Overloading vulnerability of VoIP networks

Internet is vulnerable to overloading caused by flash crowds and distributed denial-of-service (DDoS) attacks. Recently voice over IP (VoIP), an Internet-based service is experiencing a phenomenal growth. As its deployment spreads, VoIP systems are likely to become attack targets, of which flooding lists high, perhaps due to its simplicity and the abundance of tool support. The DDoS attacks and flash crowds degrade the performance of call processing server to the point where it becomes sluggish and even unresponsive. The network administrator´s dilemma is that how to give a differential treatment to malicious and legitimate call requests that differ in intent, but not in content. In this paper, we show that DDoS attacks and flash crowds, while similar in the message structure and the number of INVITEs they generate, exhibit different traffic patterns and hence making them distinguishable. We also introduce a new entropy-based approach to detect those DDoS attacks that masquerade as flash crowds. Our approach is based on an observation that the creation of malicious sessions has certain effects on entropy of the call durations; hence, a change in the entropy provides an important clue for mimicry attack detection. As an overloading preventive measure, we exploit the SIP protocol´s inbuilt reliability mechanism and exponential backoff timer values to regulate and distinguish legitimates call requests from the spoofed ones.