Prevention of denial of service (DoS) attacks on session initiation protocol (SIP)-based systems using return routability check filtering

US 8,966,619 B2
Filed: 11/08/2006
Issued: 02/24/2015
Est. Priority Date: 11/08/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an attack on a Session Initiation Protocol (SIP)-based device; and

applying a return routability check filter to the attack, wherein applying the return routability check filter includes;

receiving a first SIP request message from a source;

storing, in a content-addressable memory (CAM) table, an identifier of the source indicated in the first SIP request message;

transmitting a challenge to the source to authenticate the source;

receiving additional SIP request messages;

determining, for each of the additional SIP request messages, if the CAM table includes an entry that matches an identifier of the corresponding additional SIP request message;

determining, for each of the additional SIP request messages that includes an identifier that matches an entry in the CAM table, if the corresponding additional SIP request message includes a correct response to the challenge;

blocking the additional SIP request messages that include an identifier that matches an entry in the CAM table and do not include the correct response to the challenge; and

removing the identifier of the source from the CAM table when one of the additional SIP request messages includes an identifier that matches an entry in the CAM table and includes the correct response to the challenge.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device receives an attack on a Session Initiation Protocol (SIP)-based device, determines a type of the attack, and applies, based on the determined type of the attack, a return routability check filter to the attack.

88 Citations

View as Search Results

22 Claims

1. A method comprising:
- receiving an attack on a Session Initiation Protocol (SIP)-based device; and
  
  applying a return routability check filter to the attack, wherein applying the return routability check filter includes;
  
  receiving a first SIP request message from a source;
  
  storing, in a content-addressable memory (CAM) table, an identifier of the source indicated in the first SIP request message;
  
  transmitting a challenge to the source to authenticate the source;
  
  receiving additional SIP request messages;
  
  determining, for each of the additional SIP request messages, if the CAM table includes an entry that matches an identifier of the corresponding additional SIP request message;
  
  determining, for each of the additional SIP request messages that includes an identifier that matches an entry in the CAM table, if the corresponding additional SIP request message includes a correct response to the challenge;
  
  blocking the additional SIP request messages that include an identifier that matches an entry in the CAM table and do not include the correct response to the challenge; and
  
  removing the identifier of the source from the CAM table when one of the additional SIP request messages includes an identifier that matches an entry in the CAM table and includes the correct response to the challenge.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the identifier of the source is an internet protocol (IP) address and the identifier of each of the additional SIP request messages is an IP address.
  - 3. The method of claim 1, wherein the identifier of the source is a from-URI and the identifier of each of the additional SIP request messages is a from-URI.
  - 4. The method of claim 1, wherein applying a return routability check filter includes:
    - using a SIP digest authentication to challenge the source.
  - 5. The method of claim 1, wherein applying the return routability check filter further includes:
    - removing the identifier of the source from the CAM table after a time period if none of the additional SIP request messages includes the correct response to the challenge.
  - 6. The method of claim 5, further comprising:
    - blocking incoming emergency calls that specify identical location information at a substantially identical time interval;
      
      blocking incoming emergency calls that originate at an identical source IP address at a given time interval;
      
      orblocking incoming emergency calls coming from unauthorized subnets that do not match a pre-configured location of a protected network.
  - 7. The method of claim 5, wherein blocking the additional SIP request messages includes preventing a forwarding of the additional SIP request messages to a SIP proxy or server to reduce a load on the SIP proxy or server.
  - 8. The method of claim 1,wherein the first SIP request message includes an INVITE message and the additional SIP request messages include additional INVITE messages;
    - andwherein blocking the additional SIP request messages includes dropping the additional INVITE messages.

