A Novel SIP Based Distributed Reflection Denial-of-Service Attack and an Effective Defense Mechanism

• Published in: IEEE access Vol. 8; pp. 112574 - 112584
• Main Authors: Tas, I. Melih, Unsalver, Basak Gencer, Baktir, Selcuk
• Format: Journal Article
• Language: English
• Published: Piscataway IEEE 2020; The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
• Subjects: Anomalies; Computer crime; DDoS; Defense mechanisms; Denial of service attacks; Denial-of-service attack; distributed reflection denial of service attack; DoS; DRDoS; Firewalls; Internet telephony; IP networks; Protocols; reflection attack; Security management; Servers; session initiation protocol; SIP; SIP security; Spoofing; System effectiveness; voice over IP; VoIP; VoIP security
• ISSN: 2169-3536; 2169-3536
• DOI: 10.1109/ACCESS.2020.3001688

We introduce a novel SIP based attack, named as the SR-DRDoS attack, that exploits some less known SIP features by using the IP-spoofing technique, the reflection based attack logic and the DDoS attack logic. Furthermore, we develop a SIP-based DoS/DDoS attack simulator, named Mr. SIP, and use it to implement our SR-DRDoS attack. Our attack is shown to dramatically increase the CPU load of a SIP server from 0% up to 100% in only 4 minutes after the attack is initiated. Since our intelligent attack creates legitimate traffic on the SIP network by using reflection methods, it bypasses black-lists as well as IP, packet-count or session/transaction based rate limiting and automatic message generation detection systems which exist in state-of-the-art security perimeters such as firewalls, intrusion detection/prevention systems and anomaly detection systems. Moreover, we propose a novel defense mechanism that effectively mitigates our proposed DRDoS attack. Our defense mechanism is shown to successfully reduce the CPU load of a SIP server under attack from 71% down to 18% within 3 minutes after it is initiated.