DOI: 10.1145/1326304.1326314
research-article

Denial of service attack and prevention on SIP VoIP infrastructures using DNS flooding

Published: 19 July 2007

Abstract

A simple yet effective Denial of Service (DoS) attack on SIP servers is to flood the server with requests addressed to irresolvable domain names. In this paper we evaluate different possibilities to mitigate these effects and show that over-provisioning is not sufficient to handle such attacks. As a more effective approach, we present a solution called the DNS Attack Detection and Prevention (DADP) scheme, based on the usage of a non-blocking DNS cache. Based on various measurements conducted over the Internet, we investigate the efficiency of the DADP scheme and compare its performance with different caching strategies applied.

Reviews

Vijay K Gurbani

A session initiation protocol (SIP) proxy sends requests toward other SIP servers by querying domain name system (DNS) entries that correspond to the uniform resource identifier (URI) present in an incoming request. Thus, a relatively easy way to attack a proxy would be to send it a storm of requests with bogus URIs. The processing capacity of the proxy will then be a function of how it services each DNS lookup (synchronously or asynchronously). The latter allows it to process more SIP requests per given time unit; however, until the DNS lookup succeeds (or returns a failure response), the relative throughput of the proxy will stagnate and decrease, while the processing time will increase due to multiple requests queueing up. This paper investigates the effects of DNS flooding attacks on a SIP proxy. The paper suggests using a scheme called the DNS attack detection and prevention scheme (DADP), which basically relocates the DNS cache to a part of the SIP proxy. A cache of about 270 entries is maintained by a SIP proxy, and is consulted prior to a DNS lookup. (The authors experimentally show that increasing the cache count to hold more than 270 entries does not result in further performance gains.) This cache contains more-than-normal DNS A/AAAA resource records (RRs); it also contains service location (SRV) and naming authority pointer (NAPTR) RRs that SIP uses to locate servers. (When a SIP proxy locates a server, it does at least three DNS lookups: a NAPTR query, an SRV query, and an A/AAAA query.) While some of the RRs returned may contain information in the additional record section, this is not always the case; further lookups may be needed to resolve the Internet protocol (IP) addresses corresponding to an SRV name. Thus, performance is enhanced due to localized caching. A DADP scheme is also provided with a threshold that, when hit, causes the proxy to only consult the cache and not do any DNS queries until the threshold value decreases.
The proxy is able to continue normal operations under a sustained DNS attack by relying exclusively on the cache contents, thereby allowing the proxy to serve running sessions and new sessions destined for servers whose information already exists in the cache. The DADP scheme appears to be responsive to DNS-based denial of service (DoS) attacks on a SIP proxy. The experimental data provided by the author argues convincingly for its implementation to make SIP proxies resilient against such attacks.

Online Computing Reviews Service
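
A sketch of the cache-first, threshold-gated lookup described in the review above, added here as an illustration; it is not code from the paper or from any SIP proxy. The class and method names, the LRU eviction policy, and the choice to measure the threshold as the number of DNS lookups in flight are assumptions; the 270-entry cache size is the figure quoted in the review.

```python
from collections import OrderedDict


class DadpGate:
    """Hypothetical non-blocking DNS gate for a SIP proxy (names are assumptions)."""

    def __init__(self, max_pending=3, cache_size=270):
        self.max_pending = max_pending   # assumed threshold: lookups in flight
        self.cache_size = cache_size     # 270 entries, per the review
        self.cache = OrderedDict()       # (name, rtype) -> answer, LRU order (assumed)
        self.pending = set()             # lookups sent to DNS, not yet answered

    def lookup(self, name, rtype="A"):
        """Return (status, answer) immediately; never waits on DNS."""
        key = (name, rtype)
        if key in self.cache:
            self.cache.move_to_end(key)          # refresh LRU position
            return "hit", self.cache[key]
        if key in self.pending:
            return "queued", None                # already being resolved
        if len(self.pending) >= self.max_pending:
            return "rejected", None              # threshold hit: cache-only mode
        self.pending.add(key)                    # caller sends the async DNS query
        return "queued", None

    def complete(self, name, answer, rtype="A"):
        """Record a DNS answer, or a failure/timeout when answer is None."""
        key = (name, rtype)
        self.pending.discard(key)
        if answer is None:
            return                               # failures are not cached here
        self.cache[key] = answer
        self.cache.move_to_end(key)
        while len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)       # evict least recently used


def simulate():
    """Constructed scenario: one known peer, then a burst of unresolvable names."""
    gate = DadpGate(max_pending=3)
    gate.lookup("sip.example.org")
    gate.complete("sip.example.org", "192.0.2.10")
    results = [gate.lookup(f"bogus{i}.invalid") for i in range(5)]
    results.append(gate.lookup("sip.example.org"))   # cached peer still served
    results.append(gate.lookup("new.example.net"))   # uncached: refused for now
    gate.complete("bogus0.invalid", None)            # one lookup times out
    results.append(gate.lookup("new.example.net"))   # below threshold again
    return results
```

While the threshold is exceeded, only names already in the cache are served; once pending lookups drain, new names are resolved again.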

Published In

IPTComm '07: Proceedings of the 1st international conference on Principles, systems and applications of IP telecommunications
July 2007
107 pages
ISBN: 9781605580067
DOI: 10.1145/1326304
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. DNS
  2. DoS
  3. SIP
  4. VoIP
  5. denial-of-service
  6. prevention

Qualifiers

  • Research-article

Conference

IPTComm07
Acceptance Rates

Overall Acceptance Rate 18 of 62 submissions, 29%

Article Metrics

  • Downloads (Last 12 months): 26
  • Downloads (Last 6 weeks): 3
Reflects downloads up to 21 Dec 2024
