System and method for testing network firewall for denial-of-service (DoS) detection and prevention in signaling channel

US 8,635,693 B2
Filed: 02/08/2012
Issued: 01/21/2014
Est. Priority Date: 06/29/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method comprising:

transmitting Session Initiation Protocol (SIP) request messages to a SIP proxy device,wherein transmitting the SIP request messages includes transmitting, during a first time period, non-attack SIP request messages and simulated attack SIP request messages,wherein the non-attack SIP request messages are for establishing communication sessions through a network perimeter protection device and wherein the simulated attack SIP request messages include simulated spoofed source network addresses;

authenticating, during a first portion of the first time period and during a second portion of the first time period different than the first portion, the SIP request messages, wherein authenticating the SIP request messages includes determining which of the SIP request messages do not include spoofed source network addresses;

blocking, during the first portion of the first time period but not during the second portion of the first time period, unauthenticated SIP request messages having a source address from which a SIP request message was already received;

measuring, by a processor, a first performance associated with the SIP proxy device during the first portion of the first time period while authenticating and blocking; and

measuring, by the processor, a second performance associated with the SIP proxy device during the second portion of the first time period while authenticating and not blocking.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may measure a first performance, associated with legitimate traffic without attack traffic, of a Session Initiation Protocol (SIP)-based protection device implementing authentication; measure a second performance, associated with legitimate traffic and attack traffic, of the SIP-based protection device implementing authentication; and measure a third performance, associated with legitimate traffic and attack traffic, of the SIP-based protection device implementing authentication and return routability filtering. The device may also measure a first performance associated with legitimate traffic of a Session Initiation Protocol (SIP)-based protection device implementing rate-limiting filtering; measure a second performance associated with legitimate traffic and attack traffic of the SIP-based protection device implementing scheme filtering; and measure a third performance associated with legitimate traffic of the SIP-based protection device not implementing rate-limiting filtering without attack traffic.

91 Citations

View as Search Results

21 Claims

1. A computer-implemented method comprising:
- transmitting Session Initiation Protocol (SIP) request messages to a SIP proxy device,wherein transmitting the SIP request messages includes transmitting, during a first time period, non-attack SIP request messages and simulated attack SIP request messages,wherein the non-attack SIP request messages are for establishing communication sessions through a network perimeter protection device and wherein the simulated attack SIP request messages include simulated spoofed source network addresses;
  
  authenticating, during a first portion of the first time period and during a second portion of the first time period different than the first portion, the SIP request messages, wherein authenticating the SIP request messages includes determining which of the SIP request messages do not include spoofed source network addresses;
  
  blocking, during the first portion of the first time period but not during the second portion of the first time period, unauthenticated SIP request messages having a source address from which a SIP request message was already received;
  
  measuring, by a processor, a first performance associated with the SIP proxy device during the first portion of the first time period while authenticating and blocking; and
  
  measuring, by the processor, a second performance associated with the SIP proxy device during the second portion of the first time period while authenticating and not blocking.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein measuring the first performance or measuring the second performance includes increasing a rate of transmitting the SIP request messages until the SIP proxy cannot establish additional sessions as a result of the SIP proxy being overloaded.
  - 3. The computer-implemented method of claim 1, wherein measuring the first performance or measuring the second performance includes increasing a rate of transmitting the SIP request messages until the SIP proxy cannot establish additional sessions because the SIP proxy is overloaded as a result of the SIP proxy determining which of the SIP request messages do not include spoofed source addresses or as a result of the SIP proxy not being able to process the SIP request messages.
  - 4. The computer-implemented method of claim 1, wherein measuring the first performance or measuring the second performance includes increasing a rate of transmitting the SIP request messages until the network perimeter protection device cannot filter and forward packets at a predetermined rate.
  - 5. The computer-implemented method of claim 1,wherein transmitting the SIP request messages includes transmitting, during a second time period different than the first time period, the non-attack SIP request messages while not transmitting the simulated attack SIP request messages, wherein the method further comprises:
    - authenticating, during the second time period, the SIP request messages, wherein authenticating the SIP request messages includes determining which of the SIP request messages do not include spoofed source network addresses; and
      
      measuring, by the processor, a third performance associated with the SIP proxy device during the second time period while authenticating.
  - 6. The computer-implemented method of claim 5, wherein transmitting the SIP request messages includes transmitting, during a third time period different than the first time period and the second time period, the non-attack SIP request messages while not transmitting the simulated attack SIP request messages, wherein the method further comprises:
    - authenticating, during the third time period, the SIP request messages while not blocking unauthenticated SIP request messages having a source address from which a SIP request message was already received, wherein authenticating the SIP request messages includes determining which of the SIP request messages do not include spoofed source network addresses; and
      
      measuring, by the processor, a fourth performance associated with the network perimeter protection device during the third time period.
  - 7. The computer-implemented method of claim 1, further comprising:
    - determining a number of blocked non-attack SIP request messages; and
      
      determining a value indicative of a false positive rate based on the number of blocked non-attack SIP request messages and the first performance.
  - 8. The computer-implemented method of claim 1, further comprising:
    - determining a number of simulated attack SIP request messages not blocked; and
      
      determining a value indicative of a detection rate based on the number of simulated attack SIP request messages not blocked and the first performance.

