Title: A novel design of a VoIP firewall proxy to mitigate SIP-based flooding attacks

Authors: Isaac Lee, Ray Hunt

Addresses: Department of Computer Science and Software Engineering, University of Canterbury, New Zealand; Department of Computer Science and Software Engineering, University of Canterbury, New Zealand

Abstract: This paper proposes a novel method to address the protection necessary to mitigate flooding attacks in VoIP networks which can produce rapid saturation of a firewall and crippling of a VoIP switch. The paper proposes a stateless firewall nonce checking mechanism as an extension to the existing (stateful) SIP digest authentication. This combination aims to form a more secure and flood-resistant authentication scheme for SIP-based VoIP systems. The proposed mechanism has been implemented on a Linux iptables firewall and the experimental results demonstrate proof-of-concept showing that by incorporating this mechanism it is possible to provide substantially improved SIP-based flooding mitigation.

Keywords: SIP; VoIP flooding attacks; Linux iptables; stateful connections; stateless connections; digest authentication; VoIP firewall proxy; internet protocol; session initiation protocol; voice over IP; VoIP networks; security threats.

DOI: 10.1504/IJIPT.2008.020470

International Journal of Internet Protocol Technology, 2008 Vol.3 No.2, pp.128 - 135

Published online: 27 Sep 2008
