govern the establishment, termination, and other essential elements of a call. SIP is used for creating, modifying, and terminating two-party or multiparty sessions.
For SIP in a network, a SIP Application Layer Gateway (ALG) becomes an indispensable function of edge routers or firewall devices. These gateway devices may modify SIP messages so that they can traverse network address translation (NAT), open pinholes on behalf of a firewall for the SIP traffic, act as a proxy, or perform other gateway functions. To perform these functions, the SIP ALG maintains application state for each SIP session, which makes the SIP ALG a possible target of denial-of-service (DoS) or distributed DoS (DDoS) attacks.
In a DoS or DDoS attack, many SIP messages are sent in an attempt to overburden the SIP ALG or a SIP server. Because the SIP ALG is located in the transit network, the attack volume it sees may be much larger than that targeted at a single SIP server. Besides being able to handle attack traffic effectively, the DoS/DDoS countermeasures on the SIP ALG should be as simple as possible so as not to significantly degrade performance.
Most SIP ALG implementations borrow ideas from SIP servers to counter DoS/DDoS attacks. SIP requests sent to a specific SIP server may be rate limited, for example with a leaky bucket algorithm. Negative responses from a SIP server may be counted. Once a limit is reached, any SIP request to that SIP server is discarded. While these implementations are suitable for SIP servers, they may not work well for a SIP ALG. The appropriate leaky bucket rate or negative-response threshold may vary from one SIP server to another, and the SIP ALG may not have the information needed to choose a suitable upper limit for traffic throttling.
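To make the server-style countermeasures concrete, the following is an added example (not code from the page or from any particular ALG product) of the two mechanisms just described, keyed per destination SIP server: a leaky bucket that limits the rate of requests forwarded to each server, and a counter of negative (4xx and above) responses that, once it reaches a threshold, causes further requests to that server to be discarded. The `rate`, `capacity` and `neg_limit` values, the hostname `sip.example.com`, and the traffic driven through `simulate()` are all constructed for the example; note that every one of those thresholds has to be configured per server, which is exactly the information the text says an ALG in the transit network may lack. Responses are attributed to a server by a caller-supplied host rather than by parsing the Via header, which is a simplification.

```python
"""Per-SIP-server leaky bucket and negative-response counting, as a SIP ALG
might apply them (illustrative example, not the page's own design)."""
import re
from dataclasses import dataclass

# Request line: METHOD sip:[user@]host[:port][;params] SIP/2.0
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+) sips?:(?:[^@\s]+@)?(?P<host>[^:;\s>]+)[^\s]* SIP/2\.0"
)
# Status line: SIP/2.0 <3-digit code> <reason>
STATUS_LINE = re.compile(r"^SIP/2\.0 (?P<code>\d{3}) ")


def sip_target(message):
    """Return the host of the Request-URI, or None if the message is not a request."""
    m = REQUEST_LINE.match(message)
    return m.group("host") if m else None


def sip_status(message):
    """Return the numeric status code of a response, or None for a request."""
    m = STATUS_LINE.match(message)
    return int(m.group("code")) if m else None


@dataclass
class LeakyBucket:
    rate: float        # drain rate in requests per second
    capacity: float    # largest burst that is let through
    level: float = 0.0 # current fill level
    last: float = 0.0  # timestamp of the last update

    def allow(self, now):
        """Drain by the elapsed time, then accept the request if it fits."""
        self.level = max(0.0, self.level - (now - self.last) * self.rate)
        self.last = now
        if self.level + 1 > self.capacity:
            return False
        self.level += 1
        return True


class SipAlgThrottle:
    """Forward or drop SIP requests per destination server."""

    def __init__(self, rate, capacity, neg_limit):
        self.rate, self.capacity, self.neg_limit = rate, capacity, neg_limit
        self.buckets = {}     # server host -> LeakyBucket
        self.neg_counts = {}  # server host -> count of negative responses

    def on_request(self, message, now):
        host = sip_target(message)
        if host is None:
            return "forward"  # not a request; responses go through on_response
        if self.neg_counts.get(host, 0) >= self.neg_limit:
            return "drop"     # server already returned too many failures
        bucket = self.buckets.setdefault(host, LeakyBucket(self.rate, self.capacity))
        return "forward" if bucket.allow(now) else "drop"

    def on_response(self, host, message):
        """Count 4xx/5xx/6xx responses seen from the given server (host is an assumption)."""
        code = sip_status(message)
        if code is not None and code >= 400:
            self.neg_counts[host] = self.neg_counts.get(host, 0) + 1


def simulate():
    """Drive the throttle with constructed traffic and report what happened."""
    throttle = SipAlgThrottle(rate=2.0, capacity=5, neg_limit=3)
    invite = "INVITE sip:bob@sip.example.com SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.10\r\n\r\n"
    # A burst of ten INVITEs at t=0: only the first five fit in the bucket.
    burst = [throttle.on_request(invite, now=0.0) for _ in range(10)]
    # One second later the bucket has drained by two, so two more fit.
    after_drain = [throttle.on_request(invite, now=1.0) for _ in range(3)]
    # Three negative responses from the server reach neg_limit.
    for _ in range(3):
        throttle.on_response("sip.example.com", "SIP/2.0 503 Service Unavailable\r\n\r\n")
    after_neg = [throttle.on_request(invite, now=2.0) for _ in range(3)]
    return {
        "burst_forwarded": burst.count("forward"),
        "burst_dropped": burst.count("drop"),
        "after_drain_forwarded": after_drain.count("forward"),
        "after_neg_limit_forwarded": after_neg.count("forward"),
    }


if __name__ == "__main__":
    print(simulate())
```

Running the module prints the per-phase counts: five of the ten burst requests are forwarded, two more are admitted after a second of drain, and none are forwarded once the negative-response limit has been hit. Changing `rate`, `capacity` or `neg_limit` for one server changes these outcomes, which illustrates why a single ALG-wide setting is a poor fit when the servers behind it differ.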