A Novel SIP Based Distributed Reflection Denial-of-Service Attack and an Effective Defense Mechanism

Abstract

We introduce a novel SIP-based attack, named the SR-DRDoS attack, that exploits some lesser-known SIP features by using the IP-spoofing technique, the reflection-based attack logic and the DDoS attack logic. Furthermore, we develop a SIP-based DoS/DDoS attack simulator, named Mr. SIP, and use it to implement our SR-DRDoS attack. Our attack is shown to dramatically increase the CPU load of a SIP server from 0% up to 100% in only 4 minutes after the attack is initiated. Since our intelligent attack creates legitimate traffic on the SIP network by using reflection methods, it bypasses black-lists as well as IP, packet-count or session/transaction-based rate limiting and automatic message generation detection systems which exist in state-of-the-art security perimeters such as firewalls, intrusion detection/prevention systems and anomaly detection systems. Moreover, we propose a novel defense mechanism that effectively mitigates our proposed DRDoS attack. Our defense mechanism is shown to successfully reduce the CPU load of a SIP server under attack from 71% down to 18% within 3 minutes after it is initiated.

Melih Tas, I., Unsalver, B. G., & Baktir, S. (2020). A Novel SIP Based Distributed Reflection Denial-of-Service Attack and an Effective Defense Mechanism. IEEE Access, 8, 112574–112584. https://doi.org/10.1109/ACCESS.2020.3001688
