
Defending against common attacks in SIP

Karthik Budigere Ramakrishna

Helsinki University of Technology, Espoo, Finland
kbudiger@cc.hut.fi

Abstract. Session Initiation Protocol (SIP) is a widely used application layer control protocol in VoIP systems for multimedia session management. As SIP gains popularity, security has become a main area of focus. The main aspects of providing security are preserving the confidentiality of messages, authentication, and preserving message integrity. In this paper we present the common threats and attacks identified on SIP based systems and some of the solutions to defend against these attacks.

Key words: SIP, VoIP

1 Introduction

The Session Initiation Protocol (IETF RFC 3261) is a protocol designed to provide session management functions such as establishing, terminating and modifying multimedia sessions [1]. SIP is a very simple text based protocol similar to HTTP and it follows the request/response model. This has made SIP a very popular protocol in VoIP system implementations. The H.323 protocol provides very similar functions to SIP, but SIP has better properties such as simplicity, extensibility and scalability [6].

SIP is widely used in building VoIP networks. Unlike traditional telephone networks, VoIP networks are not closed, which leaves the communication medium vulnerable to all kinds of attacks from intruders. Attacks on SIP systems may have severe consequences such as making the system unavailable for service, hijacking of information or user credentials, inappropriate billing and more. This paper introduces some of the common attacks that can happen on SIP systems and the ways to defend against them. Section 2 briefly describes the SIP architecture and the SIP security framework. Section 3 discusses the various kinds of threats and attacks on SIP based systems, such as flooding attacks, message flow attacks and parser attacks, and the ways to defend against them. Section 4 concludes the paper with some areas of focus for research and future work on reducing SIP vulnerabilities.

2 SIP Overview

SIP was designed by the Internet Engineering Task Force (IETF) and is documented as RFC 3261, which obsoletes RFC 2543. SIP is a simple text based application protocol used for creating, modifying and terminating multimedia sessions. SIP is not itself a complete multimedia system; it is used together with several other protocols to build one.

2.1 SIP Call Setup

SIP is a signaling protocol and it defines the signaling interaction between the following entities:

• User Agent (UA) - the participating end points in the communication.
• SIP Proxy - used mainly to locate and communicate with the end points.
• SIP Registrar - the main server where UAs register in order to receive service.
• SIP Redirect Server - gives the UA the next hop, or an alternative set of contact addresses for the UA server.
• Location Server - maintains the information of all registered UAs and provides it to the proxy on request.

A typical SIP call setup is shown in Figure 1. The setup has two participating UAs, intermediate proxies and a location server; it is also referred to as the "SIP trapezoid". A call can happen only after a UA registers with the SIP server. SIP registration is the process in which a UA registers its SIP address with the SIP registrar of its domain. A SIP address is a SIP URI in name-at-domain format.

A call setup starts by sending a SIP INVITE message; this message is sent by UA1, which is initiating a call to UA2. The INVITE passes through a series of proxies to reach the final destination UA2. The proxies use the redirect and location servers to determine the next hop. When the INVITE reaches UA2, UA1 receives a ringing indication. If UA2 accepts the call, the acceptance is confirmed with an ACK message and the multimedia session is established according to the information in the SIP messages. The call is terminated by sending a BYE request; termination can be initiated by either UA1 or UA2.

Other important SIP methods are UPDATE and REFER. The SIP UPDATE method is used by a client to update session related parameters without affecting the ongoing dialog. In the SIP REFER method the referrer provides the URI to be referenced; this method is used to enable services such as call transfer.
Fig. 1. SIP call flow [1].

Depending on the services offered, a SIP architecture can also have several other components:

• AAA servers (Authentication, Authorization and Accounting), which can use protocols such as RADIUS or DIAMETER.
• DNS servers to resolve the mapping between SIP URIs and IP addresses.
• ENUM servers to resolve the mapping between telephone numbers and IP addresses. These are generally used by a PSTN gateway.

2.2 SIP Security


SIP security services are defined in RFC 3261 [1]. The basic security services it provides are preserving the confidentiality and integrity of messages, preventing replay attacks, preventing message spoofing, and providing authentication and privacy for the participants in a session.

The SIP security specification recommends the following security methods:

◦ HTTP digest based authentication scheme for authentication.
◦ IPSec and TLS for the protection of the signaling path.
◦ S/MIME to protect the integrity and confidentiality of SIP messages.

However, none of the suggested methods can provide complete end to end security for SIP systems, as each method has its own drawbacks. HTTP digest authentication offers a one way authentication scheme based on a challenge message, but it can only prevent replay attacks; it does not protect against spam calls or man-in-the-middle attacks. IPSec and TLS provide security at the network and transport layers. IPSec is generally implemented at the operating system level, and because of this most SIP clients do not implement it, so IPSec can only protect the data between the network servers. TLS cannot be applied to UDP-based signaling. S/MIME is not widely implemented because it requires public-key infrastructure support and managing the security certificates is complex.

3 Attacks on SIP systems


SIP systems are mainly deployed on the Internet, which is very susceptible to threats from intruders or attackers. SIP threats can be classified into external and internal threats. External threats are attacks made by intruders who do not participate in the SIP-based call. Internal threats are attacks made by the participating nodes.

Attacks on SIP systems are mainly possible because of the ease of spoofing, eavesdropping, hijacking, message tampering and flooding on the open communication medium; as a result, basic security needs such as message integrity and confidentiality are lost. These attacks result in loss of credentials, denial of service and improper billing. The common attacks on SIP systems are classified as:

◦ Message flow attacks
◦ Parser attacks
◦ Flooding attacks
◦ SIP and spam

3.1 Message Flow Attacks


Message flow attacks are attacks made on the message flow of SIP. SIP is a text based protocol that operates by sending request/response messages, and the basic message flow of SIP is the target an intruder uses to attack the SIP system. The main reason an attacker can launch attacks with these messages is the lack of authentication, or an improper authentication mechanism, among the SIP participants. These message attacks may result in DoS and improper billing. Message flow attacks are also termed signaling attacks. Some of the message flow attacks and the possible solutions for them are discussed in this section.

3.1.1 The "BYE" Attack (Teardown attack) This attack can be made by an intruder when SIP is used without authentication. The BYE message is used to terminate an established session. First the intruder obtains the session information by sniffing the communication medium, and then deliberately inserts a BYE message to terminate the call, as shown in Figure 2. This results in irregular behavior of the calls made by the user. The intruder can also use the BYE message to cause improper billing, by delaying the sending of the BYE: after obtaining the session information the intruder acts as a man-in-the-middle and, when the BYE is sent by the legitimate user, drops or delays it.

Fig. 2. "BYE" attack and "CANCEL" attack.

3.1.2 The "CANCEL" Attack The CANCEL message is used by a client to cancel an ongoing transaction. In this attack the intruder uses a CANCEL request to cancel the INVITE request generated by a legitimate user. This results in DoS for the legitimate user.

3.1.3 The "Re-INVITE" Attack A Re-INVITE is used to modify an existing session; the modification may change or remove a media stream. It is done by sending an INVITE within the same dialog. This kind of attack results in DoS or deteriorates the quality of the established session.

3.1.4 The "UPDATE" Attack The SIP UPDATE method [4] is similar to the Re-INVITE procedure; the only difference is that UPDATE happens before the dialog is established. The UPDATE method is used to negotiate QoS parameters or other session related parameters. This attack results in DoS or deteriorates the quality of the session being established.

Fig. 3. Registration hijacking and unregister attack [7].

3.1.5 Registration Hijacking and Replay Attack This attack targets the legitimate user's registration process with the registrar. The intruder spoofs the registration message and replaces the legitimate user's registration with his own address; as a result, calls coming for the UA are received by the intruder. The intruder can also capture the REGISTER message sent by the legitimate user to the registrar and replay it after some time to unregister the legitimate user. This is achieved by sending the expiry field value as 0 [7]. This kind of attack is called an unregister attack and results in DoS.

3.1.6 Measures to defend Message Flow attacks The main cause of message flow attacks is the use of an inefficient authentication procedure or none at all. Keeping the session related information away from intruders is the main consideration. These kinds of attacks can be solved by applying IPSec or TLS to SIP. All messages should use HTTP digest or TLS to preserve integrity and confidentiality. The attacks can also be suppressed by using SIPS (SIP over TLS). There are many other proposals and ongoing research on how to prevent message flow attacks; one such proposal introduces a new Integrity Auth header and claims to provide integrity and authenticity security services for SIP signaling [11].

3.2 Parser Attacks


In these attacks the intruder builds a malformed message and sends it to the target; when the target receives such a malformed message it may crash or behave improperly. Parser attacks are carried out only after the intruder knows the vulnerabilities of the SIP target. The intruder can discover the capabilities of the target by spoofing a REGISTER message, and then forms the incorrect packet to attack it. The intruder usually chooses messages that the target does not support, or forms packets with extra headers and data that are not necessary for that particular message. Parser attacks result in DoS or timing delays in call handling.

3.2.1 Measures to defend Parser attacks Parser attacks are the result of implementation errors in the SIP system. The SIP parser should be robust enough to detect such malformed messages and so prevent parser attacks. Attacks using malformed messages can also be prevented by filtering and by the use of gateways. The middlebox communication approach can be used to validate the input data [12] and prevent malformed message attacks. The use of TLS and IPSec also prevents these attacks to some extent.
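As an added illustration of the robust parsing recommended above (this code is not from the paper or from any SIP implementation), the following Python validator rejects requests that are malformed in the ways described, before they reach the main parser. The required header set and the method list come from RFC 3261; the length limits, the sample INVITE and its malformed variants are constructed for this example.

```python
import re

# Headers RFC 3261 requires in every request. Compact header forms (v, f, t,
# i, m) and folded continuation lines are deliberately not accepted here.
REQUIRED_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS",
                 "UPDATE", "REFER"}
# Constructed policy limits for this example, not RFC constants.
MAX_LINE_LEN = 1024
MAX_HEADERS = 64

REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")


def validate_request(raw):
    """Return (True, None) for a well-formed request, else (False, reason).

    Rejecting at this stage keeps oversized or inconsistent messages away
    from the main SIP parser, which is where parser attacks do their damage.
    """
    if "\r\n\r\n" not in raw:
        return False, "missing header/body separator"
    head, body = raw.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method = m.group(1)
    if method not in KNOWN_METHODS:
        return False, "unsupported method " + method
    if len(lines) - 1 > MAX_HEADERS:
        return False, "too many headers"
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE_LEN:
            return False, "header line too long"
        h = HEADER_LINE.match(line)
        if not h:  # folded or garbage header line
            return False, "malformed header line"
        headers.setdefault(h.group(1).lower(), []).append(h.group(2))
    for name in REQUIRED_HEADERS:
        if name.lower() not in headers:
            return False, "missing " + name + " header"
    # CSeq must carry a number and the same method as the request line.
    cseq = headers["cseq"][0].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != method:
        return False, "CSeq does not match request"
    if "content-length" in headers:
        cl = headers["content-length"][0]
        if not cl.isdigit() or int(cl) != len(body.encode()):
            return False, "Content-Length mismatch"
    return True, None


# Constructed sample request and three malformed variants of it.
GOOD_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP pc.example.com;branch=z9hG4bK776",
    "Max-Forwards: 70",
    "From: Alice <sip:alice@example.com>;tag=1928",
    "To: Bob <sip:bob@example.com>",
    "Call-ID: a84b4c76e66710@pc.example.com",
    "CSeq: 314159 INVITE",
    "Content-Length: 0",
]) + "\r\n\r\n"
NO_VIA = GOOD_INVITE.replace(
    "Via: SIP/2.0/UDP pc.example.com;branch=z9hG4bK776\r\n", "")
BAD_CSEQ = GOOD_INVITE.replace("CSeq: 314159 INVITE", "CSeq: 314159 BYE")
OVERLONG = GOOD_INVITE.replace(
    "Max-Forwards: 70", "X-Junk: " + "A" * 2000 + "\r\nMax-Forwards: 70")

if __name__ == "__main__":
    for name, msg in [("good", GOOD_INVITE), ("no Via", NO_VIA),
                      ("bad CSeq", BAD_CSEQ), ("overlong", OVERLONG)]:
        print(name, validate_request(msg))
```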

3.3 Flooding Attack


Flooding attacks are characterized by sending a huge number of messages to a SIP server or any other SIP entity, so as to make it difficult to process these messages and eventually crash the system. Flooding attacks mainly target the resources of the SIP system, such as memory, CPU and bandwidth. They result in DoS, since the SIP system becomes unavailable for service. Flooding attacks can be carried out on any component of the SIP system and can come from multiple sources at once. Some of the flooding attacks are as follows.

3.3.1 Registrar Flooding SIP registration is a process in which a UA registers one or more IP addresses for a certain SIP URI. This kind of attack targets the registrar as its victim: intruders send numerous malformed SIP REGISTER requests to the SIP registrar, which eventually depletes the registrar's resources and results in DoS. The attack is carried out mainly to cause DoS in the SIP registrar or to guess legitimate users' credentials. Figure 4 depicts this kind of registrar flooding attack.

Fig. 4. Registration flooding and INVITE flooding attack [10].

3.3.2 SIP Proxy and UA flooding This attack targets the SIP proxy and the end user terminal. As discussed earlier in this paper, the SIP call setup begins by sending a SIP INVITE request to the end user via the proxy. In this attack the INVITE message is used to flood the SIP proxy and the end user. When an INVITE is sent by a UA to establish a call, the proxy forwards it and maintains the state of the connection until the connection is terminated. The proxy forwards the INVITE and waits for the connection to be established; after its timer expires it considers that the call cannot take place. The end user waits for the ACK message from the caller and retransmits the response message after timer expiry; since the end user has accepted the connection, it maintains state for it. The attacker generates numerous INVITE messages without waiting for the response messages. This increases the processing load at the proxy and the end user, which eventually leads to their crash. The situation can be even worse when the attacker uses long INVITE messages with additional headers.

3.3.3 Defending against flooding Attacks Detecting flooding attacks is a tedious task that has to precede defending against them. There are a few research papers on how to identify flooding attacks: cumulative sum (CUSUM) [15], Hellinger distance [14], adaptive threshold, and the upper bound of the possible number of SIP messages [17]. All these methods fix a maximum number of SIP messages as a threshold level and perform their defending operations when this threshold is reached. In addition, there are a few IDS (Intrusion Detection Systems) that can effectively identify and block flooding attacks [16].
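As an added example, not taken from the paper or from [14], this Python code applies a simplified form of the Hellinger distance detector to constructed windows of SIP message types: the proportions of INVITE, 200, ACK and BYE are learned from normal traffic, and each later window is compared against them, so an INVITE flood (many INVITEs with no matching 200/ACK/BYE) shows up as a large distance. The window contents and the alarm threshold are constructed values.

```python
import math
from collections import Counter

# Message types tracked, following the attribute set of the Hellinger
# distance detector: INVITE, 200 OK, ACK and BYE.
ATTRIBUTES = ("INVITE", "200", "ACK", "BYE")


def window_distribution(messages):
    """Fraction of each tracked attribute among the messages of one window.
    Other messages (100 Trying, 180 Ringing, ...) are ignored."""
    counts = Counter(m for m in messages if m in ATTRIBUTES)
    total = sum(counts.values())
    return {a: (counts[a] / total if total else 0.0) for a in ATTRIBUTES}


def hellinger(p, q):
    """Hellinger distance between two distributions over ATTRIBUTES,
    scaled so that it lies in [0, 1]."""
    s = sum((math.sqrt(p[a]) - math.sqrt(q[a])) ** 2 for a in ATTRIBUTES)
    return math.sqrt(s / 2.0)


def detect_floods(test_windows, train_windows, threshold):
    """Compare each test window against the training distribution.
    Returns a list of (window index, distance, alarm) tuples."""
    training = window_distribution([m for w in train_windows for m in w])
    results = []
    for i, w in enumerate(test_windows):
        if not any(m in ATTRIBUTES for m in w):
            results.append((i, 0.0, False))  # idle window: nothing to judge
            continue
        d = hellinger(training, window_distribution(w))
        results.append((i, d, d > threshold))
    return results


# Constructed sample traffic: one normal call as seen by the proxy
# (INVITE, 100, 180, 200, ACK, then BYE and its 200).
NORMAL_CALL = ["INVITE", "100", "180", "200", "ACK", "BYE", "200"]
TRAIN_WINDOWS = [NORMAL_CALL * 3, NORMAL_CALL * 2]
TEST_WINDOWS = [
    NORMAL_CALL * 4,                # ordinary traffic
    ["INVITE"] * 50 + NORMAL_CALL,  # INVITE flood alongside one real call
    [],                             # idle window
]


def demo(threshold=0.2):
    """Threshold 0.2 is a constructed value; a deployment would tune it on
    its own training traffic."""
    return detect_floods(TEST_WINDOWS, TRAIN_WINDOWS, threshold)


if __name__ == "__main__":
    for idx, dist, alarm in demo():
        print(f"window {idx}: distance={dist:.3f} alarm={alarm}")
```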
The possible counter measures that can be taken against flooding attacks are:

Monitoring and Filtering - SIP proxies have to maintain a list of suspicious users, and these can form the rules for filtering. There are a number of factors on which a user can be judged an intruder: the cause of a sudden increase in the number of server transactions, which users are often involved in broken transactions, which users send malformed messages to the server, and so on.

Authentication - SIP authentication is based on the HTTP digest method. It is a challenge-response protocol in which a nonce value is used in the challenge. Since it is nonce based, the proxy has to maintain the state of the nonce until the challenge is complete. This is a problem during flooding attacks, as memory use grows with the number of flooded messages. To prevent this, authentication has to be made stateless. Predictive nonces are used as a solution for this [13]: the nonce is calculated on the basis of the message headers, which makes it easy to recalculate the nonce when the response to the challenge arrives, so the nonce need not be stored.
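As an added example covering both the HTTP digest protection of BYE and CANCEL requests recommended in 3.1.6 and the stateless predictive nonce described above, the following Python code issues a nonce derived from the request's Call-ID and From header under a server secret, and verifies an Authorization header by recomputing that nonce instead of looking it up. The HMAC construction of the nonce is an assumption of this example, not the exact recipe of the draft [13]; the server secret, user store and nonce lifetime are constructed values, and the digest itself follows RFC 2617 without qop.

```python
import hashlib
import hmac
import time

# Constructed values for this example; a real proxy uses a random secret and
# its own user database.
SERVER_SECRET = b"constructed-demo-secret"
REALM = "example.com"
NONCE_LIFETIME = 300          # seconds a nonce stays valid
USERS = {"alice": "s3cret"}   # username -> password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def make_nonce(call_id, from_hdr, ts=None):
    """Predictive nonce: a timestamp plus an HMAC over request headers.
    The proxy stores nothing; it recomputes the nonce from the next request."""
    ts = int(time.time()) if ts is None else ts
    mac = hmac.new(SERVER_SECRET, f"{ts}:{call_id}:{from_hdr}".encode(),
                   hashlib.sha256).hexdigest()[:32]
    return f"{ts}:{mac}"


def challenge(call_id, from_hdr, ts=None):
    """Parameters of the 401/407 challenge sent for an unauthenticated request."""
    return {"realm": REALM, "nonce": make_nonce(call_id, from_hdr, ts)}


def digest_response(user, password, method, uri, nonce):
    """Client side of the RFC 2617 digest (no qop), as SIP user agents compute it."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify(method, uri, call_id, from_hdr, auth, now=None):
    """Stateless verification of an Authorization header given as a dict of
    its parameters. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    nonce = auth.get("nonce", "")
    try:
        ts = int(nonce.split(":", 1)[0])
    except ValueError:
        return False, "malformed nonce"
    # Recompute the nonce from this request's own headers: a BYE injected
    # into another dialog carries a different Call-ID/From and fails here.
    if not hmac.compare_digest(make_nonce(call_id, from_hdr, ts), nonce):
        return False, "nonce not issued for this dialog"
    if now - ts > NONCE_LIFETIME:
        return False, "stale nonce"  # bounds replay of a captured request
    user = auth.get("username")
    if user not in USERS or auth.get("realm") != REALM or auth.get("uri") != uri:
        return False, "unknown user or wrong realm/uri"
    expected = digest_response(user, USERS[user], method, uri, nonce)
    if not hmac.compare_digest(expected, auth.get("response", "")):
        return False, "bad digest"
    return True, None


if __name__ == "__main__":
    cid, frm, uri = "a84b4c76e66710@pc.example.com", "<sip:alice@example.com>;tag=1928", "sip:bob@example.com"
    ch = challenge(cid, frm)
    auth = {"username": "alice", "realm": REALM, "uri": uri, "nonce": ch["nonce"],
            "response": digest_response("alice", "s3cret", "BYE", uri, ch["nonce"])}
    print("legitimate BYE:", verify("BYE", uri, cid, frm, auth))
    print("BYE on other dialog:", verify("BYE", uri, "other@pc.example.com", frm, auth))
```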
Server Design - The server design should be made carefully by considering the following:

◦ Fast processing and parsing methods and memory allocation.
◦ Parallel processing capabilities.
◦ Non-blocking operation modes.
◦ Large memory, high speed network and fast CPUs.

3.4 Attacks on DNS (Domain Name Server)

As discussed earlier, all the components of a SIP system are vulnerable to threats. In this section we discuss some of the threats to the DNS server and how they affect SIP operation.

3.4.1 DNS Packet spoofing DNS does not provide any encryption for the requests and responses exchanged between the DNS server and the client, so attacks on this medium are much simpler. An intruder can spoof any DNS packet, and there is a fair chance of eavesdropping and spoofing a packet with erroneous data; as a result the intruder successfully delivers a wrong resolved IP address for the SIP address. The intruder can also spoof the source address of a DNS query reply, which makes the client drop the packet when it arrives. These kinds of attacks result in DoS and DNS cache poisoning. The attacker can also flood the DNS server with queries: the attacker first gains credentials, starts communicating with the DNS server and then floods it with numerous malformed requests, so that the DNS server is no longer able to service the actual client requests.

3.4.2 Defending against DNS attacks Some of the ways to defend against DNS attacks are:

◦ The DNS design should be made non-blocking, so that the SIP proxy is not blocked until it receives the DNS response; the SIP proxy stores the information and starts processing the next message in the queue.
◦ Non-blocking cache design with cache replacement policies.
◦ Threshold specification in the SIP proxy for issuing DNS queries.

3.5 Spam in SIP

Spam is defined as unsolicited messages sent for commercial marketing purposes [5]. Spam in SIP takes three forms:

◦ Call spam - unsolicited calls made by the spammer. This is the usual way used by telemarketers.
◦ IM spam - unsolicited IMs sent by the spammer, containing the information the spammer wants to convey.
◦ Presence spam - unsolicited presence (SUBSCRIBE) requests sent by the spammer to initiate other forms of communication.

Spam in SIP has not yet become as big a problem as email spam, but it needs to be controlled before it wreaks havoc.

3.5.1 Defending from Spam RFC 5039 [5] specifies several ways to control spam. They are as follows:

◦ Content filtering - Content filtering analyses the content of the message and filters it based on rules. This method can be used against IM spam.
◦ Identity based filtering - This method uses the identity of the sender as the deciding factor for filtering, and decides based on rules whether to block or accept the communication. Some of the mechanisms are blacklists, whitelists and reputation based lists.
◦ Interactive methods - Interactive methods for defending against spam make human presence mandatory. They use simple puzzle solving and other techniques.
◦ Preventive methods - These take preventive measures against spam. Spammers generally get addresses from websites and other sources. To protect the SIP address it can be embedded in an image, or provided only after an interactive method. Another way is to use temporary addresses and aliases for your address.

4 Conclusion

In this paper we discussed some of the common attacks that are possible on SIP systems. More types of attacks are possible on SIP systems, such as various kinds of DoS attacks and distributed DoS, which are very destructive as well. There are a number of research papers on these kinds of attacks and how to defend against them, but there is no common framework, or end to end framework, for securing communication in SIP systems. This makes defending against threats a difficult job. Deployed SIP systems use various test tools such as VoIP vulnerability scanners, the SIP Forum test framework, the PROTOS suite, the SIP Swiss Army Knife and others to test the existing system for vulnerabilities, and also use many intrusion detection systems and commercial enterprise solutions to make the communication secure. SIP has gained much popularity and is being used by both 3GPP and NGNs (Next Generation Networks); as a result, a good mechanism is required to provide confidentiality, integrity, AAA services and privacy.

References

1. J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley and E. Schooler, Session Initiation Protocol, RFC 3261, June 2002.
2. J. Arkko, V. Torvinen, G. Camarillo, A. Niemi and T. Haukka, Security Mechanism Agreement for the Session Initiation Protocol, RFC 3329, January 2003.
3. R. Sparks, The Session Initiation Protocol (SIP) Refer Method, RFC 3515, April 2003.
4. J. Rosenberg, The Session Initiation Protocol (SIP) UPDATE Method, RFC 3311, September 2002.
5. J. Rosenberg and C. Jennings, The Session Initiation Protocol (SIP) and Spam, RFC 5039, January 2008.
6. H. Schulzrinne and J. Rosenberg, A Comparison of SIP and H.323 for Internet Telephony, Proc. International Workshop on Network and Operating System Support for Digital Audio and Video (NOSSDAV), pp. 83-86.
7. A. Bremler-Barr and R. Halachmi-Bekel, Unregister Attacks in SIP, IEEE 2nd Workshop on Secure Network Protocols 2006, Santa Barbara, CA, November 2006.
8. X. Deng and M. Shore, Advanced Flooding Attack on a SIP Server, IEEE ARES '09 International Conference, 2009.
9. El Sawda and P. Urien, SIP Security Attacks and Solutions: A State-of-the-Art Review, IEEE Information and Communication Technologies (ICTTA '06), 2006.
10. Geneiatakis, Dagiuklas, Kambourakis, Lambrinoudakis, Gritzalis, Ehlert and Sisalem, Survey of Security Vulnerabilities in Session Initiation Protocol, IEEE Communications Surveys and Tutorials, 2006.
11. D. Geneiatakis and C. Lambrinoudakis, A Lightweight Protection Mechanism against Signaling Attacks in a SIP-based VoIP Environment, Telecommunication Systems, Vol. 36, No. 4, pp. 1018-4864, December 2007.
12. P. Srisuresh et al., Middlebox Communication Architecture and Framework, IETF RFC 3303, August 2002.
13. Using Predictive Nonces, expired Internet draft (draft-rosenberg-sip-http-pnonce-00), work in progress, IETF, June 2001.
14. H. Sengar, H. Wang, D. Wijesekera and S. Jajodia, Detecting VoIP Floods Using the Hellinger Distance, IEEE Trans. Parallel and Distributed Systems, Vol. 19, No. 6, pp. 794-805, June 2008.
15. Y. Rebahi, M. Sher and T. Magedanz, Detecting Flooding Attack against IP Multimedia Subsystem (IMS) Network, IEEE AICCSA 2008, April 2008.
16. Wu et al., SCIDIVE: A Stateful and Cross Protocol Intrusion Detection Architecture for Voice-over-IP Environments, Proc. 2004 Intl. Conf. Dependable Systems and Networks (DSN 04).
17. Jea-Tek Ryu, Byeong-Hee Roh and Ki-Yeol Ryu, Detection of SIP Flooding Attacks based on the Upper Bound of the Possible Number of SIP Messages, TIIS, Vol. 3, October 2009.
