< Home

Mechanisms of SIP Flood Attack and Defense

This section describes the mechanisms of SIP flood attack and defense.

Attack Mechanism

The Session Initiation Protocol (SIP) is an application-layer signaling control protocol. It is used to create, modify, and release one or multiple sessions, such as Internet conferences, VoIP phone calls, or multimedia distribution sessions.

An attacker can send massive INVITE messages to the target SIP server to exhaust the SIP server resources and make the server unable to respond to legitimate call requests. An attacker can also exploit the vulnerabilities of SIP implementation on the VoIP devices to forge and send malformed packets, resulting in the DoS of the SIP server.

Defense Mechanism

The FW sends an OPTIONS request packet to verify whether the source IP address exists. If the source IP address exists, the source will reply and the FW will verify the reply. If the reply is in response to the OPTIONS packet, the FW permits the traffic and whitelists this IP address. If the reply is not in response to the OPTIONS packet, the FW discards all packets from this IP address. Figure 1 shows the procedure of source authentication in SIP flood attack defense.

Figure 1 Source authentication in SIP flood attack defense
Parent Topic: Understanding Attack Defense
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >