|Authors||A. Aziz, D. Hoffstadt, T. Dreibholz and E. P. Rathgeb|
|Title||A Distributed Infrastructure to Analyse SIP Attacks in the Internet|
|Affiliation||Communication Systems, Networks, Communication Systems|
|Project(s)||The Center for Resilient Networks and Applications|
|Publication Type||Proceedings, refereed|
|Year of Publication||2014|
|Conference Name||Proceedings of the IFIP Networking Conference (Networking 2014)|
VoIP systems based on the Session Initiation Protocol (SIP) are becoming more and more widespread in the Internet. However, this creates security issues and opens up new opportunities for misuse and fraud. The most widespread threat is the multi-stage attack aimed at committing Toll Fraud. To devise effective countermeasures, it is crucial to know how attacks on these systems are performed in reality. In this paper, we introduce a novel distributed monitoring system with Sensor nodes located in Norway, Germany and China that allow the detection of SIP-based attacks from the Internet. Based on experiences from experiments spanning several years, we propose a new setup which allows simple and straightforward addition of new remote observation points. We have deployed this setup in the NorNet testbed and highlight its advantages compared to a previous setup with physically distributed Sensors. We also present results from a 45-day field test with 13 observation points. These results confirm the advantages of a widely distributed monitoring setup and give some new insights into the behavior of the attackers.