Detecting Denial of Service Message Flooding Attacks in SIP based Services

Document Type: Research Article


1 Zoha Asgharian graduated from the computer engineering school of Iran University of Science and Technology, Tehran, Iran.

2 Corresponding Author, Hassan Asgharian is a PhD student in the computer engineering school of Iran University of Science and Technology, Tehran, Iran.

3 Ahmad Akbari is an associate professor in the computer engineering school of Iran University of Science and Technology, Tehran, Iran.

4 Bijan Raahemi is with University of Ottawa, Canada.


The increasing popularity of SIP-based services (VoIP, IPTV, IMS infrastructure) has led to concerns about their security. The Session Initiation Protocol (SIP) is the main signaling protocol of next generation networks and VoIP systems. Inherent vulnerabilities of SIP, misconfiguration of its related components, and implementation deficiencies cause security concerns in SIP-based infrastructures. New attacks have been developed that directly target the underlying SIP protocol in these setups. To detect such attacks, we combined anomaly-based and specification-based intrusion detection techniques. Our proposed solution takes advantage of the SIP state machine concept (according to RFC 3261). We also built and configured a real test-bed for SIP-based services to generate normal and assumed attack traffic. We validated and evaluated our intrusion detection system with the traffic dump of this real test-bed, and we also used another specific available dataset for a more comprehensive evaluation. The experimental results show that our approach is effective in classifying normal and anomalous traffic in different situations. Receiver Operating Characteristic (ROC) analysis is applied to the final extracted results to select the working point of our system (that is, to set the related thresholds).


[1]     J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, and E. Schooler. “Session Initiation Protocol”, 2002. RFC 3261.
[2]     A. Ahson, M. Ilyas. “SIP Handbook”, Taylor & Francis Group, 2009.
[3]     S. Ehlert, D. Geneiatakis, T. Magedanz. “Survey of network security systems to counter SIP-based denial-of-service attacks”, Elsevier, 2009.
[4]     D. Sisalem, J. Floroiu, J. Kuthan, U. Abend, H. Schulzrinne. “SIP Security”, John Wiley and Sons, 2009.
[5]     C. EY. “Detecting DoS attacks on SIP systems”, 1st IEEE workshop on VoIP management and security, 2006.
[6]     S. Ehlert, C. Wang, T. Magedanz, D. Sisalem. “Specification-based denial-of-service detection for SIP Voice-over-IP networks”, Third international conference on internet monitoring and protection, 2008.
[7]     W. YS, S. Bagchi, S. Garg, N. Singh, T. Tsai. “SCIDIVE: a stateful and cross protocol intrusion detection architecture for Voice-over-IP environments”, International conference on dependable systems and networks, 2004.
[8]     A. Lahmadi, O. Festor. “SecSip: A Stateful Firewall for SIP-based Networks”, 11th IFIP/IEEE International Symposium on Integrated Network Management, 2009.
[9]     J. Fiedler, T. Kupka, S. Ehlert, T. Magedanz, D. Sisalem. “VoIP Defender: Highly scalable SIP-based security architecture”, Proceeding of International Conference on Principles, Systems and Applications of IP Telecommunications, pp. 11–17, 2007.
[10]   H. Zhang, Z. Gu, C. Liu, T. Jie. “Detecting VoIP-specific Denial-of-Service Using Change-Point Method”, 11th International Conference on Advanced Communication Technology, pp. 1059-1064, 2009.
[11]   D. Geneiatakis, N. Vrakas, C. Lambrinoudakis. “Utilizing bloom filters for detecting flooding attacks against SIP based services”, Elsevier Journal of Computers & Security, pp. 578–591, 2009.
[12]   M. Ali Akbar, Z. Tariq, M. Farooq, “A Comparative Study of Anomaly Detection Algorithms for Detection of SIP Flooding in IMS”, 2nd International Conference on Internet Multimedia Services Architecture and Applications, pp. 1-6, 2008.
[13]   A. Karim Ganame, J. Bourgeois, R. Bidou, F. Spies, “A Global Security Architecture for Intrusion Detection on Computer Networks”, IEEE International Symposium on Parallel and Distributed Processing, pp. 1-8, 2007.
[14]   R. Sekar et al. “Specification-based anomaly detection: a new approach for detecting network intrusions”, in Proceedings of the 9th ACM conference on Computer and communications security, pp. 265-274, 2002.
[17]   Iran University of Science and Technology, Research Center of Information Technology, Network Research Group, SIP security page:
[18]   Z. Asgharian, H. Asgharian, A. Akbari, B. Raahemi, "A framework for SIP intrusion detection and response systems," International Symposium on Computer Networks and Distributed Systems, pp.100-105, 2011.
[19]   Z. Asgharian, H. Asgharian, A. Akbari, B. Raahemi, “Detecting Denial of Service Attacks on SIP Based Services and Proposing Solutions.” In Kabiri, P. (Ed.), Privacy, Intrusion Detection and Response: Technologies for Protecting Networks. (pp. 145-167). doi:10.4018/978-1-60960-836-1.ch006
[20]   OPENSIPS, open source SIP proxy,
[21]   M. Nassar, R. State, O. Festor, “Labeled VoIP data-set for intrusion detection evaluation”, Proceedings of the 16th EUNICE/IFIP WG 6.6 conference on Networked services and applications: engineering, control and management, pp. 97-106, 2010.
[22]   M. Nassar, R. State, O. Festor, “Monitoring SIP Traffic Using Support Vector Machines”, Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection, pp. 311-330, 2008.
[23]   S. Ehlert, G. Zhang, D. Geneiatakis, G. Kambourakis, T. Dagiuklas, J. Markl, D. Sisalem, “Two Layer Denial of Service Prevention on SIP VoIP Infrastructures”, Computer Communications, pp. 2443–2456, 2008.
[24]   Angelos D. Keromytis, “Voice over IP Security”, Springer, DOI 10.1007/978-1-4419-9866-8, 2011.
[25]   G. Ormazabal, S. Nagpal, E. Yardeni, H. Schulzrinne, “Secure SIP: A Scalable Prevention Mechanism for DoS Attacks on SIP Based VoIP Systems”, Proceedings of the 2nd International Conference on Principles, Systems and Applications of IP Telecommunications, pp. 107–132, 2008.