Detection of Resource-Drained Attacks on SIP-Based Wireless VoIP Networks

The Session Initiation Protocol (SIP) has been widely used in VoIP for session control and management. As the basic SIP specifications do not require the proxy servers to track the states of established sessions, an extension header field "Session-Expires" has been proposed for SIP to allow the proxy server to hold resources for established sessions just within the specified periods. In this paper, we identify a novel denial of service (DoS) attack utilizing this SIP extension to drain resources of the proxy servers in wireless VoIP. In particular, by deliberately setting a large value of the "Session-Expires" header and then physically disconnecting from the wireless network, attackers can repeatedly hold resources of the proxy server as long as they want. Also, the low-volume nature of the attack allows it to avoid being detected by existing volume-based intrusion detection systems. As a counter-measure, we propose a robust detection scheme based on the statistical Anderson-Darling test. The key insight that leads to the scheme is the changed statistical property of the header values induced by the attack. We validate the performance through computer simulation. The scheme shows its ability to detect the attack and is even more effective when applied against the distributed denial of service (DDoS) attack.