Title: A novel design of a VoIP firewall proxy to mitigate SIP-based flooding attacks
Authors: Isaac Lee, Ray Hunt
Addresses: Department of Computer Science and Software Engineering, University of Canterbury, New Zealand; Department of Computer Science and Software Engineering, University of Canterbury, New Zealand
Abstract: This paper proposes a novel method for mitigating flooding attacks in VoIP networks, which can rapidly saturate a firewall and cripple a VoIP switch. The paper proposes a stateless firewall nonce checking mechanism as an extension to the existing (stateful) SIP digest authentication. This combination aims to form a more secure and flood-resistant authentication scheme for SIP-based VoIP systems. The proposed mechanism has been implemented on a Linux iptables firewall, and the experimental results provide a proof of concept, showing that incorporating this mechanism can substantially improve SIP-based flooding mitigation.
Keywords: SIP; VoIP flooding attacks; Linux iptables; stateful connections; stateless connections; digest authentication; VoIP firewall proxy; internet protocol; session initiation protocol; voice over IP; VoIP networks; security threats.
DOI: 10.1504/IJIPT.2008.020470
International Journal of Internet Protocol Technology, 2008 Vol.3 No.2, pp.128 - 135
Published online: 27 Sep 2008