{"title":"Security of SIP-based infrastructure against malicious message attacks","authors":"A. Shrestha","doi":"10.1109/SKIMA.2014.7083519","DOIUrl":null,"url":null,"PeriodicalId":22294,"journal":{"name":"The 8th International Conference on Software, Knowledge, Information Management and Applications (SKIMA 2014)","volume":"25 1","pages":"1-8"},"PeriodicalIF":0.0000,"publicationDate":"2014-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"10","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"The 8th International Conference on Software, Knowledge, Information Management and Applications (SKIMA 2014)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SKIMA.2014.7083519","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 10
Abstract
The Session Initiation Protocol (SIP) has become the signaling protocol most widely used by vendors in Voice over Internet Protocol (VoIP) communication. As SIP gains popularity, the open architecture of VoIP often leaves SIP vulnerable to many threats. The paper introduces SIP and its different security mechanisms, with a focus on an attack-signature generation technique for identifying malformed SIP messages. It aims to generate various malicious SIP messages and to verify the limitations of the existing classical Intrusion Detection System (IDS) in identifying them. It then sets out to implement an improved detection framework whose rules are expressed as regular expressions. The experiments were carried out using SER as an open source SIP server, Kphone and X-lite as SIP clients, and SIPSAK as the attacking tool, on a testbed architecture in the form of a virtual environment created with VMware. The platforms used were BackTrack7 and Windows 7. The test was first performed on SNORT, an open source IDS, and later with the improved detection rules added to the configuration file of the SIP server. The successful attacks on the classical attack-signature generation framework proved that the existing IDSs couldn't identify logical errors in the malicious SIP messages. The proposed detection module identified and rejected all kinds of malicious SIP messages with acceptable processing overheads. Moreover, the associated signature database can also be incorporated into other VoIP protocols and open source IDSs like SNORT. The paper provides an effective mechanism for creating a well-formed defense against malicious SIP message attacks to ensure the integrity and security of VoIP subsystems.