Detection of DDoS Attack in SIP Environment with Non-parametric CUSUM Sensor

Luigi Alcuri, University of Palermo, Department of Electrical, Electronic and Telecommunication Engineering, [email protected]

Pietro Cassarà, University of Palermo, Department of Electrical, Electronic and Telecommunication Engineering, [email protected]

Abstract

Modern all-IP networks, which carry telephony, multimedia and data, use the Session Initiation Protocol (SIP) as their main signalling protocol. These networks are exposed to various types of attacks; among them, a DDoS attack can be particularly dangerous because it can be directed against the SIP signalling system. A SIP system cannot be entirely protected against an attack of this type in advance: a shield can be put in place only after the attack has been detected. Hence, it is important to implement a fast and reliable method for detecting such an attack.

In this paper, we propose a new method for detecting flood-based DDoS attacks during a SIP session. The method is based on non-parametric CUSUM theory and uses a sensor that analyzes the inter-arrival times of incoming flows together with a packet analyzer, which extracts the relevant data from the received SIP messages. In particular, we assume that the flow of SIP requests is Poisson distributed.

1. Introduction

Telecommunication networks have always been exposed to various types of attacks, but nowadays, due to the IP-based open architecture of modern networks, these attacks have become more frequent and more dangerous. Distributed Denial of Service (DDoS) attacks [7, 9], which are an evolution of Denial of Service (DoS) attacks, are a particular type of attack that hampers the regular operation of a service, a host or a network. A DoS attack uses a single machine as the source of fake messages; it cannot be really dangerous, because the amount of traffic produced by a single host is naturally limited, and it is easily detected from its source address. DDoS attacks, by contrast, involve a large number of hosts, organized in a so-called botnet, which are used to strike a target.

These attacks may be directed at the application layer, transport layer and/or network layer of a target service.

In this paper, we deal with attacks aimed at the application/session layer, particularly at the SIP signalling structure. These attacks are the most dangerous because blocking the signalling structure inhibits regular operation.

The SIP signalling system [1] includes, in addition to the protocol that defines the messages needed to manage a session, some network components [3] such as User Agents, Proxy Servers and Registrar Servers. These components are subject to various external attacks, which in some cases, because of the way the components must behave, are difficult to prevent. For this reason, the threat of DDoS attacks is still present today. Moreover, almost all present networks are interconnected, which allows malicious users to strike a target from any location.

As a result, despite the evolution of Intrusion Detection Systems, Network Address Translators, Firewalls and so on, today's telecommunication networks are subject to various types of malicious attacks, and efficient defence mechanisms are necessary.

This paper, after an analysis of the SIP architecture and messages that highlights their weaknesses and supports an appropriate defence strategy, presents a methodology based on a non-parametric cumulative sum (CUSUM) technique that detects a DDoS attack as a change in the stochastic process of the traffic. Once such a detector is in place, the system can control and block, in an almost selective manner, the SIP flows responsible for the attack.

2. The SIP protocol

SIP (Session Initiation Protocol) is a signalling protocol that establishes a connection among two or more users. SIP is able to open a session, to manage it and to close it.

The main components of the SIP architecture are the SIP User Agents (UAs), SIP Proxies and SIP Redirect Servers. UAs, which open, accept and close a connection, can be software or a combination of hardware and software, and are composed of two parts: Client and Server. When a User Agent sends a message, it acts as a Client (UAC), whereas when it receives a message it acts as a Server (UAS).

SIP Proxies are the components that forward SIP messages towards their final destination, and Redirect Servers are the components that provide the address of a remote user.


All operations are managed by the SIP signalling system through messages, which are of two types: requests and responses. A request contains a field, named the request line, which indicates the method (the purpose) of the request: INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER, and so on. A response contains a field named the status line, which indicates its class: Informational, Success, Redirection, Client error, Server error, Global failure. Both requests and responses include two types of lines: header lines and body lines. The header lines provide information about the request or response and about the body they contain. The body is an optional field that can carry the session information, for example the type of session, the audio codec, the video codec and others. All this information is encoded with SDP (Session Description Protocol) [2].

Figures 1.1 and 1.2 show examples of SIP messages.

Fig. 1.1 – SIP request message

Fig. 1.2 – SIP response message

SIP is a text-based transactional protocol that uses a Client-Server paradigm similar to that of HTTP: when the caller User Agent sends an INVITE to the callee, the callee sends back a confirmation response (200/OK). The caller User Agent then sends back a message carrying the method ACK.

Figure 1.3 shows the transaction diagram of the SIP messages described above.

2.1 Time characterization

When a User Agent Client sends an INVITE, which is always the first leg of a communication session, it starts a time counter (Client TIME-OUT); before this counter expires, the User Agent Server must send a 200/OK response, otherwise the INVITE is sent again and the timer is restarted, or the communication is closed. When the User Agent Server sends a 200/OK, it starts a time counter (Server TIME-OUT); before this counter expires, the User Agent Client must send an ACK back, otherwise the 200/OK is sent again and the timer is restarted, or the communication is closed [1, 3]. If the ACK is sent successfully, the communication session can start; otherwise, the network resources are released.

2.2 SIP headers Route, Record-Route and Via

For the problem discussed in this paper, it is useful to look at the function of the headers Route, Record-Route and Via [1, 3].

When a user wants to send a message along a prearranged path, it must insert the SIP addresses of the proxy servers it wants to cross into the header Route. The addresses have to be listed in the same order in which the message will cross the proxies.

Fig. 1.3 – Example of SIP transaction

When a proxy server receives a SIP message, it reads the header Route and forwards the message to the next address in the route list.

The header Record-Route is used when a proxy wants to remain in the path crossed by the messages of a SIP session. When a User Agent Client sends a request, the proxy that receives it writes its own address into the header Record-Route; when the request reaches the User Agent Server, the latter can copy the list of proxies into the header Route, so that the responses it sends cross the same proxies crossed by the request.

The header Via is used to store the addresses of the SIP proxies that handle the SIP messages.

When a SIP request is sent from a User Agent Client to a User Agent Server, all the proxies that handle the request write their own addresses into the header Via. When the User Agent Server receives the request, it uses this information to send the response back in the opposite direction.

Figures 2.1, 2.2 and 2.3 show the use of the headers Via, Route and Record-Route.


3. DDoS in SIP environment

A DDoS attack is a development of the DoS attack. In a DDoS attack, many computers (so-called zombies) are organized in a hierarchical structure (a so-called botnet) in which the attacker does not interact with them directly, but manages a group of zombies through an intermediate host called a handler. In this way, the attacker drives the zombies to generate an attack flow directed towards the target without exposing itself. If the number of zombies is sufficiently large, and the target spends a certain amount of time on each request, the target becomes congested and goes down.

Figure 3.1 shows the architecture of a DDoS attack.

Fig. 2.1 – Example of Via header utilization

Fig. 2.2 – Example of Route header utilization

Fig. 2.3 – Example of Record-Route header utilization

Typically, to carry out an attack, the attacker sends a very large number of INVITEs to the target within a short interval. These INVITEs must carry a suitable content in one of the three headers Route, Record-Route or Via.

If the attacker uses the header Route [1], he generates a very large flow using the computers under his control and inserts the target address into the header Route of the messages that make up the flow, so that all the messages of the flow reach the target.

If the attacker uses the header Record-Route [1], he inserts the target address into this header, so the flow goes through the target in the direction opposite to that followed by the flow generated with the header Route.

If the attacker uses the header Via [1], he inserts the target address into this header, so all the SIP requests involved in the SIP session go through the target.

A very important point is that, by design, SIP proxies have to accept incoming invitations without any prior session setup. For this reason SIP proxies cannot refuse invitations, which have to be blocked by another element. In any case, the attacker sends the target, within a short time, a very large number of INVITEs that the target has to process, because without inspecting them it cannot identify the malicious packets. Therefore, the target goes down because its resources are exhausted in the attempt to accept all the connection requests.

Fig. 3.1 – Architecture of a DDoS attack

The time interval between two successive INVITEs must be shorter than the TIME-OUT, because after the proxy receives an INVITE it replies with a 200/OK response and waits a time interval equal to the TIME-OUT for an ACK. If the proxy does not receive any response within this time, it releases the resources and is ready to accept a new connection request.

4. Control of INVITE flow as prevention of an attack

Following the previous reasoning, we can design a method for the prevention of DDoS attacks based on monitoring the INVITE flow. Specifically, the method we present uses the header Via of the INVITE, which is always present in a SIP message, to trace a host that sends a malicious INVITE flow.

The steps of the method are:

a. The system creates a table of addresses to control, whose entries contain the IP address and the series of time intervals between two successive arrivals.


b. For every INVITE that arrives, we extract the last but one address in the header Via. In this way, we monitor the INVITE flow that arrives from the access proxy of a host. If instead we extract the last address in the header Via, we monitor the INVITE flow that arrives from the final host. Which address to monitor depends on the amount of memory available: the number of addresses to be monitored is greater in the first case than in the second one, because the number of final hosts is greater than that of access proxies. It is also possible to monitor the INVITE flow coming from one domain, in which case we extract the header From, which is also always present.

c. If no entry for the new address is present in the table of addresses to control, it is created at the first arrival. Otherwise, if the address is already present, the new time interval between the two arrivals is added to its entry. This interval is obtained by reading the system clock and computing the difference between the two instants of time. Table 4.1 shows an example of the table that stores the inter-arrival times.

Table 4.1 – Inter-arrival timer table

d. When an adequate number of inter-arrival times has been stored, we compute, for every controlled address, the mean time between two arrivals.

e. The mean time between two arrivals is compared with the TIME-OUT value of the system. This operation is performed by a threshold sensor for all the stored addresses. If one of the addresses has a mean time greater than the TIME-OUT, the event is signalled.

We recall that all these operations have to be executed in a time shorter than the TIME-OUT; otherwise, an attacker has the opportunity to knock down the system.

5. Calculation of the mean time

In section 4, at point d of the list, we wrote that, once an adequate number of time intervals between two arrivals has been stored, it is possible to calculate the mean time between two arrivals. In this section, we explain how to calculate this mean value and its confidence interval as a function of the number of measurements.

5.1 Interval prediction of a random variable

Suppose that x is a random variable (RV) with a known distribution. If we want to estimate x [4, 6] we can use the Mean Square Error (MSE) method, which minimizes the quantity:

$$E\{(x - c)^2\} \tag{1}$$

where c is the estimate.

The estimate c falls within an interval of values, which can be calculated as follows:

$$P\{c_1 < x < c_2\} = \gamma = 1 - \delta \tag{2}$$

where γ is a given constant called the confidence coefficient. In this way, the estimate is correct in 100·γ percent of the cases. Typical values of γ are 0.9, 0.95 or 0.99; as γ approaches 1 the interval (c1, c2) widens and the estimate worsens.

When we estimate x we have to calculate the prediction interval to get an idea of the error of the estimate.

If the density of x has a single maximum, c2 − c1 is minimum when the density at c1 equals the density at c2. This is the case for a Poisson variable; in fact, if x is Poisson distributed, its density is:

$$f(t) = \lambda e^{-\lambda t} \tag{3}$$

because

$$P_k(t) = \frac{(\lambda t)^k}{k!}\,e^{-\lambda t} \tag{4}$$

is the probability that there are k arrivals in Δt. If the number of arrivals per second is λ, the probability of zero arrivals in Δt is:

$$P_0(t) = e^{-\lambda t} \tag{5}$$

Then the probability of one arrival in Δt is:

$$P_1(t) = \lambda t\,e^{-\lambda t} \tag{6}$$

If the probability density function is symmetrical about its mean value, a solution of (2) is:

$$P\{x < c_1\} = \frac{\delta}{2}; \qquad P\{x > c_2\} = \frac{\delta}{2} \tag{7}$$

(in the other cases it is a suboptimal solution), with $c_1 = x_{\delta/2}$ and $c_2 = x_{1-\delta/2}$, where $x_u$ is the u-percentile of x.

From estimation theory, we can write:

$$P\left\{\mu - z_{1-\delta/2}\,\frac{\sigma}{\sqrt{n}} < \bar{x} < \mu + z_{1-\delta/2}\,\frac{\sigma}{\sqrt{n}}\right\} = 1 - \delta = \gamma = 2u - 1 \tag{8}$$

where μ is the mean value, σ is the variance, n is the number of measurements used to estimate x, and x̄ is the estimate. The values of u and z_u are given in Table 5.1.


u     0.90    0.925   0.95    0.975   0.999
z_u   1.282   1.440   1.645   1.967   3.090

Table 5.1 – Values of u and z_u

5.2 Estimate of the mean value

From the literature it is well known that in the present case the arrival process is of Poisson type [11, 12, 13]. Therefore, we can apply the results of section 5.1. In our case, we want to estimate the mean value of the inter-arrival time [4, 6]. Under the Poisson hypothesis, $\mu = \sigma = \lambda$, and the p.d.f. is an exponential function.

If all the samples are identically distributed and independent of each other, by the law of large numbers the average of the samples tends to the mean value of the distribution of the process.

The mean value is then calculated as:

$$\bar{x} = \frac{1}{n}\sum_{i=1}^{n}\left(T_{i+1} - T_i\right) \tag{9}$$

where $T_i$ is the i-th instant of arrival, and its prediction interval is:

$$P\left\{\frac{\bar{x}}{1 + \frac{z_u}{\sqrt{n}}} < \mu < \frac{\bar{x}}{1 - \frac{z_u}{\sqrt{n}}}\right\} = \gamma \tag{10}$$

From (9), (10) and the TIME-OUT of the system we can choose n.
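As an added example (not code from the paper), the following Python sketch implements steps a to e of section 4 together with the estimate (9) and the prediction interval (10): it extracts the monitored address from the Via headers of constructed INVITE requests, keeps the inter-arrival table, and flags addresses whose mean inter-arrival time falls below the TIME-OUT, the condition sections 3 and 7 describe. The message contents, arrival times, sample sizes and the 32 s TIME-OUT are assumptions of the example.

```python
import re
from math import sqrt

# Matches a Via header line (long or compact form) and captures the sent-by host, i.e. the
# address before the first ";" parameter. Via lines are topmost-first, so the last entry is
# the originating host and the last but one is its access proxy.
VIA_RE = re.compile(r"^(?:Via|v):\s*SIP/2\.0/\w+\s+([^;\s]+)", re.IGNORECASE | re.MULTILINE)


def invite(proxy, host):
    """Constructed INVITE whose Via list shows the originating host behind one access proxy."""
    return ("INVITE sip:bob@example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {proxy};branch=z9hG4bKa\r\n"
            f"Via: SIP/2.0/UDP {host};branch=z9hG4bKb\r\n"
            "From: <sip:alice@a.example>;tag=1\r\n\r\n")


def monitored_address(msg, level="proxy"):
    """Step b: the last-but-one Via address (access proxy) or the last one (final host)."""
    vias = VIA_RE.findall(msg)
    if not vias:
        return None
    if level == "host" or len(vias) == 1:
        return vias[-1]
    return vias[-2]


class InterArrivalTable:
    """Steps a and c: one entry per address holding its list of inter-arrival times."""

    def __init__(self):
        self.last_seen = {}
        self.gaps = {}

    def record(self, addr, t):
        if addr in self.last_seen:
            self.gaps[addr].append(t - self.last_seen[addr])
        else:
            self.gaps[addr] = []
        self.last_seen[addr] = t


def mean_and_interval(gaps, z_u):
    """Eq. (9) sample mean and the eq. (10) prediction interval for the true mean."""
    n = len(gaps)
    xbar = sum(gaps) / n
    if z_u / sqrt(n) >= 1.0:
        raise ValueError("too few samples for this confidence level")
    return xbar, xbar / (1 + z_u / sqrt(n)), xbar / (1 - z_u / sqrt(n))


def flag_addresses(table, timeout, min_samples, z_u=1.645):
    """Steps d and e: addresses whose mean inter-arrival time is below TIME-OUT."""
    flagged = {}
    for addr, gaps in table.gaps.items():
        if len(gaps) < min_samples:
            continue
        xbar, lo, hi = mean_and_interval(gaps, z_u)
        if xbar < timeout:
            flagged[addr] = (xbar, lo, hi)
    return flagged


def build_arrivals():
    """Constructed traffic: one host calling once a minute through proxy.a.example, and
    three zombies behind proxy.x.example that together send an INVITE every 0.5 s."""
    arrivals = [(60.0 * i, invite("proxy.a.example", "host1.a.example")) for i in range(4)]
    arrivals += [(0.5 * i, invite("proxy.x.example", f"z{i % 3}.x.example")) for i in range(10)]
    return sorted(arrivals, key=lambda a: a[0])


def run(level="proxy", timeout=32.0, min_samples=4):
    """Feed the constructed arrivals through the table and return the flagged addresses.
    The 32 s TIME-OUT is an assumption (RFC 3261 Timer B = 64*T1 with T1 = 500 ms)."""
    table = InterArrivalTable()
    for t, msg in build_arrivals():
        table.record(monitored_address(msg, level), t)
    return flag_addresses(table, timeout, min_samples)
```

`run("proxy")` flags the flooding access proxy, while `run("host")` flags nothing because each zombie alone sends only every 1.5 s and has too few samples, which illustrates why the choice of Via address in step b matters.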

6. The threshold sensor

The threshold sensor presented here has been built using CUSUM theory, which we briefly recall in this section.

Change Detection theory [5] is based on the logarithm of the likelihood ratio:

$$s_i = \log\frac{p_{\theta_1}(y_i)}{p_{\theta_0}(y_i)} \tag{11}$$

where $p_{\theta_1}(y)$ and $p_{\theta_0}(y)$ are the probability densities, for the parameter θ, after and before the change respectively, and $y_i$ is an i.i.d. random sequence.

If we denote by $E_{\theta_0}(s)$ and $E_{\theta_1}(s)$ the expected values of the random sequence, with the condition that $E_{\theta_0}(s) < 0$ and $E_{\theta_1}(s) > 0$, then a change in the parameter of the random sequence y corresponds to a change in the sign of the mean value of the log-likelihood ratio. Moreover, with

$$S_j^k = \sum_{i=j}^{k} s_i \tag{12}$$

we indicate the log-likelihood ratio for the observations from $y_j$ to $y_k$.

A typical decision rule is

$$g_k = S_1^k - m_k \geq h \tag{13}$$

where h is the threshold and

$$m_k = \min_{1 \leq j \leq k} S_1^j \tag{14}$$

The behaviour of $g_k$ is shown in Fig. 6.1.

If we regard the CUSUM algorithm as a repeated Sequential Probability Ratio Test (SPRT), the decision rule takes the form

$$g_k = \begin{cases} g_{k-1} + \ln\dfrac{p_{\theta_1}(y_k)}{p_{\theta_0}(y_k)} & \text{if } g_{k-1} + \ln\dfrac{p_{\theta_1}(y_k)}{p_{\theta_0}(y_k)} > 0 \\[2ex] 0 & \text{if } g_{k-1} + \ln\dfrac{p_{\theta_1}(y_k)}{p_{\theta_0}(y_k)} < 0 \end{cases} \tag{15}$$

where $g_0 = 0$.

The above equation can be written as

$$g_k = \left(g_{k-1} + s_k\right)^+ \tag{16}$$

where $(x)^+ = \sup(0, x)$; this equation provides a recursive form of equation (13).

Fig. 6.1 – Behaviour of function gk

We have assumed that the time interval between two arrivals is exponentially distributed, so equation (16) can be written as:

$$g_k = \left[g_{k-1} + y_k\,(\mu_0 - \mu_1) + \ln\frac{\mu_1}{\mu_0}\right]^+ \tag{17}$$

In equation (17), $\mu_0$ and $\mu_1$ are the mean values of the arrival process before and after the change respectively. The value $\mu_1$ cannot be known beforehand, so we approximate it with

$$\mu_1 = \alpha\,\bar{\mu}_n \tag{18}$$

where α is the amplitude percentage, which corresponds to the most probable percentage of increase of the mean rate after a change, and $\bar{\mu}_n$ is the average, updated using the Exponential Weighted Moving Average (EWMA) method [8].

As is known, with this method the mean is expressed as:

$$\bar{x}_k = \frac{1}{n}\sum_{i=k-n+1}^{k} x_i \tag{19}$$

then

$$\bar{x}_{k+1} = \frac{1}{n+1}\sum_{i=k-n+1}^{k+1} x_i = \frac{1}{n+1}\left[\sum_{i=k-n+1}^{k} x_i + x_{k+1}\right] \tag{20}$$

If we combine equation (20) with equation (19) and shift the index k back by one, we obtain:

$$\bar{x}_k = \frac{1}{n+1}\,x_k + \frac{n}{n+1}\,\bar{x}_{k-1} = \alpha\,x_k + (1 - \alpha)\,\bar{x}_{k-1} \tag{21}$$

This equation is known as the EWMA filter.

For the assessment of performance we also consider the following parameters: False Alarm Probability, Mean Time between False Alarms and Mean Detection Delay.

The parameters False Alarm Probability and Mean Time between False Alarms describe the alarm process. Using Wald's approximation we can write:

$$\Pr\{\text{False alarm}\} = e^{-h} \tag{22}$$

$$\text{Mean Time Between False Alarms} = E_0(T) = \frac{1}{e^{-h}} \tag{23}$$

where h is the threshold and $E_0(\cdot)$ [5] is the mean value under the probability density before the change.

The Mean Detection Delay describes the performance of the sensor, because it shows how much time is necessary to detect an alarm. From Change Detection theory we can write:

$$\text{Mean Detection Delay} = E_1(T) = \frac{h}{K(\theta_1, \theta_0)} \tag{24}$$

using Wald's approximation, where $K(\theta_1, \theta_0)$ is the Kullback function [5] and $E_1(\cdot)$ is the mean value under the probability density after the change.
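As an added example (not the authors' implementation), the following Python code runs the recursion (17) with the EWMA baseline (21) and the approximation (18) over constructed inter-arrival sequences, and evaluates the Wald figures (22) to (24). The EWMA weight, the amplitude percentage, the threshold and the sample traffic are assumptions of the example, and the Kullback function is written out for two exponential laws.

```python
from math import log, exp


def loglik_exp(y, mu0, mu1):
    """s_k of eq. (17): log-likelihood ratio of one exponential inter-arrival time y
    for arrival rate mu1 (after the change) against mu0 (before the change)."""
    return y * (mu0 - mu1) + log(mu1 / mu0)


def kullback_exp(mu1, mu0):
    """K(theta_1, theta_0) of eq. (24) for two exponential laws with rates mu1 and mu0."""
    return log(mu1 / mu0) + mu0 / mu1 - 1.0


def wald_figures(h, mu0, mu1):
    """Eqs. (22)-(24): false-alarm probability, mean time between false alarms and
    mean detection delay (in samples) for threshold h."""
    p_fa = exp(-h)
    return p_fa, 1.0 / p_fa, h / kullback_exp(mu1, mu0)


class CusumSensor:
    """CUSUM sensor of section 6 driven by inter-arrival times. The baseline mean
    inter-arrival time follows the EWMA filter of eq. (21); the post-change rate is
    guessed as `increase` times the baseline rate, eq. (18)."""

    def __init__(self, xbar0, ewma_weight, increase, h):
        self.xbar = xbar0            # baseline mean inter-arrival time (eq. 9 warm-up)
        self.ewma_weight = ewma_weight
        self.increase = increase     # amplitude percentage of eq. (18)
        self.h = h                   # threshold of eq. (13)
        self.g = 0.0                 # g_0 = 0

    def update(self, y):
        """Consume one inter-arrival time; return True when g_k reaches the threshold."""
        mu0 = 1.0 / self.xbar                # rate before the change
        mu1 = self.increase * mu0            # eq. (18)
        self.g = max(0.0, self.g + loglik_exp(y, mu0, mu1))   # eqs. (16)-(17)
        # eq. (21); the baseline keeps adapting, so a small weight limits attack pollution
        self.xbar = self.ewma_weight * y + (1.0 - self.ewma_weight) * self.xbar
        return self.g >= self.h


def first_alarm(gaps, warmup=10, ewma_weight=0.05, increase=2.0, h=5.0):
    """Return the index of the first inter-arrival time that raises an alarm, or None."""
    xbar0 = sum(gaps[:warmup]) / warmup    # eq. (9) over the warm-up window
    sensor = CusumSensor(xbar0, ewma_weight, increase, h)
    for k in range(warmup, len(gaps)):
        if sensor.update(gaps[k]):
            return k
    return None


# Constructed inter-arrival sequences (seconds): normal traffic around one INVITE per
# minute, and the same traffic followed by a flood of one INVITE every 0.5 s.
NORMAL = [55.0, 65.0] * 10
FLOOD = NORMAL + [0.5] * 20

if __name__ == "__main__":
    print(first_alarm(NORMAL))   # None: g_k never leaves 0 on normal traffic
    print(first_alarm(FLOOD))    # alarm a few samples into the flood (index 27)
    print(wald_figures(5.0, 1 / 60, 2 / 60))
```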

7. Final considerations

To choose the parameters, we must know the TIME-OUT of the system because, as stated above, all operations must be completed within it.

The number n of measurements used to compute the average time must be sufficient to achieve a good approximation of the average time and, at the same time, must not be too large, because the computation time cannot be too long. Therefore the choice of n must be made with care.

The number of measurements also matters for the estimation error of the mean value, as discussed above.

Another important parameter is the threshold of the sensor, because it is what enables the detection of possible attacks.

The threshold of the sensor must be close to the TIME-OUT, because we want to detect when the time between two arrivals is too short.

In practice, if it is too short compared with the TIME-OUT, the system cannot process all the requests and collapses under the computational load.

It is important to know the traffic level after an attack, because we must choose the percentage of increase of the mean rate after an attack. This parameter is important because, if it is too small, we will have false alarms, whereas if it is too large we may fail to detect attacks.

To investigate the performance of the system, it is necessary to study how the Mean Detection Delay changes with the percentage of increase of the mean rate. From our simulations we obtained the diagram of Fig. 7.1, which shows the typical behaviour of the Mean Detection Delay.

Fig. 7.1 – Mean Delay Detection

To conclude, we observe that the CUSUM algorithm [8] performs well against high-rate flooding attacks. In this condition the probability of detecting an attack tends to 100%, the probability of a false alarm tends to 0% and the detection delay is very short. This behaviour is shown by the diagrams of Fig. 7.2 and Fig. 7.3, obtained through our simulations.

Fig. 7.2 – Probability of False Alarm

The diagram in Fig. 7.2 shows that the False Alarm Probability decreases as the threshold value grows; since a higher traffic level requires a higher starting threshold, we can say that the False Alarm Probability decreases as the traffic grows. The diagram also shows how the Mean Detection Delay changes as the ratio between the Mean Arrival Time of the SIP messages before and after the change varies.

Fig. 7.3 shows the typical trend of the Mean Detection Delay versus the Mean Time Ratio.


Fig. 7.3 – Mean Delay Detection

In the case of a low-rate attack, the performance of the CUSUM algorithm degrades. Indeed, if the traffic intensity of the attack decreases, the probability of attack detection decreases (very slowly), the probability of false alarms grows, and the detection delay grows (quickly). It is important to point out that, under a low-rate attack, the danger to a SIP system is quite low or nonexistent, so the method we propose is good and useful in all cases of dangerous attacks.

8. References

[1] J. Rosenberg, H. Schulzrinne et al., "SIP: Session Initiation Protocol", RFC 3261, IETF, June 2002.

[2] M. Handley, V. Jacobson, "SDP: Session Description Protocol", RFC 2327, IETF, April 1998.

[3] G. Camarillo, "SIP Demystified", McGraw-Hill, 2002.

[4] A. Papoulis, "Probability, Random Variables and Stochastic Processes", 3rd edition, McGraw-Hill, 1991.

[5] M. Basseville, I. V. Nikiforov, "Detection of Abrupt Changes: Theory and Application", Prentice-Hall, 1993.

[6] J.-Y. Le Boudec, "Performance Evaluation of Computer and Communication Systems", http://ica1www.epfl.ch/perfeval/printMe/perf.pdf.

[7] H. Wang, D. Zhang, K. G. Shin, "Detecting SYN Flooding Attacks", IEEE INFOCOM 2002.

[8] V. A. Siris, F. Papagalou, "Application of anomaly detection algorithms for detecting SYN flooding attacks", ICS-FORTH, Tech. Rep. No. 330, December 2003.

[9] C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D. Zamboni, "Analysis of a denial of service attack on TCP", Proceedings of the 1997 IEEE Symposium on Security and Privacy, May 1997.

[10] D. Dittrich, "Distributed Denial of Service (DDoS) Attacks/Tools Page", http://staff.washington.edu/dittrich/misc/ddos/.

[11] A. Johnston, S. Donovan, R. Sparks, C. Cunningham, D. Willis, J. Rosenberg, K. Summers, H. Schulzrinne, "SIP call flow examples", Internet draft, Apr. 2002, work in progress.

[12] Telecost, "Enterprise call durations distributions", http://www.telecost.co.uk/pages/OnCallDurations.htm, 2002.

[13] K. Thompson, G. J. Miller, R. Wilder, "Wide-area Internet traffic patterns and characteristics", IEEE Network, 11(6), Dec. 1997.
