Volume 8, Issue 1, January – 2023 International Journal of Innovative Science and Research Technology

ISSN No:-2456-2165

ESOBSTEB SIP-DDoS Defense Tool: An Aggressive Defense Framework for Detecting and Countering Flood based SIP-App (D)DoS Attacks on the Internet

Madaki, S. D (1), Odachi Gabriel C (2), Joshua Joshua Tom (3), Ezekwe Chinwe G (4)

1 Computer Science Department, FCE(T) Asaba, Delta State, Nigeria
2,4 Department of Computing Sciences, Admiralty University of Nigeria, Ibusa, Delta State, Nigeria
3 Department of Cyber Security, Elizade University, Ilara Mokin, Nigeria

Abstract:- The ESOBSTEB SIP-DDoS defense tool is an internet attack defense tool with four components; the acronym "ESOBSTEB" is formed from those four components, which are: an enhanced SIP proxy server with an enhanced application layer stateless firewall, an outer attack blocking (OB) component, a service traceback architecture (STBA) and an entropy based (EB) component. The increasing usage of SIP servers for multimedia transmissions has resulted in a high and frequent experience of Distributed Denial of Service (DDoS) attacks. The drive to curb the menace caused by Distributed Denial of Service (DDoS) attacks, which are threats that have resulted in huge damage to legitimate Internet usage and civil security in the last decade, has been the objective of most network security researchers from academia, industry and also governmental organizations. This research study intends to fix this gap by first identifying and detecting Flood based SIP-App (D)DoS attacks and then creating defense mechanisms against them using the four components. The enhanced SIP proxy server updates the firewall with the IP addresses of legitimate users and alerts the firewall when a legitimate user's IP address expires and should be removed from the list. The second component of the framework, which will be deployed at the edge router, compares and examines the IP source of the incoming request against its blacklist database table and blocks it or forwards it to the next part of the framework. The third part of the framework validates whether the incoming request is launched by a human (a real web browser) or by an automated tool (a bot), and it traces back the incoming request in order to find out the true attacking IP source. The fourth part of the framework detects anomalies in SIP network traffic and differentiates whether they are high rate DDoS (HR-DDoS) attacks or flash crowd (FC) attacks. If EB classifies the incoming SIP network traffic as a high rate SIP DoS/DDoS (HR-DDoS) attack, it blocks it immediately. If EB instead classifies the incoming SIP network traffic as a flash crowd (FC), it decreases the maximum connection timeout value and decreases the maximum allowed requests per timeout, until these two values reach zero. Once the values of the timeout and the maximum allowed requests reach zero, the EB component disables the KeepAlive feature of the SIP connection. The framework will be simulated with practical experiments of the AntiDDoS_Shield system in the NS2 simulation environment.

Keywords:- ESOBSTEB SIP-DDoS Defense Tool, Enhanced SIP Proxy Server, Outer Attack Blocking (OB) Component, Service Traceback Architecture (STBA) and Entropy based (EB) Component

I. INTRODUCTION

The popularity of the internet and the sensitive information transactions processed on it have attracted the good, the bad and the ugly. The complexity and diversity of the attacks conducted on the internet have grown considerably. Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks are two of the most harmful threats to network functionality. These malicious attacks have caused tremendous loss by impairing the functionality of networks. With increased dependency on web technologies, a commensurate increase has been noted in destructive attempts to disrupt essential web technologies, leading to service failures. The increasing usage of SIP servers for multimedia transmissions has resulted in a high and frequent experience of Distributed Denial of Service (DDoS) attacks, which are able to overwhelm a web server, slowing it down and potentially taking it down completely. Some researchers also cite the need for a framework that will assist in the selection of the right training data set for analyzing the different types of attack irregularities expected in a DDoS attack (Chen et al, 2009; Modi et al, 2013).
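The EB component's decision rule from the abstract (block a window classified as HR-DDoS; for a flash crowd, step the KeepAlive timeout and the maximum requests per timeout down until both reach zero, then disable KeepAlive) is worked through below as an added example. It is not code from the paper or from the AntiDDoS_Shield system. The classifier is an assumption: the paper does not say how EB separates HR-DDoS from a flash crowd, so the example uses the normalised entropy of the source-IP distribution together with a rate threshold. All thresholds, step sizes and the sample windows are constructed.

```python
import math
from collections import Counter


def shannon_entropy_bits(counts):
    """Shannon entropy, in bits, of a collection of non-negative counts."""
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts if c > 0)


def source_entropy(source_ips):
    """Entropy of the per-source request distribution in one window,
    normalised by log2(total requests): N requests spread evenly over N
    distinct sources give 1.0, N requests from one source give 0.0."""
    total = len(source_ips)
    if total <= 1:
        return 0.0
    return shannon_entropy_bits(Counter(source_ips).values()) / math.log2(total)


def classify_window(source_ips, window_seconds, baseline_rate,
                    rate_factor=5.0, entropy_threshold=0.8):
    """Classify one observation window as 'normal', 'flash_crowd' or 'hr_ddos'.

    Heuristic used here (an assumption; the paper does not specify its
    classifier): both anomalies push the request rate well above the
    baseline; a flash crowd spreads that load over many sources (high
    normalised entropy), while a high-rate DDoS concentrates it on few
    sources (low entropy)."""
    rate = len(source_ips) / window_seconds
    if rate <= rate_factor * baseline_rate:
        return "normal"
    if source_entropy(source_ips) >= entropy_threshold:
        return "flash_crowd"
    return "hr_ddos"


class KeepAlivePolicy:
    """Flash-crowd response from the abstract: each time a window is
    classified as a flash crowd, lower the connection timeout and the
    maximum requests allowed per timeout; once both reach zero, disable
    SIP KeepAlive. Initial values and step sizes are assumptions."""

    def __init__(self, timeout_s=30, max_requests=100,
                 timeout_step=10, request_step=25):
        self.timeout_s = timeout_s
        self.max_requests = max_requests
        self.timeout_step = timeout_step
        self.request_step = request_step
        self.keepalive_enabled = True

    def step_down(self):
        """Apply one decrease step; returns (timeout, max_requests, keepalive)."""
        self.timeout_s = max(0, self.timeout_s - self.timeout_step)
        self.max_requests = max(0, self.max_requests - self.request_step)
        if self.timeout_s == 0 and self.max_requests == 0:
            self.keepalive_enabled = False
        return self.timeout_s, self.max_requests, self.keepalive_enabled


def eb_decide(source_ips, window_seconds, baseline_rate, policy):
    """EB decision for one window: block HR-DDoS outright, throttle a flash
    crowd by tightening KeepAlive, otherwise allow."""
    verdict = classify_window(source_ips, window_seconds, baseline_rate)
    if verdict == "hr_ddos":
        return "block"
    if verdict == "flash_crowd":
        policy.step_down()
        return "throttle"
    return "allow"


# Constructed 10-second sample windows (not measurements from the paper);
# the baseline is 1 request/s.
NORMAL_WINDOW = [f"10.0.0.{i}" for i in range(1, 21)]          # 20 sources, 1 request each
FLASH_CROWD_WINDOW = [f"10.1.0.{i}" for i in range(100)] * 2   # 100 sources, 2 requests each
HR_DDOS_WINDOW = ["192.0.2.10"] * 100 + ["192.0.2.11"] * 100   # 2 sources, 100 requests each

if __name__ == "__main__":
    policy = KeepAlivePolicy()
    for name, window in (("normal", NORMAL_WINDOW),
                         ("flash crowd", FLASH_CROWD_WINDOW),
                         ("HR-DDoS", HR_DDOS_WINDOW)):
        verdict = classify_window(window, 10, 1.0)
        action = eb_decide(window, 10, 1.0, policy)
        print(f"{name:12s} entropy={source_entropy(window):.2f} "
              f"verdict={verdict} action={action}")
```

The entropy test on its own is not sufficient in the presence of address spoofing: a flood from many forged sources also produces a high-entropy window and would be mistaken for a flash crowd. That is the gap the framework's trace-back component is meant to close by establishing the true attacking source before the OB component acts, so a deployment should feed EB's verdict into STBA rather than block or throttle on entropy alone.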

IJISRT23JAN987 www.ijisrt.com 2532


II. RELATED LITERATURE

Over the years, several detection and mitigation techniques have been proposed by researchers to counter VoIP DDoS attacks. One of them is the wavelet approach (Li and Li, 2009), which mainly detects DoS attacks; it does not scan signatures and depends on the statistical traffic pattern before detection. It provides lower efficiency in attack detection and is also influenced by the choice of wavelet basis functions. Entropy based approaches detect DoS/DDoS attacks; they do not scan signatures and are more efficient, but they are slow (Tritilanunt et al., 2010). Another major problem with the entropy method is that an attacker who knows the detection strategy can modify the attack method. The sketch and Hellinger distance approach both detects and prevents DoS/DDoS attacks; with this method the attack traffic is scanned for signatures. This method is less efficient, slow and cannot accurately detect attacks (Tang et al., 2012). The Sunshine framework both detects and prevents DoS/DDoS attacks. It scans signatures; its detection time is moderate and it is more efficient (Tang et al., 2012; Hoffstadt et al., 2014). The Recurrence Quantification based approach mainly detects DoS/DDoS attacks but does not scan signatures. Its attack detection and mitigation time is slow, with lower accuracy. Furthermore, this method involves a more complicated framework (Jeyanthi et al., 2014). Evidently, the shortfalls of the different approaches to countering SIP-App-DDoS attacks still allow the attacks to grow rapidly, become harder to detect and cause severe problems in accessing a particular on-line service.

SIP (Session Initiation Protocol) is an application layer protocol which creates, modifies and terminates sessions in VoIP communications (see figure 1). VoIP is a new generation international calling system with video and multimedia file access along with voice calling (Sambath et al. 2016). In a typical SIP session, SIP handles the session initiation, call parameters etc.; next, RTP (Real-time Transport Protocol) encodes the voice signal into digital voice data and sends it over the network using TCP, UDP or some other protocol that runs on top of IP. Making calls to a regular telephone requires a special gateway that connects the VoIP traffic to the regular phone network.

In a DDoS attack, the various layers of the OSI model come into play, but special emphasis is laid upon the seventh layer, the application layer. The seventh layer, which enables programs such as web browsers, email services and photo applications to send network communications, is a main target for DDoS attacks because it holds the protocols that directly serve users (e.g., HTTP, FTP, IMAP, Telnet, SMTP/POP, IRC, XMPP, SSH etc.) and the support protocols that underpin various system functions (e.g., DNS, SNMP, BOOTP/DHCP, TLS/SSL, SIP, RTP, NTP etc.). These security threats have not spared SIP servers and the VoIP environment.

In recent times, there have been reported DDoS attacks on end users of computer systems. DDoS attacks are usually performed by a group (network) of computers acting together to flood the servers of end users with a huge number of illegitimate packet requests which the server cannot handle, hence leading to denial of service. In a typical DoS attack scenario there are usually three parties: the attacker, the zombie and the victim. The attacker is the computer that issues commands ordering the zombie, which is a compromised computer, to start the DoS attack. The zombie then starts the DoS attack by sending a tremendous number of packets to the victim, which is the computer that provides services to the users.

Fig 1 SIP Architecture for VoIP (Source: Sambath et al. 2016)


Radware (2014) claimed that in 2011 application layer attacks were prevalent, for 46 % of cyber attacks were at the network level while 56% were targeted at applications. Within application layer attacks, SIP was 2%, SMTP (9%), HTTPS (13%), HTTP (21%) and DNS (9%). In 2012, Prolexic's annual report mentioned a 42.97 % growth in layer seven DDoS attacks. Later, quarterly reports by Prolexic show a definite tendency of increasing popularity, particularly of SIP DDoS attacks, in the period from April 2012 to June 2013.

III. PROBLEM DEFINITION

• The quest to counter SIP-App-DDoS attacks continues to look discouraging despite the enormous research that has been undertaken, for there is no standardized framework that will act as a yardstick for the design of an efficient defense against SIP-App-DoS attacks within acknowledged environmental factors.
• Some researchers use an Intrusion Detection approach that already gives a wrong description of the nature of SIP-App-DDoS attacks, for this approach does not enable all malformed messages to be discarded before they reach the destination. Others use SNORT, which cannot detect new anomalies.
• Using Entropy Detection Schemes has enabled attackers to identify the detection strategies.
• Volume-based techniques can only detect high volume traffic, which may come from legitimate users, and they neglect short-term DoS attacks. Huge volumetric traffic delivered by legitimate users to the server cannot be distinguished from the higher traffic of bogus messages delivered by the attackers.
• Approaches using an anomaly-based scheme provide only a small number of detection rules, such as detecting orphan RTP flows and verifying the IP source address. To enhance the anomaly approach, there is a need for a framework that formulates rules for stateful detection on SIP.
• There is no specific framework that guides researchers into building systems within the SNORT domain that use the source SIP addresses to profile traffic, thus detecting the flooding attacks and identifying the offending SIP messages efficiently.
• It is evident that existing techniques are insufficient in curbing SIP-App-DDoS attacks. Presently, there exists no framework with the corpus of parameters or metrics for defining the comprehensive nature of SIP-App-DDoS attacks that would enhance detection.

IV. RESEARCH OBJECTIVES

• The framework will comprise four component parts for preventing, detecting and countering SIP DoS/DDoS flooding attacks.
• The first component of the framework would consist of a security enhanced SIP proxy server and an enhanced application layer stateless firewall, so that both the firewall and the SIP server maintain the addresses of known (legitimate) users in order to give them priority handling.
• The second part of the framework will be an outer attack blocking (OB) component, which would be deployed at the edge router, since it is the nearest point to the attacking IP source. It will first compare and examine the IP source of the incoming request against its blacklist database table and block it or forward it to the next part of the framework.
• The third part of the framework is a service traceback oriented architecture (STBOA) component that would be designed to validate whether the incoming request is launched by a human (a real web browser) or by an automated tool (a bot).
• The fourth part of the framework shall be an entropy based (EB) component, which would be employed to detect anomalies in SIP network traffic and to differentiate whether they are high rate DDoS (HR-DDoS) attacks or flash crowd (FC) attacks.
• The framework would be evaluated using simulation of practical experiments of the AntiDDoS_Shield system, which would be developed based on the framework, and analysis of the corresponding experimental results. The simulation environment will be constructed using virtualization technology to include all of the needed vectors and players.
• The Quagga and iproute2 routing suites would be employed on the edge router at the entrance of the network. The main objective of these two tools is to permit or deny routing of network traffic into and out of the network.

V. THE PROPOSED DEFENSE FRAMEWORK FOR COUNTERING FLOOD BASED SIP-APP (D)DOS ATTACK

The defense framework for countering Flood based SIP-App (D)DoS attacks will be a traffic volume limit based defense framework. We will explain the framework further through its operational architecture, its traffic volume architecture and its conceptual architecture.

• Operational Architecture of Framework for Countering Flood based SIP-App (D)DoS Attack

As shown in figure 2, the framework has two active domains, which are the core network and the edge networks. A core network usually consists of high-speed core routers; this is the backbone of the network, which is in charge of transferring traffic among multiple edge networks (this architecture has four edge networks). The edge network is the second domain, which connects to the core network through edge routers. Figure 1 shows that our Flood based SIP-App (D)DoS defense system is deployed in each edge router of the protected network. Whenever distributed denial of service (DDoS) attack traffic is being transmitted across the edge network towards the victims, the defense system in the victim-end edge network can easily detect the attack, because attack traffic creates a larger set of anomalies at the victim end than at the source ends, but it is impossible for the defense system to react to the attacks in the victim-end edge network when the attacks are heavy. From the traffic volume architecture (figure 2) and the conceptual architecture of the framework (figure 3), we proposed a second line of action with a defense system in the source-end edge networks to react to the attacks. In our framework, the detection of and response to DDoS attacks happen at the source-end edge routers. The source-end edge router has enough resources, with relatively low traffic. The traffic volume based DDoS detection techniques detect DDoS attacks in the victim-end edge network by recognizing anomalous changes of average traffic volumes at the victims' edge routers. The two architectures show more of the activities of the defense framework.

Fig 2 Operational Architecture of Framework for Countering Flood based SIP-App (D)DoS

• Traffic Volume Architecture of Framework for Countering Flood based SIP-App (D)DoS

Figure 3 illustrates the overall operation of the defense in the event of a Flood based SIP-App DDoS attack. It has a victim-end and a source-end part of the defense. It also has four activities at the victim end, which are: the action of detecting a flood based attack, the action of observing the aggressive network, the action of observing the stable network and the action of detecting the end of a flood based attack. The alert messages between a victim end and a source end are of three types: Request messages, Update messages and Cancel messages. These messages are used in different phases of defeating a Flood based SIP-App DDoS attack. At the beginning of an attack, a request message from a victim end will provide a suggested traffic rate limit value to a source end (the source end has four network actions, which are: the action for setting up the traffic rate limit, the action for decreasing the traffic rate limit, the action for increasing the traffic rate limit and the action for canceling the traffic rate limit). When the volume of attack traffic increases aggressively, an update message will be sent to the source end again to decrease the traffic rate limit value. Based on this message, the source-end defense system will decrease the traffic rate limit value exponentially. After the traffic rate at the victim end has returned to normal for a while, an update message will be sent to the source end asking it to increase the rate limit value linearly. Finally, if the defense system has not found any anomalous changes at the victim end since the update message was sent, a cancel message will be sent to the source end to remove the traffic rate limit at that point.
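The Request / Update / Cancel exchange between the victim end and the source end described above, carried through as an added example that is not part of the paper: the victim-end monitor watches the per-window request rate at its edge router and emits the three message types, and the source-end limiter installs the suggested limit, halves it on a decrease update, raises it by a fixed step on an increase update and drops it on cancel. The trigger rules at the victim end (threshold, surge factor, number of stable windows), the halving factor and the linear step at the source end, and the scenario rates are all assumptions; the paper fixes none of them.

```python
class SourceEndRateLimiter:
    """Source-end side of the traffic volume architecture. Holds the rate
    limit (requests/s) applied to traffic sent toward the victim and changes
    it only in response to victim-end messages. The halving factor and the
    linear step are assumptions."""

    def __init__(self, decrease_factor=0.5, increase_step=200.0):
        self.decrease_factor = decrease_factor
        self.increase_step = increase_step
        self.limit = None  # None: no rate limit installed

    def handle(self, msg):
        """Apply one victim-end message; returns the limit now in force."""
        kind = msg["type"]
        if kind == "REQUEST":                          # set up the rate limit
            self.limit = float(msg["suggested_limit"])
        elif kind == "UPDATE" and self.limit is not None:
            if msg["direction"] == "decrease":         # exponential decrease
                self.limit *= self.decrease_factor
            elif msg["direction"] == "increase":       # linear increase
                self.limit += self.increase_step
        elif kind == "CANCEL":                         # remove the rate limit
            self.limit = None
        return self.limit

    def admit(self, offered_rate):
        """Rate actually forwarded toward the victim."""
        return offered_rate if self.limit is None else min(offered_rate, self.limit)


class VictimEndMonitor:
    """Victim-end side: watches the per-window request rate at the victim's
    edge router and emits Request / Update / Cancel messages.
    threshold, stable_windows and surge_factor are assumed tuning values."""

    def __init__(self, threshold, stable_windows=3, surge_factor=1.5):
        self.threshold = threshold
        self.stable_windows = stable_windows
        self.surge_factor = surge_factor
        self.limit_active = False
        self.increase_sent = False
        self.normal_streak = 0
        self.last_rate = None

    def observe(self, rate):
        """Return the message to send for this window, or None."""
        msg = None
        if rate > self.threshold:                      # flood detected
            self.normal_streak = 0
            self.increase_sent = False
            if not self.limit_active:
                msg = {"type": "REQUEST", "suggested_limit": self.threshold}
                self.limit_active = True
            elif self.last_rate is not None and rate > self.surge_factor * self.last_rate:
                msg = {"type": "UPDATE", "direction": "decrease"}   # aggressive growth
        elif self.limit_active:                        # rate back below threshold
            self.normal_streak += 1
            if self.normal_streak == self.stable_windows:
                msg = {"type": "UPDATE", "direction": "increase"}   # normal for a while
                self.increase_sent = True
            elif self.increase_sent and self.normal_streak >= 2 * self.stable_windows:
                msg = {"type": "CANCEL"}               # nothing anomalous since the update
                self.limit_active = False
                self.increase_sent = False
                self.normal_streak = 0
        self.last_rate = rate
        return msg


def run_scenario(rates, threshold=1000.0):
    """Couple a victim-end monitor with a source-end limiter over a sequence
    of per-window rates; returns (rate, message type, limit) per window."""
    monitor = VictimEndMonitor(threshold)
    limiter = SourceEndRateLimiter()
    trace = []
    for rate in rates:
        msg = monitor.observe(rate)
        if msg is not None:
            limiter.handle(msg)
        trace.append((rate, None if msg is None else msg["type"], limiter.limit))
    return trace


# Constructed per-window request rates (requests/s) observed at the victim end.
SCENARIO_RATES = [500, 800, 5000, 9000, 9500, 700, 600, 650, 500, 550, 600, 400]

if __name__ == "__main__":
    for rate, msg, limit in run_scenario(SCENARIO_RATES):
        print(f"rate={rate:5d}  msg={msg or '-':8s}  limit={limit}")
```

Because the limit is only ever changed by a message from the victim end, the source-end router needs no view of the victim's traffic; what it does need is an authenticated channel for those messages, since a forged Cancel would lift the limit in the middle of an attack.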


Fig 3 Traffic Volume Architecture of Framework for Countering Flood based SIP-App (D)DoS

• Conceptual Architecture of Framework for Countering Flood based SIP-App (D)DoS

The conceptual architecture is shown in figure 4. This architecture has four components at the two active ends, which are:

• The SIP proxy server and the stateless firewall,
• The outer attack blocking component,
• The service trace back architecture and
• The entropy based component.

These four components of the defense system are found in both the victim-end defense system and the source-end defense system. The entropy based (EB) component of the framework would be employed to detect anomalies in SIP network traffic and to differentiate whether they are high rate DDoS attacks or flash crowd (FC) attacks. After analyzing the information from a victim edge router (Router 2), the detection component will report the ongoing DDoS attack to the service trace back component.


Fig 4 Conceptual Architecture of Framework for Countering Flood based SIP-App (D)DoS

The service trace back component implements the Fast Internet Traceback technique: by grouping enough packets from the source edge router (Router 1), the trace back component will also obtain the IP address of Router 1. The recorded IP address of Router 1 will be sent to the outer attack blocking (OB) component of the framework, which has been deployed at edge router 2, since it is the nearest point to the attacking IP source. It will first compare and examine the IP source of the incoming request against its blacklist database table. Then it blocks the request or forwards it to the next part of the framework (the SIP proxy server), based on whether the incoming request's IP source is listed in the blacklist database table at the edge router or not. If the IP source of the incoming request is not listed in the blacklist database table, it forwards the request to the next part of the framework. Otherwise, if it is listed in the blacklist database table, the OB component blocks it immediately, and a host unreachable message is sent to the caller. This layer provides a helpful service to the web server for all blocking processes. Finally, an alert message which carries attack information and traffic rate limits is sent to the source-end defense system. Based on this information, the service trace back control components at the source end set up the traffic rate limit for the traffic sent to the victim at Router 2. To drop all attack packets, the entropy based components will be triggered in the source-end edge network after receiving an alert message from the defense system of the victim-end edge network, to filter all malicious traffic. The conceptual architecture of the framework for countering Flood based SIP-App (D)DoS demonstrates the detection of and response to Flood based SIP-App (D)DoS and the interaction of the internet with the four components of the framework.

VI. CONCLUSION

This research work will provide insight towards the development of an aggressive defense framework for detecting and countering Flood based SIP-App (D)DoS attacks on the internet, a framework that identifies and determines the corpus of parameters in a DDoS detection algorithm and will assist security researchers in designing preventive algorithms that are robust in nature in protecting systems and curbing attacks before they occur. It provides a novel alternative protective framework to protect web applications from all sorts of SIP-App DDoS attacks, such as high rate DDoS (HR-DDoS) and flash crowd (FC). In addition, it is quite able to validate and trace back the real attacking IP sources and block them at the edge router by the outer attack blocking component.
all attack packets, the entropy based components will be

REFERENCES

[1]. Chen, R.-C., Cheng, K.-F., Chen, Y.-H., & Hsieh, C.-F. (2009). Using rough set and support vector machine for network intrusion detection system. First Asian Conference on Intelligent Information and Database Systems, April 1–3. IEEE. doi:10.1109/ACIIDS.2009.59
[2]. Li M and Li M (2009). A new approach for detecting DDoS attacks based on wavelet analysis. 2nd IEEE International Congress on Image and Signal Processing (CISP '09): 1-5. https://doi.org/10.1109/CISP.2009.5300903
[3]. Hoffstadt D, Rathgeb E, Liebig M, Meister R, Rebahi Y and Thanh TQ (2014). A comprehensive framework for detecting and preventing VoIP fraud and misuse. IEEE International Conference on Computing, Networking and Communications (ICNC): 807-813. https://doi.org/10.1109/ICCNC.2014.6785441
[4]. Jeyanthi N, Thandeeswaran R and Vinithra J (2014). RQA based approach to detect and prevent DDoS attacks in VoIP networks. Cybernetics and Information Technologies, 14(1): 11-24.
[5]. Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., and Rajarajan, M. (2013). A survey of intrusion detection techniques in cloud. Journal of Network and Computer Applications, 36(1), 42–57.
[6]. Prolexic. (2013). Quarterly Global DDoS Attack Report Q3 2013. Hollywood: Prolexic.
[7]. Prolexic. (2014). Quarterly Global DDoS Attack Report Q1 2014. Hollywood: Prolexic.
[8]. Radware (2014). Defense Flow – SDN Based Network DDoS, Application DoS and APT Protection. Available at: http://www.radware.com/Solutions/SDN/
[9]. Sambath N., Selvakumar M. and Yu-Beng L. (2016). DDoS attacks in VoIP: a brief review of detection and mitigation techniques. International Journal of Advanced and Applied Sciences, 3(9): 90-96.
[10]. Tang J, Cheng Y and Hao Y (2012, March). Detection and prevention of SIP flooding attacks in voice over IP networks. The 2012 IEEE Proceedings.
[11]. Tritilanunt S, Sivakorn S, Juengjincharoen C and Siripornpisan A (2010). Entropy-based input-output traffic mode detection scheme for DoS/DDoS attacks. 2010 IEEE International Symposium on Communications and Information Technologies (ISCIT): 804-809. https://doi.org/10.1109/ISCIT.2010.5665097
