Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems, George Mason University And Haining Wang Department of Computer Science, College of William and Mary

Outline IP Telephony and Security Threats Flooding DoS Attacks Related Work Observation of Protocol Behaviors Design of vFDS Performance Evaluation Conclusion

IP Telephony Marriage of IP with traditional Telephony VoIP uses multiple protocol for call control and data delivery

SIP-based IP Telephony

Threats Device mis-configuration Improper usage of signaling messages DoS attacks (towards SIP Proxy server or SIP UAs) SIP UA may issue multiple simultaneous requests VoIP telephony is plagued by known Internet Vulnerabilities (e.g., worms, Viruses, DoS attacks etc.) as well as threats specific to VoIP.

Our Focus Denial of Service Attacks due to Flooding TCP-based SIP entities are prone to SYN flooding attack At the application layer :  INVITE Flooding (SIP Proxy or SIP UA)  RTP Flooding to SIP UA

Based on Sequential Change Point Detection Scheme SYN-Dog ALAS (Application Layer Attack Sensor) TLAS (Transport Layer Attack Sensor) Observes the difference between two attributes {SYN, SYN-ACK} or {SYN, FIN} {INVITE, 200 OK} Shortcomings: 1)Does not present a holistic view of protocol behavior 2)RTP stream does not have any attribute pair Previous Work

TCP Protocol Behavior (I) Front Range GigaPoP, November 1, 2005

TCP Protocol Behavior (II) Digital Equipment Corporation, March 8, 1995

SIP Protocol Behavior

RTP Traffic Behavior G.711 Codec (50 packets per second)

Observations In spite of traffic diversity, at any instant of time, there is strong correlation among protocol attributes Gaps between Attributes remain relatively stable In RTP:  Derived Attributes :

Challenges Is it possible to compare and quantify the gap between a number of attributes (taken at a time), observed at two different instants of time ? Determine whether two instants of time are similar (or dissimilar) with respect to protocol attributes behavior

Detection Scheme Hellinger Distance Distance satisfies the inequality of The distance is 0 when P = Q. Disjoint P and Q shows a maximum distance of 1. P and Q (each with N attributes) are two probability measures with and

Distance Measurement :

Hellinger Distance of TCP Attributes P is an array of normalized frequencies over the training data set Q is an array of normalized frequencies over the testing data set Distance between P and Q at the end of (n+1)th time period

Hellinger Distance of TCP Attributes :

Hellinger Distance of SIP Attributes INVITE, 200 OK, ACK and BYE

Hellinger distance of RTP Attributes

Estimation of the threshold distance is an instance of Jacobson’s Fast algorithm for RTT mean and variation Gives a dynamic threshold Detection Threshold Setup Threshold Hellinger Distance

Detection of SYN Flooding Attack

Detection of INVITE Flooding

Detection of RTP Flooding Attack

Detection Accuracy and Time High Detection Probability (> 80%) Varies between 1-2 observation periods Detection resolution and sensitivity depends upon Value of observation time period Low value is better but at the cost of computational resources

Conclusion vFDS utilizes Hellinger distance for online statistical flooding detection Holistic view of protocol behaviors Simple and efficient High accuracy with short detection time

Questions