Volte网络下的SIP攻击检测和分析

为满足中国移动语音业务需求,中国移动进行Volte(Voice over LTE)商用网络建设,Volte使用SIP协议的IMS网络(IP multimedia subsystem).IMS网络的引入将电信运营商进入到互联网时代,互联网典型的洪泛攻击也将成为IMS中不可忽视的威胁之一.本文讨论IMS网络中的SIP安全性问题,分析SIP攻击并提出如何取检测这种攻击.     

IMS网络拓扑隐藏及其加密算法的研究

IMS是3G系统中核心网的一部分,它通过由会话初始协议(SIP)提供的会话性能,建立起端到端的会话.为了保证IMS网络中信息不被泄露,加入拓扑隐藏功能,通过加密SIP消息中的一些内部IP地址和其他网络信息,帮助保护IMS网络拓扑,实现网络的安全.IPSec ESP为所有SIP信令提供机密性保护, 128 bit加密块和密钥的CBC模式用于网络隐藏的加密算法,随机的初始化向量(IV)被用于每一次加密,采用AES算法来实现.     

基于IMS网络拓扑隐藏机制的加密算法的研究

IMS是3G系统中核心网的一部分,它通过会话初始协议SIP发起会话。IMS是基于IP的网络,由于IP网络的漏洞和缺陷,基于IMS的下一代网络存在潜在的安全问题。拓扑隐藏机制可以通过加密SIP消息中的一些内部地址和其他网络信息达到隐藏的目的。本文将就IMS安全中的拓扑隐藏机制及其AES-CBC模式的加密算法进行研究。     

基于SIP的IMS安全分析研究

文中首先分析了SIP协议的五个常见漏洞:注册劫持、服务器伪装、消息篡改、会话终止、拒绝服务,然后对IMS安全机制中的接入安全、网络域安全以及安全联盟的建立流程做了分析,并以此为基础分析研究了在IMS中应用SIP协议的漏洞实施攻击的可行性.从分析结果可以看出,IMS的安全机制能够拒绝除了DOS攻击之外的所有基于SIP漏洞的攻击.最后给出了在IMS中实施DOS攻击的流程,并利用Open SERB服务器在100M的局域网中对DOS攻击进行了仿真验证.     

SIP在IP多媒体子系统中的应用

SIP(Session Initiation Protocol，会话初始协议)是一种基于IP网络提供多媒体会话控制的信令协议。本文将在简要介绍SIP及其扩展的基础上，对SIP在IMS(IP Multimedia Subsystem，IP多媒体子系统)中的应用和典型特征进行介绍。     

IMS中一种新的基于SigComp的SIP压缩机制

IMS(IP Multimedia Subsystem)中采用SIP(Session Initiation Protocol)协议建立和维护多媒体会话。然而,SIP是基于文本消息的协议,在会话建立的过程中需要传输大量的比特,加大会话建立的时延。该文基于SigComp(Signaling Compression)框架结构,将改进后的LZW算法和HUFFMAN算法相结合,提出LZW-HUFFMAN算法。实验结果表明,新算法具有更高的压缩效率,有效地降低了传输时延,缩短了会话建立的时间。     

SIP协议及其在IMS中的应用探讨

IMS是3GPP在Release 5版本中提出的支持IP多媒体业务的子系统,SIP是一种应用层控制协议,用于生成、修改和终止一人或者多人的多媒体会话,SIP是IMS的基本控制协议。本文首先简要介绍IMS和SIP协议,然后介绍SIP协议在IMS中的基本应用和扩展应用。     

IMS路由相关问题及安全分析

IMS采用会话启动协议（SIP）作为主要信令协议,运行于IP网络之上,是下一代融合网络核心的可选方案之一。IMS中和路由相关的描述主要包括：SIP消息中与路由有关的消息头描述、用户注册路由描述、用户会话发起路由描述,用以解决注册路由和会话路由等。在IMS的部署结构和路由的过程中,接口受到的安全威胁最大,需要设备商和运营商之间根据实际情况达成共识,来提高网络的健壮性和安全性.由于普遍采用简单易实现的递归查询方式,从而导致一级服务器查询量大,需要减少查询开销。     

