Computing Reviews

SIPAD: SIP-VoIP anomaly detection using a stateful rule tree
Seo D., Lee H., Nuwere E. Computer Communications 36(5): 562-574, 2013. Type: Article
Date Reviewed: 04/14/14

The prevalence of the session initiation protocol (SIP) in communications networks has led to an increase in papers that study attacks against the protocol. The paper by Seo et al. uses a stateful rule tree to detect a malformed SIP attack and an SIP flooding attack. The complexity of the rule tree is O(m · log_x n), where m is the number of sub-rules of a header, x is the average number of child nodes of the rule tree, and n is the number of SIP rules.

Because this is a stateful rule tree, it requires parsing of the SIP message to extract the header field of interest and search for it in the tree. The SIP grammar is a complex context-sensitive set of production rules, such that parsing is a computation-intensive operation. Thus, I was surprised to learn that the authors propose using a parse operation; this would immediately make it untenable to use against flooding attacks. Furthermore, because the tree is necessarily stateful, the technique is amenable only to SIP hosts that are not expected to receive too many messages per unit time. Indeed, this turns out to be the case since the authors are more interested in running this technique on smartphones or desktop (soft) phones. This technique will not scale to network-based SIP servers that receive tens of thousands of messages per second.
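To make the parse-then-lookup step concrete, here is an added illustrative example in Python; it is not code from Seo et al. or from the SIPAD paper. It assumes a hypothetical tree layout (a nested dict keyed by dialog state, then header name, then a list of sub-rules), a hypothetical pair of dialog states ("no_dialog", "in_dialog"), and constructed sample messages; the individual rules, including the length bound on Call-ID of the kind the review warns about, are made up for illustration and are not the paper's rules.

```python
# Added illustrative example (not Seo et al.'s code): a minimal SIP header
# parser feeding a state-keyed rule tree. The tree is a nested dict
# state -> header name -> sub-rules; every rule below is constructed for
# illustration and is not taken from the SIPAD paper.
import re
from collections import defaultdict
from typing import Callable, Optional

# A sub-rule receives every value seen for one header (empty list if absent)
# and returns a violation string, or None when the header passes.
Rule = Callable[[list], Optional[str]]


def parse_sip(raw: str) -> tuple:
    """Split a SIP message into (start line, {header name: [values]}).
    Names are lowercased, repeated headers keep every value, folded
    continuation lines are joined to the previous header; body is ignored."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = defaultdict(list)
    last_name = None
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t" and last_name is not None:   # folded line
            headers[last_name][-1] += " " + line.strip()
            continue
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        last_name = name.strip().lower()
        headers[last_name].append(value.strip())
    return lines[0], dict(headers)


def require() -> Rule:
    return lambda values: None if values else "header missing"


def matches(pattern: str) -> Rule:
    rx = re.compile(pattern)

    def rule(values):
        for v in values:
            if not rx.match(v):
                return f"value {v!r} does not match {pattern!r}"
        return None
    return rule


def max_len(limit: int) -> Rule:
    # The kind of length bound the review warns about: the SIP grammar
    # imposes no such limit, so legitimate traffic can trip it.
    return lambda values: next(
        (f"value longer than {limit} bytes" for v in values if len(v) > limit), None)


# Hypothetical rule tree. "any" applies in every state; the other keys are
# dialog states the caller tells the checker about.
RULE_TREE = {
    "any": {
        "via": [require(), matches(r"^SIP/2\.0/(UDP|TCP|TLS)\s+\S+")],
        "cseq": [require(), matches(r"^\d+ [A-Z]+$")],
        "call-id": [require(), max_len(256)],
        "max-forwards": [matches(r"^\d{1,3}$")],
    },
    "no_dialog": {                  # initial request: From must carry a tag
        "from": [require(), matches(r".*;tag=\S+")],
    },
    "in_dialog": {                  # mid-dialog request: both tags present
        "from": [require(), matches(r".*;tag=\S+")],
        "to": [require(), matches(r".*;tag=\S+")],
    },
}


def check_message(raw: str, state: str) -> list:
    """Return the rule violations for one message in a given dialog state.
    Empty list means the message passed every applicable sub-rule."""
    start_line, headers = parse_sip(raw)
    violations = []
    if not (re.match(r"^[A-Z]+ \S+ SIP/2\.0$", start_line)
            or start_line.startswith("SIP/2.0 ")):
        violations.append(f"start line: bad format {start_line!r}")
    for level in ("any", state):                     # walk tree: state -> header -> rules
        for header, rules in RULE_TREE.get(level, {}).items():
            values = headers.get(header, [])
            for rule in rules:
                problem = rule(values)
                if problem:
                    violations.append(f"{header}: {problem}")
    return violations


# Constructed sample messages (not captured traffic).
SIP_OK = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.1\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SIP_BAD_CSEQ = SIP_OK.replace("CSeq: 314159 INVITE", "CSeq: xyz INVITE")

if __name__ == "__main__":
    print(check_message(SIP_OK, "no_dialog"))        # []
    print(check_message(SIP_BAD_CSEQ, "no_dialog"))  # one cseq violation
    print(check_message(SIP_OK, "in_dialog"))        # one to: violation (no tag)
```

The point the example makes is the one the review raises: every message must be fully split into headers before a single tree node can be consulted, and the same well-formed INVITE that passes in one state fails in another, so the outcome depends on the checker holding per-dialog state for each peer.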

Some of the rules used by Seo et al. to detect flooding and malformed attacks are too severe. For instance, depending on a particular state, Seo et al. discard a message if it contains a certain header. This policy, if deployed in a production network, will discard a reasonable number of otherwise legitimate messages. Seo et al. also impose an assumption that certain fields of the SIP message are bounded in length; no such assumption exists in the SIP grammar, and as a result, such a stringent check will backfire in a production network.

In summary, the stateful rule tree approach taken by Seo et al. is a reasonable one, as long as the SIP host is not, for instance, acting as an ingress SIP server that services every message before it is allowed into the network.

Reviewer: Vijay Gurbani. Review #: CR142170 (1407-0542)
