A novel design of a VoIP firewall proxy to mitigate SIP-based flooding attacks

This paper proposes a novel method to address the protection necessary to mitigate flooding attacks in VoIP networks which can produce rapid saturation of a firewall and crippling of a VoIP switch. The paper proposes a stateless firewall nonce checking mechanism as an extension to the existing (stateful) SIP digest authentication. This combination aims to form a more secure and flood-resistant authentication scheme for SIP-based VoIP systems. The proposed mechanism has been implemented on a Linux iptables firewall and the experimental results demonstrate proof-of-concept showing that by incorporating this mechanism it is possible to provide substantially improved SIP-based flooding mitigation. Copyright © 2008, Inderscience Publishers.