IMS对SIP协议的要求及应用

IP多媒体核心子系统(IMS)近年来日益成为比较受认同的固定网络和移动网络融合的理想方案,而会话发起协议(SIP)是IMS的基本控制协议,它自身的特点使得它在固网和移动网络向下一代网络(NGN)迈进的过程中发挥日益突出的重要作用。文章就SIP在IMS中的基本应用、扩展应用做了具体的分析,并通过IMS中SIP信令典型流程阐述了SIP在IMS中的应用。     

SIP协议在3G多媒体子系统中的应用

SIP协议是由IETF提出的IP电话信令协议，它用于建立、修改和终结多个用户终端之间的多媒体会话。第三代无线系统(3G)的R5结构中，IP多媒体子系统域(IMS)选择SIP作为终端和IMS以及IMS内部各元素之间的信令协议。本文针对SIP协议在IMS中的应用展开介绍，重点介绍了IMS中由SIP协议实现的业务注册和会话建立流程。     

Selective parsing to enhance SIP performance

The session initiation protocol (SIP) is used as the signaling protocol in the IP multimedia subsystem (IMS) and the signaling is becoming computing intensive comparing to the current telecommunication network. The SIP is a text-based protocol with characteristics of unordered and verbose headers, variable-size message, and case-insensitive keyword. It imposes challenges for an efficient message processing. The property of SIP elements being able to process SIP messages quickly is critical for the performance of IMS networks. This article investigates the performance of SIP message processed in SIP servers, mainly focusing on improving message parsing by introducing a method named selective parsing for SIP message (SP4SIP). By modeling and analyzing a SIP server with a tandem Jackson network, it is concluded that parsing messages is the bottleneck of a SIP server performance, i.e., it is the most processing intensive activity in the system. To validate the approach, it has been implemented in a high-performance SIP server in the authors' lab. The results show that selective parsing for SIP message can indeed reduce processing time.     

Design,implementation and performance evaluation of a proactive overload control mechanism for networks of SIP servers

The extent and diversity of systems, provided by IP networks, have made various technologies approach integrating different types of access networks and convert to the next generation network (NGN). The session initiation protocol (SIP) with respect to facilities such as being in text form, end-to-end connection, independence from the type of transmitted data, and support various forms of transmission, is an appropriate choice for signalling protocol in order to make connection between two IP network users. These advantages have made SIP be considered as a signalling protocol in IP multimedia subsystem (IMS), a proposed signalling platform for NGNs. Despite having all these advantages, SIP protocol lacks appropriate mechanism for addressing overload causing serious problems for SIP servers. SIP overload occurs when a SIP server does not have enough resources to process messages. The fact is that the performance of SIP servers is largely degraded during overload periods because of the retransmission mechanism of SIP. In this paper, we propose an advanced mechanism, which is an improved method of the windows based overload control in RFC 6357. In the windows based overload control method, the window is used to limit the amount of message generated by SIP proxy server. A distributed adaptive window-based overload control algorithm, which does not use explicit feedback from the downstream server, is proposed. The number of confirmation messages is used as a measure of the downstream server load. Thus, the proposed algorithm does not impose any additional complexity or processing on the downstream server, which is overloaded, making it a robust approach. Our proposed algorithm is developed and implemented based on an open source proxy. The results of evaluation show that proposed method could maintain the throughput close to the theoretical throughput, practically and fairly. As we know, this is the only SIP overload control mechanism, which is implemented on a real platform without using explicit feedback.     

