Protecting from Cloud-based SIP flooding attacks by leveraging temporal and structural fingerprints

The session initiation protocol (SIP) is among the most popular voice over IP (VoIP) signaling protocols. Like other Internet protocols, deployment in live scenarios showed its vulnerability to flooding attacks. These attacks are very similar to those against TCP protocol but have emerged at the application level of the Internet architecture. In this paper, we present a new approach to protect SIP devices from flooding attacks. Our proposed approach is mainly composed of two algorithms: 1) a detection algorithm that takes into consideration the temporal characteristics of SIP protocol as well as the fingerprints of its messages and 2) a mitigation algorithm that filters SIP messages based on a fingerprint whitelist database. We evaluate our approach through an extensive set of experimental tests using widely distributed virtual machines in the cloud and compare to similar approaches found in the literature. The experiments emulate a large flooding attack launched from mutually distant geographic data centers. The results report short detection time, low sensibility to false alarms and high effectiveness in reducing the computational resources.