SESSION INITIATION PROTOCOL (SIP) is an emerging standard to facilitate voice over packet (VoP) technologies. VoP is a process of sending voice or video signals over the Internet or other communications networks, such as intranets. If the telephone signal is in analog form (voice or fax), the signal is first converted to a digital form. Packet-routing information is then added to the digital voice signal so the voice signal can be routed through the Internet or other data networks. Moreover, SIP can be used in instant-messaging (IM) or other real-time collaboration applications and in “presence” applications, such as “buddy lists.”
SIP may work in concert with other protocols and is involved in the signaling portion of a communication session. SIP acts as the carrier for Session Description Protocol (SDP), which describes the media content of a session. SDP describes, for example, what IP ports to use and the codec being used during a particular session. In typical use, SIP sessions are control sessions for packet streams of Real-time Transport Protocol (RTP). RTP is the carrier for the actual voice or video content itself.
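The layering described above, as an added example that is not part of the original text: a constructed SIP INVITE whose body is SDP, and a small parser that separates the signaling headers from the media description (RTP address, port and codecs). The function names `parse_sdp` and `describe_session` and all sample values are assumptions made for illustration.

```python
# Constructed sample data: every name, address and tag below is made up.
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

def parse_sdp(body):
    """Return the connection address and, per m= line, port and codecs."""
    address, media = None, []
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        if kind == "c":        # simplified: the last c= line wins
            address = value.split()[2]
        elif kind == "m":      # m=<type> <port> <proto> <payload types...>
            mtype, port, *_ = value.split()
            media.append({"type": mtype, "port": int(port), "codecs": {}})
        elif kind == "a" and value.startswith("rtpmap:") and media:
            pt, codec = value[len("rtpmap:"):].split(None, 1)
            media[-1]["codecs"][pt] = codec
    return address, media

def describe_session(message):
    """Split SIP signaling from its SDP payload and summarize the media."""
    head, _, body = message.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    fields = (line.partition(":") for line in header_lines)
    headers = {n.strip().lower(): v.strip() for n, _, v in fields}
    if headers.get("content-type") != "application/sdp":
        return None            # signaling only, no media description
    if int(headers.get("content-length", "-1")) != len(body.encode()):
        raise ValueError("Content-Length does not match the body")
    address, media = parse_sdp(body)
    return {"method": start.split()[0], "from": headers["from"],
            "rtp_address": address, "media": media}
```

Calling `describe_session(SAMPLE_INVITE)` returns the method and `From` value from the SIP layer alongside the RTP address, port and codec map taken from the SDP layer.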
SIP-compliant services are still immature in many ways. As a result, the tools and techniques that have been developed over the years to secure and protect many other IP-based services have not yet become available to SIP-compliant services. So while SIP-compliant services inherit many of the vulnerabilities of being an IP-based service, they enjoy few of the protections afforded other IP-based services. One issue that is not adequately addressed within the art concerns denial of service (DOS) attacks. One exemplary DOS attack utilizes a hostile machine creating forged (spoofed) messages that appear to originate from legitimate senders. The hostile machine sends the spoofed messages to a targeted destination. With a sufficiently large number of spoofed messages, the target's phone (or data) services become clogged and rendered inoperable. Although the SIP standard does specify a method for authenticating messages, the built-in authentication mechanisms are not generally used because they are costly in terms of the processing power required and can cause additional problems such as increased call setup times.
A successful DOS attack may result in crashing a particular SIP element. When dealing with a phone, the phone may no longer accept user input and may no longer be usable. Furthermore, the SIP element may enter a reboot cycle as a result of the DOS attack and/or the element may require manual intervention to bring the element back online. Successful DOS attacks may also result in the inability of the element to process additional calls since the element is flooded with malicious SIP messages and cannot process valid messages. Thus, the DOS attack makes service unavailable to legitimate users, who will typically experience a busy signal or “dead air.” Finally, a successful DOS attack often results in degradation in the voice quality of the service. This degradation is due, in part, to a decrease in available bandwidth and processor resources. Voice quality can be measured by a Mean Opinion Score (MOS) and typical DOS attacks may result in a decreased MOS from acceptable to unacceptable, where 2.5 is considered the minimum acceptable MOS.