基于SCTP的SIP的研究

在基于IP的3G移动网络中,SIP将是主要的信令协议。IMS第五版本要求支持SIP的服务器具有拥塞控制能力。SCTP是为IP网传输电话信令而设计的,但它的许多特征也适用于传输SIP消息(如拥塞控制机制)。文章研究了如何用SCTP传输SIP信令消息。     

无线网络中SIP信令组合压缩方案研究

IMS（IP多媒体子系统）采用SIP协议建立和维护多媒体会话,但SIP是基于文本的协议,消息比较大,当应用于带宽小的无线网络时,会增加会话建立的时延。为缩短会话建立时间,有必要对SIP消息进行压缩。针对单一的使用压缩算法在SIP信令压缩性能方面的不足,本文在Deflate压缩算法的基础上,采用不同的压缩策略,对SIP消息实现了压缩。仿真结果表明,静态字典、用户自定义字典和共享压缩的组合方案得到了最好的压缩效果,压缩后的消息平均大小仅为原来消息大小的14％左右。     

抵御SYN洪水攻击早期阶段的检测方法

Existing detection methods against SYN flooding attacks are effective only at the later stages when attacking signatures are obvious. In this paper an early stage detecting method （ESDM） is proposed. The ESDM is a simple but effective method to detect SYN flooding attacks at the early stage. In the ESDM the SYN traffic is forecasted by autoregressive integrated moving average model, and non-parametric cumulative sum algorithm is used to find the SYN flooding attacks according to the forecasted traffic. Trace-driven simulations show that ESDM is accurate and efficient to detect the SYN flooding attacks.     

一种新的面向IMS网络的SIP协议栈

IMS是3G系统中核心网的重要部分,由SIP提供的会话发起能力建立起端到端的会话,并获得所需要的服务质量。本文基于有限状态机提出了一种新的面向IMS网络的SIP信令协议栈。通过在软终端上的功能、性能和可靠性测试,本文提出的SIP协议栈能够有效地完成多媒体通信功能。     

Security upgrade against RREQ flooding attack by using balance index on vehicular ad hoc network

VANET is an ad hoc network that formed between vehicles. Security in VANET plays vital role. AODV routing protocol is a reactive or on-demand routing protocol which means if there is data to be send then the path will create. AODV is the most commonly used topology based routing protocol for VANET. Using of broadcast packets in the AODV route discovery phase caused it is extremely vulnerable against DOS and DDOS flooding attacks. Flooding attack is type of a denial of service attack that causes loss of network bandwidth and imposes high overhead to the network. The method proposed in this paper called Balanced AODV (B-AODV) because it expects all network node behave normally. If network nodes are out of the normal behavior (too much route request) then they identified as malicious node. B-AODV is designed with following feature: (1) The use of adaptive threshold according to network conditions and nodes behavior (balance index) (2) Not using additional routing packets to detect malicious nodes (3) Perform detection and prevention operations independently on each node (4) Perform detection and prevention operations in real time (5) No need for promiscuous mode. This method for detection and prevention flooding attack uses average and standard deviation. In this method each node is employing balance index for acceptation or rejection RREQ packets. The results of the simulation in NS2 indicates B-AODV is resilience against flooding attack and prevent loss of network bandwidth. Comparing between AODV with B-AODV in normal state (non-attacker) shows B-AODV is exactly match with AODV in network performance, this means that the B-AODV algorithm does not impose any overhead and false positive to AODV.     

基于SIP的IMS安全分析研究

文中详细分析了SIP协议的常见漏洞和IMS的安全机制,并以此为基础分析研究了在IMS中应用SIP协议的漏洞实施攻击的可行性.从分析结果可以看出,IMS的安全机制能够拒绝除了DOS攻击之外的所有的基于SIP漏洞的攻击.最后对DOS攻击进行了仿真验证.     

Detection method of LDoS attack based on ACK serial number step-length

Low-rate denial of service (LDoS) attack is a potential security threat to big data centers and cloud computing platforms because of its strong concealment.Based on the analysis of network traffic during the LDoS attack,statistical analysis was given of ACK packets returned by the data receiver to the sender,and result reveals the sequence number step had the characteristics of volatility during the LDoS attack.The permutation entropy method was adopted to extract the characteristics of volatility.Hence,an LDoS attack detection method based on ACK serial number step permutation entropy was proposed.The serial number was sampled and the step length was calculated through collecting the ACK packets that received at the end of sender.Then,the permutation entropy algorithm with strong time-sensitive was used to detect the mutation step time,and achieve the goal of detecting LDoS attack.A test-bed was designed and built in the actual network environment for the purpose of verifying the proposed approach performance.Experimental results show that the proposed approach has better detection performance and has achieved better detection effect.