A whitelist-based countermeasure scheme using a Bloom filter against SIP flooding attacks

Since SIP uses a text-based message format and is open to the public Internet, it is exposed to a number of potential threats of denial of service (DoS) by flooding attacks. Although several approaches have been proposed to detect and counteract SIP flooding attacks, most of these do not provide effective countervailing schemes to protect normal messages from abnormal ones after attacks have been detected. In addition, these approaches have some limitations in large user environments for SIP-based multimedia services. In this paper, a whitelist-based countermeasure scheme is proposed, to protect both normal SIP users and servers from malicious flooding attacks. To construct the whitelist, a Bloom filter approach is used, to reduce memory requirements and computational complexity. We use the non-membership ratio as a measure for the attack detection, instead of using the message rate usually used in conventional schemes. It is shown that the proposed method can provide more robust detection performances.