Fast Detection of Denial-of-Service Attacks on IP Telephony - PowerPoint PPT Presentation

About This Presentation

Title: Fast Detection of Denial-of-Service Attacks on IP Telephony

Description: DoS attacks (towards SIP Proxy server or SIP UAs) ... INVITE Flooding (SIP Proxy or SIP UA) RTP Flooding to SIP UA. TCP Protocol Behavior (I) ... – PowerPoint PPT presentation

Slides: 26
Provided by: PRIN177
Transcript and Presenter's Notes

1
Fast Detection of Denial-of-Service Attacks on IP Telephony
Hemant Sengar, Duminda Wijesekera and Sushil Jajodia
Center for Secure Information Systems, George Mason University
and Haining Wang
Department of Computer Science, College of William and Mary
2
Outline
  • IP Telephony and Security Threats
  • Flooding DoS Attacks
  • Observation of Protocol Behaviors
  • Design of vFDS
  • Performance Evaluation
  • Conclusion

3
IP Telephony
  • Marriage of IP with traditional Telephony
  • VoIP uses multiple protocols for call control and data delivery

4
SIP-based IP Telephony
5
Threats
  • Device mis-configuration
  • Improper usage of signaling messages
  • DoS attacks (towards SIP Proxy server or SIP UAs)
  • SIP UA may issue multiple simultaneous requests

VoIP telephony is plagued by known Internet vulnerabilities (e.g., worms, viruses, etc.) as well as threats specific to VoIP.
6
Our Focus
  • Denial-of-Service attacks due to flooding
  • TCP-based SIP entities are prone to SYN flooding attacks
  • At the application layer:
    • INVITE flooding (SIP Proxy or SIP UA)
    • RTP flooding to SIP UA

7
TCP Protocol Behavior (I)
Front Range GigaPoP, November 1, 2005
8
TCP Protocol Behavior (II)
Digital Equipment Corporation, March 8, 1995
9
SIP Protocol Behavior
10
RTP Traffic Behavior
G.711 Codec (50 packets per second)
11
Observations
In spite of traffic diversity, at any instant of time there is strong correlation among protocol attributes
  • In RTP
  • Derived Attributes

Gaps between Attributes remain relatively stable
12
Challenges
Is it possible to compare and quantify the gap between a number of attributes (taken together), observed at two different instants of time?
Determine whether two instants of time are similar (or dissimilar) with respect to the behavior of the protocol attributes
13
Detection Scheme
Hellinger Distance
P and Q (each with N attributes) are two probability measures.
The distance satisfies 0 ≤ d(P, Q) ≤ 1: it is 0 when P = Q, and disjoint P and Q give the maximum distance of 1.
14
Distance Measurement
15
Hellinger Distance of TCP Attributes
P is an array of normalized frequencies over the training data set
Q is an array of normalized frequencies over the testing data set
Distance between P and Q at the end of the (n+1)th time period
16
Hellinger Distance of TCP Attributes
17
Hellinger Distance of SIP Attributes
INVITE, 200 OK, ACK and BYE
18
Hellinger distance of RTP Attributes
19
Detection Threshold Setup
  • Estimation of the threshold distance is an instance of Jacobson's fast algorithm for RTT mean and variation
  • Gives a dynamic threshold

Threshold Hellinger Distance
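The Hellinger-distance scoring and the Jacobson-style dynamic threshold described on the preceding slides, as an added worked example in Python (not code from the paper or from vFDS): P is the normalized frequency vector of the four SIP attributes over training data, each testing window Q is scored by d(P, Q) = sqrt(1/2 Σ (sqrt(p_i) - sqrt(q_i))^2), and the alarm threshold is mean + k·deviation updated with Jacobson's smoothed mean/variation estimator. The gains (1/8, 1/4), the multiplier k = 4, the rule that an alarming window does not retrain the baseline, and all message counts are assumptions constructed for illustration.

```python
import math
from typing import List, Sequence, Tuple

SIP_ATTRIBUTES = ("INVITE", "200 OK", "ACK", "BYE")  # count vectors below follow this order

def normalize(counts: Sequence[int]) -> Tuple[float, ...]:
    """Raw per-window message counts -> probability vector over the attributes."""
    total = sum(counts)
    if total == 0:  # empty window carries no distribution; use uniform rather than divide by zero
        return tuple(1.0 / len(counts) for _ in counts)
    return tuple(c / total for c in counts)

def hellinger_distance(p: Sequence[float], q: Sequence[float]) -> float:
    """d(P,Q) = sqrt(1/2 * sum((sqrt(p_i) - sqrt(q_i))^2)); 0 when P == Q, 1 when disjoint."""
    return math.sqrt(0.5 * sum((math.sqrt(a) - math.sqrt(b)) ** 2 for a, b in zip(p, q)))

class JacobsonThreshold:
    """Dynamic threshold = mean + k * deviation, updated like Jacobson's SRTT/RTTVAR (assumed gains)."""
    def __init__(self, alpha: float = 1 / 8, beta: float = 1 / 4, k: float = 4.0) -> None:
        self.alpha, self.beta, self.k, self.mean, self.dev = alpha, beta, k, None, 0.0

    def update(self, d: float) -> None:
        if self.mean is None:  # first sample seeds the estimator: mean = d, dev = d / 2
            self.mean, self.dev = d, d / 2
            return
        err = d - self.mean
        self.mean += self.alpha * err
        self.dev += self.beta * (abs(err) - self.dev)

    def threshold(self) -> float:
        return math.inf if self.mean is None else self.mean + self.k * self.dev

def detect(training: Sequence[int], windows: List[Sequence[int]]) -> List[Tuple[float, float, bool]]:
    """Score each testing window against the training distribution -> (distance, threshold, alarm)."""
    p, est, results = normalize(training), JacobsonThreshold(), []
    for counts in windows:
        d = hellinger_distance(p, normalize(counts))
        thr = est.threshold()  # inf until the first window has seeded the estimator
        alarm = d > thr
        if not alarm:  # assumption: an alarming window must not retrain the baseline
            est.update(d)
        results.append((d, thr, alarm))
    return results

# Constructed windows (not data from the paper): three normal periods, one INVITE flood, then recovery.
TRAINING = (100, 100, 100, 100)
WINDOWS = [(98, 97, 96, 99), (103, 101, 100, 98), (97, 98, 98, 101),
           (1000, 100, 100, 95), (101, 99, 100, 100)]
```

Calling `detect(TRAINING, WINDOWS)` flags only the fourth window (distance about 0.38 against a threshold near 0.01); the same code applies to the TCP and RTP attribute vectors by changing the count order.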
20
Detection of SYN Flooding Attack
21
Detection of INVITE Flooding
22
Detection of RTP Flooding Attack
23
Detection Accuracy and Time
  • High detection probability (> 80%)
  • Detection time varies between 1-2 observation periods
  • Detection resolution and sensitivity depend upon the value of the observation time period
  • A low value is better, but at the cost of computational resources

24
Conclusion
  • vFDS utilizes Hellinger distance for online
    statistical flooding detection
  • Holistic view of protocol behaviors
  • Simple and efficient
  • High accuracy with short detection time

25
Questions