9. A computer-implemented method comprising:
- transmitting Session Initiation Protocol (SIP) messages to a SIP proxy device,wherein transmitting the SIP messages includes transmitting, during a first time period, non-attack SIP request messages and simulated attack SIP messages, and transmitting, during a second time period different than the first time period, the non-attack SIP request messages without the simulated attack SIP messages,wherein the non-attack SIP request messages are for establishing communication sessions through a network perimeter protection device and wherein the simulated attack SIP messages include a flood of out-of-state SIP messages;
  
  rate-limit filtering, during both the first time period and the second time period, the SIP messages, wherein rate-limit filtering includes limiting a number of SIP request or response messages to a particular rate;
  
  measuring, by a processor, a first performance associated with the SIP proxy device during the first time period while rate-limit filtering; and
  
  measuring, by the processor, a second performance associated with the SIP proxy device during the second time period while rate-limit filtering.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-implemented method of claim 9, wherein transmitting SIP messages includes transmitting, during a third time period different than the first time period and the second time period, the non-attack SIP request messages without the simulated attack SIP messages, the method further comprising:
    - measuring, by the processor, a third performance associated with the SIP proxy device during the third time period while not performing rate-limit filtering.
  - 11. The computer-implemented method of claim 10, wherein transmitting SIP messages includes transmitting, during a fourth time period different than the first time period, the second time period, and the third time period, both the non-attack SIP request messages and the simulated attack SIP messages, the method further comprising:
    - measuring, by the processor, a fourth performance associated with the SIP proxy device during the fourth time period while not performing rate-limit filtering.
  - 12. The computer-implemented method of claim 9, further comprising:
    - determining a number of non-attack SIP request messages blocked by rate-limit filtering; and
      
      determining a value indicative of a false positive rate based on the number of non-attack SIP request messages blocked and the first performance.
  - 13. The computer-implemented method of claim 9, further comprising:
    - determining a number of simulated attack SIP messages not blocked by rate-limit filtering; and
      
      determining a value indicative of a detection rate based on the number of simulated attack SIP messages not blocked and the first performance.
  - 14. The computer-implemented method of claim 9, wherein measuring the first performance or measuring the second performance includes increasing a rate of transmitting the SIP messages until the SIP proxy cannot establish additional sessions as a result of the SIP proxy being overloaded.
  - 15. The computer-implemented method of claim 9, wherein measuring the first performance or measuring the second performance includes increasing a rate of transmitting the SIP messages until the SIP proxy cannot establish additional sessions as a result of a processor in the SIP proxy not being able to process the SIP messages.
  - 16. The computer-implemented method of claim 9, wherein measuring the first performance or measuring the second performance includes increasing a rate of transmitting the SIP messages until the network perimeter protection device cannot filter and forward packets at a predetermined rate.

17. A system comprising:
- a transmitter to transmit Session Initiation Protocol (SIP) request messages to a SIP proxy device,wherein the transmitter transmits, during a first time period, non-attack SIP request messages and simulated attack SIP request messages, wherein the non-attack SIP request messages are for establishing communication sessions through a network perimeter protection device and wherein the simulated attack SIP request messages include simulated spoofed source network addresses; and
  
  a processor to authenticate, during a first portion of the first time period and during a second portion of the first time period different than the first portion, the SIP request messages, wherein the processor determines which of the SIP request messages do not include spoofed source network addresses;
  
  wherein the processor is configured to determine to block, during the first portion of the first time period but not during the second portion of the first time period, unauthenticated SIP request messages having a source address from which a SIP request message was already received;
  
  wherein the processor is configured to measure a first performance associated with the SIP proxy device during the first portion of the first time period while authenticating and blocking, and to measure a second performance associated with the SIP proxy device during the second portion of the first time period while authenticating and not blocking.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system of claim 17, wherein the transmitter is configured to increase a rate of transmitting the SIP request messages, and wherein the processor is configured to measure the first performance or the second performance based on the SIP proxy not being able to establish additional sessions as a result of the SIP proxy being overloaded.
  - 19. The system of claim 17, wherein the transmitter is configured to increase a rate of transmitting the SIP request messages, and wherein the processor is configured to measure the first performance or the second performance based on the SIP proxy not being able to establish additional sessions because the processor is overloaded as a result of the processor determining which of the SIP request messages do not include spoofed source addresses or as a result of the processor not being able to process the SIP request messages.
  - 20. The system of claim 17, wherein the transmitter is configured to transmit, during a second time period different than the first time period, the non-attack SIP request messages while not transmitting the simulated attack SIP request messages,wherein the processor is configured to authenticate, during the second time period, the SIP request messages, wherein the processor determines which of the SIP request messages do not include spoofed source network addresses;
    - andwherein the processor is configured to measure a third performance associated with the SIP proxy device during the second time period.
  - 21. The system of claim 20, wherein the transmitter is configured to transmit, during a third time period different than the first time period and the second time period, the non-attack SIP request messages while not transmitting the simulated attack SIP request messages,wherein the processor is configured authenticates, during the third time period, the SIP request messages while not blocking unauthenticated SIP request messages having a source address from which a SIP request message was already received, wherein the processor authenticates by determining which of the SIP request messages do not include spoofed source network addresses;
    - andwherein the processor measures a fourth performance associated with the network perimeter protection device during the third time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Ormazabal, Gaston S., Schulzrinne, Henning G., Nagpal, Sarvesh, Yardeni, Eilon
Primary Examiner(s)
Hailu, Teshome

Application Number

US13/368,858
Publication Number

US 20120137357A1
Time in Patent Office

713 Days
Field of Search

726/11, 726/22, 713/153
US Class Current

726/22
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/08   for authentication of entit...

H04L 63/1458   Denial of Service

H04L 65/1079   of unsolicited session atte...

H04L 65/1104   Session initiation protocol...

System and method for testing network firewall for denial-of-service (DoS) detection and prevention in signaling channel

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

91 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

System and method for testing network firewall for denial-of-service (DoS) detection and prevention in signaling channel

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others