9. A system comprising:
- a Session Initiation Protocol (SIP) proxy or server; and
  
  a firewall to receive an attack on the SIP proxy or server and to apply a return routability check filter to the attack, the firewall including;
  
  a receiver to receive a first SIP request message from a source and to receive additional SIP request messages;
  
  a transmitter to send a challenge to authenticate the source; and
  
  a content-addressable memory (CAM) to store a CAM table of identifiers of SIP request messages;
  
  a processor tostore an identifier, indicated in the first SIP request message of the source, in the CAM table,determine, for each of the additional SIP request messages, if the CAM table includes an entry that matches an identifier included in the corresponding additional SIP request message;
  
  determine, for each of the additional SIP request messages that includes an identifier that matches an entry in the CAM table, if the corresponding additional SIP request message includes a correct response to the challenge;
  
  block the additional SIP request messages blocking that include an identifier that matches an entry in the CAM table and do not include the correct response to the challenge, andremove the identifier of the source from the CAM table when one of the additional SIP request messages includes an identifier that matches an entry in the CAM table and includes the correct response to the challenge.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The system of claim 9, wherein the identifier of the source is an Internet Protocol (IP) address and wherein the identifier of each of the additional SIP request messages is an IP address.
  - 11. The system of claim 9, wherein the identifier of the source is a from-URI and the identifier of each of the additional SIP request messages is a from-URI.
  - 12. The system of claim 9, wherein the attack comprises a denial of service (DoS) attack.
  - 13. The system of claim 12, wherein the DoS attack includes spoofed SIP request messages.
  - 14. The system of claim 9, wherein the processor removes the identifier of the source from the CAM table after a time period if the processor determines that none of the additional SIP request messages includes the correct response to the challenge.
  - 15. The system of claim 9, wherein the processor is configured to use SIP digest authentication to challenge the source.
  - 16. The system of claim 9,wherein the first SIP request message includes an INVITE message and the additional SIP request messages include additional INVITE messages;
    - andwherein the processor is configured to drop the additional SIP INVITE messages.
  - 17. The system of claim 9, wherein the processor is configured to:
    - block incoming emergency calls that specify identical location information at a substantially identical time interval;
      
      block incoming emergency calls that originate at an identical source IP address at a given time interval;
      
      orblock incoming emergency calls coming from unauthorized subnets that do not match a pre-configured location of a protected network.
  - 18. The system of claim 9,wherein the processor is configured to prevent a forwarding of the additional SIP request messages to the SIP proxy or server to reduce a load on the SIP proxy or server.

19. A device comprising:
- a receiver to receive a first Session Initiation Protocol (SIP) request message from a source and to receive subsequent additional SIP request messages; and
  
  a transmitter to send a message to the Internet Protocol (IP) address identified in the first SIP request message for authenticating the source;
  
  a content addressable memory (CAM) to store a CAM table of source IP addresses of SIP request messages; and
  
  a processor tostore the source IP address identified in the first SIP request message in the CAM table,determine, for each of the additional SIP request messages, if the CAM table includes an entry that matches a source IP address indicated in the corresponding additional SIP request message,determine, for each of the additional SIP request messages that includes a source IP address that matches an entry in the CAM table, if the corresponding additional SIP request message includes a correct response to the challenge;
  
  remove the IP address of the source from the CAM table when one of the additional SIP request messages includes a source IP address that matches an entry in the CAM table and includes the correct response to the challenge.
- View Dependent Claims (20, 21, 22)
- - 20. The device of claim 19, wherein the device includes:
    - a firewall;
      
      ora SIP proxy and a firewall.
  - 21. The device of claim 19, wherein the additional SIP request messages comprise a denial of service (DoS) attack.
  - 22. The device of claim 19, wherein the processor removes the IP address of the source after a period of time if none of the additional SIP request messages include the correct response to the challenge.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University), Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Ormazabal, Gaston S., Schulzrinne, Henning G., Yardeni, Eilon, Patnaik, Somdutt B.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
VICTORIA, NARCISO F

Application Number

US11/557,740
Publication Number

US 20080222724A1
Time in Patent Office

3,030 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/08   for authentication of entit...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Prevention of denial of service (DoS) attacks on session initiation protocol (SIP)-based systems using return routability check filtering

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

88 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Prevention of denial of service (DoS) attacks on session initiation protocol (SIP)-based systems using return routability check filtering

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links