Detection of DDoS Attack in SIP Environment with Non-parametric CUSUM Sensor

Luigi Alcuri, University of Palermo, Department of Electrical, Electronic and Telecommunication Engineering, luigi.alcuri@tti.unipa.it
Pietro Cassarà, University of Palermo, Department of Electrical, Electronic and Telecommunication Engineering, pietro.cassara@tti.unipa.it

Abstract

Modern all-IP networks, which carry telephony, multimedia and data, use mainly the Session Initiation Protocol (SIP) as signalling protocol. These networks are exposed to various types of attacks and, among them, a DDoS attack can be particularly dangerous because it can be directed against the SIP signalling system. This situation arises from the circumstance that a SIP system cannot be entirely protected against an attack of this type: a shield can be put in place only after the attack has been detected. Hence, it is important to implement a fast and reliable method for the detection of an attack. In this paper we propose a new method to resolve the problem of detecting flood-based DDoS attacks during a SIP session. The method is based on non-parametric CUSUM theory and uses a sensor that analyzes the inter-arrival times of incoming flows jointly with a packet analyzer, which extracts the relevant data from the received SIP messages. In particular, we assume that the flow of SIP requests is Poisson distributed.

1. Introduction

Telecommunication networks have always been exposed to various types of attacks but nowadays, due to the IP-based open architecture of modern networks, these attacks have become more frequent and dangerous. Distributed Denial of Service (DDoS) attacks [7, 9], which are an evolution of Denial of Service (DoS) attacks, are a particular type of attack which hampers the regular operation of a service, of a host or of a network.

Differently from DoS attacks, which use a single machine as source of fake messages (and are not really dangerous, because the amount of traffic produced by a single host is naturally limited, and are easily detected from their source address), DDoS attacks involve a large number of hosts, organized in a so-called botnet, which are used to strike a target. These attacks may be directed at the application layer, the transport layer and/or the network layer of a target service. In this paper we deal with attacks aimed at the application/session layer, particularly at the SIP signalling structure. These attacks are the most dangerous, because a block of the signalling structure inhibits the regular operation of the whole service. The SIP signalling system [1] includes, in addition to the protocol that defines the messages necessary for the management of the session, some network components [3] such as User Agents, Proxy Servers and Registrar Servers. These components are subject to various external attacks which, in some cases, are difficult to prevent because of their behaviour. For this reason the threat of DDoS attacks is still present today. Moreover, almost all present networks are connected together, and this condition permits malicious users to strike a target from any location. As a result, despite the evolution of Intrusion Detection Systems, Network Address Translators, Firewalls and so on, current telecommunication networks are subject to various types of malicious attacks and it is necessary to implement efficient defence mechanisms.

This paper, following an analysis of the SIP architecture and messages to highlight their weaknesses and to elaborate an appropriate defence strategy, presents a methodology, based on a non-parametric cumulative sum (CUSUM) technique, that permits the detection of DDoS attacks, seen as a change of the traffic stochastic process. Subsequently to the use of such a detector, the system can control and block, in an almost selective manner, the SIP flows which are responsible for the attack.

2. The SIP protocol

SIP (Session Initiation Protocol) is a signalling protocol that allows achieving the connection among two or more users.
SIP is able to open a session, to administer the session and to close it. The main components of the SIP architecture are the SIP User Agents (UAs), SIP Proxies and SIP Redirect Servers. UAs, which open, accept and close a connection, can be software or both hardware and software, and are composed of two parts: Client and Server. When a User Agent sends a message it acts as a Client (UAC), whereas when it receives a message it acts as a Server (UAS). SIP Proxies are the components that forward the SIP messages to the final destination, and Redirect Servers are the components that provide the address of a remote user.

All the operations are managed by the SIP signalling system through the messages, which are of two types: requests and responses. In the request we find a field, named request line, in which the method (the purpose of the request) is indicated: INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER, and so on. In the response there is a field named status line, in which its type is indicated: Informational, Success, Redirection, Client error, Server error, Global failure. Both request and response include two types of lines: header lines and body lines. The various header lines provide information about the request or response and about the body that they contain. The body is an optional field and it can contain the session information, for example: type of session, audio codec, video codec and others. All this information is encoded by SDP (Session Description Protocol) [2]. The following figures 1.1 and 1.2 show examples of SIP messages.

Fig. 1.1 SIP request message
Fig. 1.2 SIP response message

SIP is a text-based transactional protocol, which uses a Client-Server paradigm similar to that of HTTP; therefore, when the caller User Agent sends an INVITE to the callee, this one sends back a confirmation response (200/OK). Subsequently the caller User Agent sends back a message containing the method ACK. Figure 1.3 shows the transaction diagram of the SIP messages described above.

Fig. 1.3 Example of SIP transaction

2.1 Time characterization

When a User Agent Client sends an INVITE, which is always the first leg of a communication session, it starts a time counter (Client TIME-OUT), and before this counter expires the User Agent Server must send a 200/OK response; otherwise the INVITE is sent again and the timer is restarted, or the communication is closed. When the User Agent Server sends a 200/OK, it starts a time counter (Server TIME-OUT), and before this counter expires the User Agent Client must send back an ACK; otherwise the 200/OK is sent again and the timer is restarted, or the communication is closed [1, 3]. If the ACK has been sent successfully, the communication session can start; otherwise, the network resources are released.

2.2 SIP headers Route, Record-Route and Via

For the problem discussed in this paper, it is interesting to see the function of the headers Route, Record-Route and Via [1, 3]. When a user requires to send a message along a prearranged path, it must insert the SIP addresses of the proxy servers that it requires to cross within the header Route. The addresses have to be inserted in the same order in which the message will cross the proxies. When a proxy server receives a SIP message, it reads the header Route and forwards the message to the next address in the route list. The header Record-Route is used when a proxy wants to stay in the path crossed by the messages of a SIP session. When a User Agent Client sends a request, the proxy that receives it writes its address into the header Record-Route, so that when the request arrives at the User Agent Server this can copy the list of proxies into the header Route, and the responses sent by the User Agent Server cross the same proxies crossed by the request. The header Via is used for storing the addresses of the SIP proxies that handle the SIP messages. When a SIP request is sent from a User Agent Client to a User Agent Server, all the proxies that handle the request write their own addresses into the header Via. The User Agent Server, when it receives the request, uses this information to send the response in the opposite direction. The following figures 2.1, 2.2 and 2.3 show the utilization of the headers Via, Route and Record-Route.
3. DDoS in SIP environment

The DDoS attack is a development of the DoS attack. In a DDoS attack many computers (so-called zombies) are organized in a hierarchical structure (a so-called botnet), in which the attacker does not directly interact with them, but operates by managing a group of zombies through an intermediate host called handler. This way the attacker makes the zombies generate an attack flow directed towards the target, without exposing itself. If the number of zombies is sufficiently great, and the target spends a certain quantity of time on each one, it can become congested and will go down. Figure 3.1 shows the architecture of a DDoS attack.

Fig. 2.1 Example of Via header utilization
Fig. 2.2 Example of Route header utilization
Fig. 2.3 Example of Record-Route header utilization
Fig. 3.1 Architecture of a DDoS attack

The time interval between two successive INVITEs must be less than the TIME-OUT, because after the proxy receives an INVITE it replies with a 200/OK response and waits a time interval equal to the TIME-OUT for an ACK. If the proxy does not receive any response within this time, it releases the resources and is ready to accept a new connection request.

Typically, to execute an assault, the attacker sends in a short interval a great number of INVITEs to the target. These INVITEs have to carry an appropriate content in one of the three headers Route, Record-Route or Via. If the attacker uses the header Route [1], he generates a very great flow, profiting from the computers that he governs, and inserts the target address into the header Route of the messages which compose the flow, so all the messages of the flow will reach the target. If the attacker uses the header Record-Route [1], he inserts the target address into this header, so the flow goes through the target in the opposite direction to that followed by the flow generated using the header Route. If the attacker uses the header Via [1], he inserts the target address into this header, so all the SIP requests involved in the SIP session will go through the target. A very important point to understand is that, by design, SIP proxies have to accept the incoming invitations without any prior session setup. For this reason SIP proxies cannot refuse the invitations, which have to be blocked by another element. In any case, the attacker sends to the target, in a short time, a very great number of INVITEs that it has to process, because only by inspecting them can the target identify the malicious packets. Therefore the target goes down, because its resources run out in the attempt to accept all the connection requests.

4. Control of INVITE flow as prevention of an attack

According to the previous reasoning, we can design a method for the prevention of DDoS attacks based on monitoring the INVITE flow. Actually, the method we are going to present uses the header Via of the INVITE, which is always present in a SIP message, to trace a host that sends a malicious INVITE flow. The various steps of the method are:

a. The system creates a table of addresses to control, whose entries contain the IP address and the series of time intervals between two successive arrivals.

b. For all the INVITEs which arrive, we extract the last but one address in the header Via. This way we can monitor the INVITE flow that arrives from the access proxy of a host. If we extract the last address in the header Via, we can monitor the INVITE flow that arrives from the final host. Which address to monitor depends on the amount of memory we can use. Actually, the number of addresses to be monitored is greater in the first case than in the second one, because the number of final hosts is greater than that of access proxies. We could also monitor the INVITE flow coming from one domain; in that case we can extract the header From, which is also always present.

c. If an entry with the new address is not present in the table of addresses to control, it is created at the moment of the first arrival. Otherwise, if the address is already present, the new time between two arrivals for this address is added. To obtain this time interval it is possible to read the system clock and to calculate the difference between two instants of time. The following table shows an example of the table used to store the inter-arrival times.

Table 4.1 Inter-arrival timer table

d. When we have stored an adequate number of inter-arrival times, we can calculate, for all the addresses that we control, the mean time between two arrivals.

e. The mean time between two arrivals is compared with the TIME-OUT value of the system. This operation is executed by a threshold sensor for all the stored addresses. If one of the addresses has a mean time greater than the TIME-OUT, the event is signalled.

We recall that all these operations have to be executed in a time shorter than the TIME-OUT; otherwise an attacker has the opportunity to knock down the system.

5. Calculation of the mean time

In section 4, at point d of the list, we wrote that when an adequate number of time intervals between two arrivals have been stored, it is possible to calculate the mean time between two arrivals. In this section we explain how to calculate this mean value and its confidence interval as a function of the number of measures.
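Steps a to e of section 4, together with the estimate of eq. (9) and the prediction interval of eq. (10) from section 5.2, as an added example; this is not the authors' implementation. The Via ordering (newest Via on top, so the originating host is the last one and its access proxy the last but one) follows RFC 3261; the TIME-OUT value, the minimum number of samples n_min, the flag criterion (whole prediction interval below TIME-OUT) and the INVITE traffic are constructed assumptions.

```python
import math
import re
from collections import defaultdict

# z_u values of Table 5.1 (u -> z_u)
Z_U = {0.90: 1.282, 0.925: 1.440, 0.95: 1.645, 0.975: 1.967, 0.999: 3.090}
# Assumed system TIME-OUT in seconds (placeholder; the paper gives no value)
TIMEOUT = 1.0
# "Via: SIP/2.0/UDP host[:port];branch=..." -> capture host[:port]
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;\s]+)", re.I | re.M)


def monitored_address(invite, access_proxy=True):
    # Step b: Vias are stacked newest-first (RFC 3261), so the originating host
    # is the last Via and its access proxy is the last but one.
    vias = VIA_RE.findall(invite)
    if not vias:
        return None
    return vias[-2] if access_proxy and len(vias) >= 2 else vias[-1]


def record(table, last_seen, address, now):
    # Steps a and c: table maps address -> list of inter-arrival times
    prev = last_seen.get(address)
    last_seen[address] = now
    if prev is not None:
        table[address].append(now - prev)


def mean_interval(samples):
    return sum(samples) / len(samples)          # eq. (9)


def prediction_interval(samples, u=0.975):
    # eq. (10): exponential inter-arrivals, so sigma is estimated by xbar
    n, xbar = len(samples), mean_interval(samples)
    half = Z_U[u] * xbar / math.sqrt(n)
    return xbar - half, xbar + half


def flagged_addresses(table, n_min=5, u=0.975, timeout=TIMEOUT):
    # Steps d and e. Assumed criterion: flag an address whose whole prediction
    # interval lies below TIME-OUT, i.e. INVITEs keep arriving before the proxy
    # can release the resources of the previous one (section 3).
    result = {}
    for address, samples in table.items():
        if len(samples) >= n_min:
            low, high = prediction_interval(samples, u)
            if high < timeout:
                result[address] = (mean_interval(samples), low, high)
    return result


def run_demo():
    # Constructed traffic: INVITEs through proxy 10.0.0.5 every 0.1 s (flood)
    # and through proxy 10.0.0.9 about every 3 s (normal use).
    table, last_seen = defaultdict(list), {}
    msg = ("INVITE sip:bob@example.net SIP/2.0\r\n"
           "Via: SIP/2.0/UDP {proxy}:5060;branch=z9hG4bK1\r\n"
           "Via: SIP/2.0/UDP {host}:5060;branch=z9hG4bK2\r\n")
    for i in range(6):
        record(table, last_seen,
               monitored_address(msg.format(proxy="10.0.0.5", host="192.0.2.7")), 10.0 + 0.1 * i)
    for t in (20.0, 23.0, 25.5, 29.0, 31.8, 35.0):
        record(table, last_seen,
               monitored_address(msg.format(proxy="10.0.0.9", host="198.51.100.4")), t)
    return flagged_addresses(table)
```

With these inputs only the access proxy 10.0.0.5 is flagged: its mean inter-arrival time is 0.1 s and even the upper end of its prediction interval stays well below the assumed TIME-OUT, while the 3 s flow is not.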
5.1 Interval prediction of a random variable

We suppose that x is a random variable (RV) and that we know its distribution. If we want to estimate x [4, 6] we can use the Mean Square Error (MSE) method, and we have to minimize the quantity

$E\{(x - c)^2\}$   (1)

where c is the estimate. The estimate c will fall within an interval of values, which can be calculated this way:

$P\{c_1 < x < c_2\} = 1 - \delta = \gamma$   (2)

where γ is a given constant called confidence coefficient. This way, the estimate will be correct in 100γ percent of the cases. Typical values of γ are 0.9, 0.95 or 0.99; anyway, when γ → 1 the interval (c_1, c_2) widens and the estimate worsens. When we estimate x we have to calculate the prediction interval to get an idea of the error of the estimate. If the density of x has a single maximum, c_2 - c_1 is minimum if the density in c_1 is equal to the density in c_2. This is the case for a Poisson variable: in fact, if the arrivals are Poisson distributed with mean λ, the density of the inter-arrival time x is

$f(x) = \lambda e^{-\lambda x}$   (3)

because

$P(k) = \frac{\lambda^k}{k!} e^{-\lambda}$   (4)

is the probability that in the interval L there are k arrivals. If the mean number of arrivals in the interval L is λ, the probability that there are zero arrivals in L is

$P_0 = e^{-\lambda}$   (5)

and the probability of one arrival in L is

$P_1 = \lambda e^{-\lambda}$   (6)

If the probability density function is symmetrical about its mean value, a solution of (2) is

$P\{x < c_1\} = \frac{\delta}{2}; \qquad P\{x > c_2\} = \frac{\delta}{2}$   (7)

(in the other cases it is a suboptimal solution) and $c_1 = x_{\delta/2}$, $c_2 = x_{1-\delta/2}$, where $x_u$ is the u percentile of x. From the theory of estimation we can write

$P\left\{\mu - z_u \frac{\sigma}{\sqrt{n}} < \bar{x} < \mu + z_u \frac{\sigma}{\sqrt{n}}\right\} = 1 - \delta = \gamma = 2u - 1$   (8)

where μ is the mean value, σ² is the variance, n is the number of measures used to estimate x, and $\bar{x}$ is the estimate. The values of u and $z_u$ are reported in Table 5.1.
Table 5.1 Values of z_u

u      0.90    0.925   0.95    0.975   0.999
z_u    1.282   1.440   1.645   1.967   3.090

5.2 Estimate of the mean value

From the literature it is well known that in the present case the arrival process is of Poisson type [1, 2, 3]. Therefore we can apply the results presented in section 5.1. In our case we want to estimate the mean value of the inter-arrival time [4, 6]. On the Poisson hypothesis the p.d.f. of the inter-arrival time is an exponential function. If all the taken samples are uniformly distributed and independent of each other, then by the law of large numbers the average of the samples tends to the mean value of the distribution of the process. The mean value is therefore calculated as

$\bar{x} = \frac{1}{n}\sum_{i=1}^{n}\left(T_{i+1} - T_i\right)$   (9)

where $T_i$ is the i-th instant of arrival, and its prediction interval is

$P\left\{\bar{x} - z_u\frac{\bar{x}}{\sqrt{n}} < \mu < \bar{x} + z_u\frac{\bar{x}}{\sqrt{n}}\right\} = \gamma$   (10)

From (9), (10) and the TIME-OUT of the system we can choose n.

6. The threshold sensor

The threshold sensor presented here has been achieved using the CUSUM theory. In this section we briefly present this theory. The theory of change detection [5] is based on the concept of the logarithm of the likelihood ratio:

$s_i = \log\frac{p_{\theta_1}(y_i)}{p_{\theta_0}(y_i)}$   (11)

where $p_{\theta_1}(y)$ and $p_{\theta_0}(y)$ are the probability densities, for the parameter θ, after and before the change respectively, and $y_i$ is an i.i.d. random sequence. If we denote respectively with $E_{\theta_0}(s)$ and $E_{\theta_1}(s)$ the expected values of the random sequence, with the condition that $E_{\theta_0}(s) < 0$ and $E_{\theta_1}(s) > 0$, then a change in the parameter of the random sequence y corresponds to a change in the sign of the mean value of the log-likelihood ratio. With

$S_j^k = \sum_{i=j}^{k} s_i$   (12)

we indicate the log-likelihood ratio for the observations from $y_j$ to $y_k$. A typical decision rule is

$g_k = S_1^k - m_k \ge h$   (13)

where h is the threshold and

$m_k = \min_{1 \le j \le k} S_1^j$   (14)

The behaviour of $g_k$ is shown in figure 6.1. If we consider the CUSUM algorithm as a repeated Sequential Probability Ratio Test (SPRT), the decision rule takes the form

$g_k = \begin{cases} g_{k-1} + \ln\frac{p_{\theta_1}(y_k)}{p_{\theta_0}(y_k)} & \text{if } g_{k-1} + \ln\frac{p_{\theta_1}(y_k)}{p_{\theta_0}(y_k)} > 0 \\ 0 & \text{otherwise} \end{cases}$   (15)

with $g_0 = 0$. The above equation can be written as

$g_k = \left(g_{k-1} + s_k\right)^+$   (16)

where $(x)^+ = \sup(0, x)$; this equation provides a recursive form of equation (13).

Fig. 6.1 Behaviour of the function g_k

We have supposed that the time interval between two arrivals is exponentially distributed, so equation (16) can be written as

$g_k = \left(g_{k-1} - y_k\frac{\mu_0 - \mu_1}{\mu_0\mu_1} + \ln\frac{\mu_0}{\mu_1}\right)^+$   (17)

In equation (17), $\mu_0$ and $\mu_1$ are the mean values of the arrival process before and after the change respectively. The value $\mu_1$ cannot be known beforehand, so we approximate it with

$\mu_1 = \alpha\,\bar{\mu}_n$   (18)

where α is the amplitude percentage, which corresponds to the most probable percentage of increase of the mean rate after a change, and $\bar{\mu}_n$ is the average, updated using the Exponentially Weighted Moving Average (EWMA) method [8]. As is known, with this method the mean is expressed as

$\bar{x}_k = \frac{1}{n}\sum_{i=k-n+1}^{k} x_i$   (19)

then

$\bar{x}_{k+1} = \frac{1}{n+1}\sum_{i=k-n+1}^{k+1} x_i = \frac{1}{n+1}\left(\sum_{i=k-n+1}^{k} x_i + x_{k+1}\right) = \frac{n}{n+1}\bar{x}_k + \frac{1}{n+1}x_{k+1}$   (20)

If we combine equation (20) with equation (19) and shift the index back by one, we obtain

$\bar{x}_k = \frac{n}{n+1}\bar{x}_{k-1} + \frac{1}{n+1}x_k = \beta x_k + (1 - \beta)\bar{x}_{k-1}$   (21)

This equation is known as the EWMA filter.

For the assessment of performance we also consider the following parameters: False Alarm Probability, Mean Time between False Alarms and Mean Detection Delay. The parameters False Alarm Probability and Mean Time between False Alarms give information about the alarm process. If we consider Wald's approximation we can write

$\Pr\{\text{false alarm}\} = e^{-h}$   (22)

$\text{Mean Time Between False Alarms} = \bar{T} = E_{\theta_0}(T) = e^{h}$   (23)

where h is the threshold and $E_{\theta_0}(\cdot)$ [5] is the mean value for the probability density before the change. The Mean Detection Delay gives information about the performance of the sensor, because it shows how much time is necessary for the detection of an alarm. From change detection theory we can write

$\text{Mean Detection Delay} = \bar{\tau} = E_{\theta_1}(T) = \frac{h}{K(\theta_1, \theta_0)}$   (24)

considering Wald's approximation, where $K(\theta_1, \theta_0)$ is the Kullback function [5] and $E_{\theta_1}(\cdot)$ is the mean value for the probability density after the change.

7. Final considerations

To choose the parameters we must know the TIME-OUT of the system because, as stated above, all the operations must be made within it. The number n of measures that we collect to compute the average time must be sufficient to achieve a good approximation of the average and, at the same time, it must not be too large, because the computation time could become too long. Therefore the choice of n must be made with care. The number of measures is also important to calculate the estimation error of the mean value, as discussed above. Another important parameter is the threshold of the sensor, because it enables the detection of possible attacks. The threshold of the sensor must be near the TIME-OUT, because we want to detect when the time between two arrivals is too short. In practice, if it is too short with respect to the TIME-OUT, the system must process all the requests and will drop under the load of computation.
It is important to know the traffic level after an attack, because we must choose the percentage of increase of the mean rate after an attack. This parameter is important because, if it is too small, we will have false alarms, whereas if it is too large we could fail to detect the attacks. To investigate the performance of the system it is necessary to study how the Mean Detection Delay changes with the percentage of increase of the mean rate. From the simulations we made we obtained the diagram of Fig. 7.1, which shows the typical behaviour of the Mean Detection Delay.

Fig. 7.1 Mean Detection Delay

To conclude, we can observe that the CUSUM algorithm [8] shows a good performance with high-flow traffic attacks. Actually, in this condition the probability of detecting an attack tends to 100%, the probability of a false alarm tends to 0% and the detection delay is very short. This behaviour is shown by the diagrams of Fig. 7.2 and Fig. 7.3, obtained through our simulations.

Fig. 7.2 Probability of False Alarm

The diagram of Fig. 7.2 shows that if the threshold value grows the False Alarm Probability decreases, because if the traffic grows we must choose a greater departure threshold. Therefore we can say that if the traffic grows the False Alarm Probability decreases. This diagram also shows how the Mean Detection Delay changes with the ratio between the Mean Arrival Time of the SIP messages before and after the change. Fig. 7.3 shows the typical trend of the Mean Detection Delay versus the Mean Time Ratio.
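The CUSUM sensor of section 6, with the parameters discussed in section 7 (threshold h, amplitude α of eq. (18), EWMA weight β of eq. (21)), as an added example; it is not the authors' simulation code. It assumes exponentially distributed inter-arrival times; the values h = 5, α = 0.5 and β = 0.1, the constructed traffic trace, the warm-up period and the rule of freezing the EWMA while g_k > 0 are all assumptions made here.

```python
import math

# Assumed parameters (the paper gives no numeric values): threshold h,
# amplitude alpha (eq. 18, mu1 = alpha * mu_n), EWMA weight beta (eq. 21)
H = 5.0
ALPHA = 0.5
BETA = 0.1


def log_likelihood_ratio(y, mu0, mu1):
    # s_k of eq. (11) for exponential inter-arrival times with means mu0
    # (before) and mu1 (after); this is the increment inside eq. (17)
    return math.log(mu0 / mu1) - y * (mu0 - mu1) / (mu0 * mu1)


def kullback(mu1, mu0):
    # K(theta1, theta0) = E_theta1[s_k] for the exponential case, eq. (24)
    r = mu0 / mu1
    return math.log(r) - 1.0 + 1.0 / r


def wald_figures(h, mu1, mu0):
    # eqs. (22)-(24): false-alarm probability, mean time between false alarms
    # and mean detection delay (in observations) under Wald's approximation
    return math.exp(-h), math.exp(h), h / kullback(mu1, mu0)


def cusum_sensor(intervals, h=H, alpha=ALPHA, beta=BETA, warmup=10):
    # Recursive CUSUM of eq. (17) over inter-arrival times.  mu0 is the EWMA
    # of eq. (21); mu1 is approximated by eq. (18).  Assumption: the EWMA is
    # frozen while g_k > 0 so that a flood does not pull mu0 down towards it.
    mu_n, g, trace = None, 0.0, []
    for k, y in enumerate(intervals):
        if mu_n is None:
            mu_n = y                              # seed the EWMA
        if k < warmup:                            # learn the pre-change mean
            mu_n = beta * y + (1 - beta) * mu_n
            trace.append(0.0)
            continue
        mu0, mu1 = mu_n, alpha * mu_n
        g = max(0.0, g + log_likelihood_ratio(y, mu0, mu1))   # eq. (17)
        trace.append(g)
        if g >= h:                                # decision rule, eq. (13)
            return k, trace
        if g == 0.0:
            mu_n = beta * y + (1 - beta) * mu_n   # eq. (21)
    return None, trace


def run_demo():
    # Constructed trace: 30 normal inter-arrival times around 2.0 s, then a
    # flood in which INVITEs arrive every 0.2 s (mean rate ten times higher)
    normal = [2.0 + 0.3 * math.sin(i) for i in range(30)]
    flood = [0.2] * 20
    return cusum_sensor(normal + flood)
```

On this trace g_k stays at zero through the normal phase and crosses h on the ninth flood sample (index 38); the Wald figures for h = 5, μ0 = 2 and μ1 = 1 give a false-alarm probability of about 0.0067 and a mean detection delay of about 26 observations, which the much faster constructed flood beats.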
Fig. 7.3 Mean Detection Delay

In the case of a low-flow traffic attack the performance of the CUSUM algorithm falls. Actually, if the traffic intensity of the attack decreases, the probability of attack detection decreases (very slowly), the probability of false alarms grows and the detection delay grows (quickly). It is important to point out that in the condition of a low-flow traffic attack the danger for a SIP system is quite low or non-existent, so the method we propose is good and useful in all cases of dangerous attacks.

Footnotes cited in section 5.2:
[1] A. Johnston, S. Donovan, R. Sparks, C. Cunningham, D. Willis, J. Rosenberg, K. Summers, H. Schulzrinne, Internet draft: SIP call flow examples, Apr. 2002. Work in Progress.
[2] Telecos, Enterprise call durations distributions, http://www.telecos.co.uk/pages/oncalldurations.htm, 2002.
[3] K. Thompson, G. J. Miller, R. Wilder, Wide-area internet traffic patterns and characteristics, IEEE Network, 11(6), Dec. 1997.

8. References

[1] H. Rosenberg, H. Schulzrinne et al., RFC 3261 SIP: Session Initiation Protocol, IETF, June 2002.
[2] M. Handley, V. Jacobson, RFC 2327 SDP: Session Description Protocol, IETF, April 1998.
[3] G. Camarillo, SIP demystified, McGraw-Hill, 2002.
[4] A. Papoulis, Probability, Random Variables and Stochastic Processes, 3rd edition, McGraw-Hill, 1991.
[5] M. Basseville, I. V. Nikiforov, Detection of Abrupt Changes: Theory and Application, Prentice-Hall, 1993.
[6] J.-Y. Le Boudec, Performance Evaluation of Computer and Communication Systems, http://icawww.epfl.ch/perfeval/printme/perf.pdf.
[7] H. Wang, D. Zhang, K. G. Shin, Detecting SYN Flooding Attacks, IEEE INFOCOM 2002.
[8] V. A. Siris, F. Papagalou, Application of anomaly detection algorithms for detecting SYN flooding attacks, ICS-FORTH, Tech. Rep. No. 330, December 2003.
[9] C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D. Zamboni, Analysis of a denial of service attack on TCP, Proceedings of the 1997 IEEE Symposium on Security and Privacy, May 1997.
[10] D. Dittrich, Distributed Denial of Service (DDoS) Attacks/Tools Page, http://staff.washington.edu/dittrich/misc/ddos/.