SIP 프락시 서버에서 전화벨 기반 서비스 거부 공격을 탐지하는 방법

Abstract

VoIP technology is continuing to emerge as a feasible option to replace traditional telephone systems that use the PSTN (Public Switched Telephone Network). In the future, when All-IP networks are deployed in a large scale, VoIP will eventually substitute the classical PSTN. In comparison to PSTN-based systems, VoIP allows packet-switched data networks to be utilized for telephony and is more easily integrated with Internet-based services, such as e-mail or Web browsing. While VoIP promises both low cost and a variety of advanced services, it may entail security vulnerabilities. Unlike PSTN, intelligence is placed at the edge and the security measures are not incorporated into the network. Among many security threats, we will focus on the Denial-of-Service (DoS) attack. Being a real-time service, VoIP is more susceptible to DoS attacks than regular Internet services, which pose serious threats to IP telephony infrastructures. They deteriorate the perceived QoS and even cripple down the devices in the path from caller to callee. Since VoIP continues to play a larger role in our global telecommunications, protecting infrastructures of VoIP from disruptive DoS attacks will be critically important to people’s everyday lives. Especially, in VoIP deployments that use SIP for call signaling, ensuring the availability of main components such as SIP proxy servers under attack should be a high priority. In this paper, we propose a detection method of the VoIP-specific DoS attack which exploits the semantics of the SIP. This attack is named the ringing-based DoS attack and performed by users who do not pick up incoming calls for an unusually long amount of time to exhaust resource at a SIP stateful proxy server. A noticeable feature of this attack is that it does not result in high incoming call traffic rates, unlike common flooding-based DoS attacks. Consequently, the ringing-based DoS attack could not be detected using previous solutions designed for flooding-based DoS attacks. To detect this attack, first we model the normal traffic of legitimate users with the gamma distribution on the assumption that the distribution of ringing time does not change rapidly. To quantify the discrepancy between the modeled normal traffic and the attack traffic, we use Pearson’s chi-square statistic. Simulation results show that the proposed detection system can detect the ringing-based DoS attacks.