Detection of DoS Attacks on SIP Systems

1. Introduction

VoIP (Voice over IP) services have gained huge popularity in today’s world due to its robust quality of service and competitive prices as compared to the traditional PSTN. Due to the overwhelming demand and vast applications of VoIP services, attacks on the same should not be considered as a surprise. Denial of Service (DoS) attacks are the most common attacks performed on Session Initiation Protocol (SIP) systems due to any loop holes present in the systems that will be discussed in this report.

SIP is the protocol to provide VoIP services from the service providers to the customers. Generally, DoS attacks target the web servers of service providers and deprive them of bandwidth and flood the system with illegitimate packets which may cause congestion and therefore denial of service to the customers. The other term used frequently is Distributed DoS (DDoS) attacks in which attacks are performed on multiple network hosts thereby increasing the effect of such attacks on a greater magnitude.

2. Security Issues addressed in the paper

    1. Attacks on SIP systems

    2. Proposed detection technique

3. Core ideas of the paper

3.1 DoS Attacks on SIP Systems

Threats exist on SIP systems since SIP provides an open entity to its user via the public Internet due to which they are vulnerable to frequent attacks [1]. Different types of attacks are discussed in the following and the way each one is carried out in order to degrade the system and create threats to the service providers and customers using it.

3.1.1 Legitimate Message Flooding

In this type of an attack, the attacker must be logged in with a legitimate account in the SIP server. The attacker may then continuously send requests at the target (where the attack is intended), which may flood the system and result into congestion. This congestion leads to denial of service to other customers who wish to access the server in order to use the VoIP application via the SIP server [1]. This attack is not carried very frequently because it is very easy to track the attacker’s position by tracing the IP address of the attacker as shown in the records of the database. An example of such an attack is continuous VoIP calls.

3.1.2 Invalid Message Flooding

Flooding may also be caused by sending invalid requests at the target in order to crash or deprive the system of its resources. The attacker is not required to be authenticated by the SIP server to carry out such an attack. Invalid call setup requests is an example of such attacks.

3.1.3 Distributed Reflection DoS (DRDoS)

In DODoS, spoofed requests are sent to multiple computers and the source address IP address will be directed to the targeted victim’s computer, by which all the responses will be received by the targeted victim/host. The receiving nodes or springboard nodes would correspondingly respond to the target host if false requests are sent to multiple SIP network nodes on the Internet [1]. If these invalid requests are ignored by the target host, then the springboard/receiving nodes will retransmit the packets, thereby increasing the traffic numerously at the target’s end which may also result in the interruption of services [1].

3.1.4 Malformed Messages

Not all systems may be perfect. Any flaws or loop holes within the SIP systems would result in the opportunity of DoS attacks on them that may target certain implementations or products [1]. This type of attack can be prevented by solving the matters vulnerable to the systems by software upgrades or implementations once they are notified or observed in the system [1].

3.1.5 Spoofed Messages

Spoofed messages may be sent to the customers that may totally give an opposite understanding from the actual message by hijacking into the media session when two or more customers or participants are under conversation [1]. For example, sending a spoofed “Goodbye” message to any one of the participants under an active call by hijacking into the session creates an opposite impression and the call may be interrupted by the other participant in the same conversation.

3.2 Proposed Detection Technique

3.2.1 SIP Transaction layer

The technique proposed in the paper [1], utilizes the SIP Transaction layer for detecting DoS attacks on the system. The SIP transaction layer lies between the transport layer and application layer. It is responsible for acknowledgements and retransmission of messages [1]. Two types of transactions take place in the SIP transaction layer, namely, Client Transaction (CT) and Server Transaction (ST). CT is created from the sender’s end (a caller sending a request) and ST is created at the receiver’s end (a callee receiving a request) [1]. Each of the mentioned transactions are handled in two ways, i.e., Invite or Non- invite, depending upon the method of request.

3.2.2 Detecting Transaction Anomalies

A Finite State Machine (FSM) is prepared to explain the proposed detection technique.

Fig. 1 shows the detection logic using the FSM technique to detect DoS attacks on the SIP servers. When a SIP message arrives, a check must be made whether it belongs to the existing session or not. If the SIP message or packet arrived is new, then a new entry is created in the table which is stored in the database provided it contains a request. If the SIP message belongs to an existing session, then the table is updated and checked for any errors. If an error occurs such that a packet with an unknown session ID is received, then the internal error counter is incremented and recorded into the system.

All the incoming and outgoing packets must be monitored constantly. Both the incoming and outgoing messages are always considered as different inputs even if the contents in both messages are identical. A timer is also set accordingly during this process. In case of any error or an unexpected message, the counter is incremented. The FSM also consists of a terminated stage, when reached, the entry of the message in the table is destroyed [1].

This overall process allows detecting the anomalies and speculating protocol errors that are present inside the SIP transaction [1].

Another detection technique is proposed considering the threshold parameters, namely, upper bounds on number of allowed transactions per second, SIP application error per second, transactions per node, packet rate per transaction (in pps). If the threshold values for each or any of the mentioned attributes are met, then an alarm is raised thereby notifying about DoS attacks.

4. Potential Applications

Ø Service Providers for VoIP services. For example, Google (Google talk), Skype, VoIP raider etc.

Ø Department of Defense to prevent any leaks due to attacks.

5. Conclusion

DoS attacks were detected by counting the number of anomalies or occurrences in the proposed detection methods. Also different types of attacks or threats to the SIP systems gave a broad perspective about the safety measures to be taken to avoid such DoS attacks. It is important for the service providers to take these points into consideration in order to provide efficient services to their customers so as to gain more popularity and business.


Ø Legitimate Message Flooding, Invalid Message Flooding, Distributed Reflection DoS (DRDoS), Malformed Messages and Spoofed Messages are different types of DoS attacks performed on SIP systems.

Ø The proposed detection techniques detect the DoS attacks by counting the number of anomalies or occurrences and observing the threshold parameters.

Ø All the incoming and outgoing packets must be monitored closely and distinctly, such that incoming and outgoing messages having same information must be counted differently.


[1] “Detecting DoS attacks on SIP systems”, Chen, E.Y.;

VoIP Management and Security, 2006. 1st IEEE Workshop on

Digital Object Identifier: 10.1109/VOIPMS.2006.1638123

Publication Year: 2006