DDoS Prevention Using Greylisting

Distributed Denial of Service Attacks (DDoS) are a particularly dangerous kind of attack — spreading the load among multiple attacks boosts the penetration force while making the attack harder to tie to a source and detect. VoIP-specific DDoS attack have been systematically recorded back in 2011. The Slash Zero SIP scan used the Sality botnet with 3 million bots! The attack was covert — the IP addresses were iterated by most significant address bits and most bots sent only one or few packets.

See a Caida report for additional details.

To make a VoIP service resilient against DDoS attacks, the ABC-SBC is using a technique named greylisting. Greylisting simply blocks IP addresses from which packets come to a SIP service and do not act in a legitimate way within a period of time. While the packets that trigger greylisting may be more or less “innocent” packets, they may be also a scanning prelude to a serious attack. The greylisting policy doesn’t wait too long: if the initial packet is not establishing a legitimate conversation with a SIP server within a timeout, the IP address from which it came will be blocked.

In this use-case, SIP scans coming from various IP addresses and send to an SBC will be started during the cloud formation process. You will be able to visit the Monitor security dashboard and see the IP addresses that have been detected and blocked by the SBC

How to use it

To start the cloud formation process visit this link:

Once the cloud formation process completes, wait few more minutes to see how a simulated attack develops. In the Cloud Formation Outputs, there is a link to the Monitor and SBC. If you open the Monitor link to Security Dashboard, you will find a series of greylisting events. These were produced during an emulated attack. In this attack an OPTIONS request is being sent every ten seconds, and because it only triggers 403s, the request’s source IP address will be blocked. The OPTIONS requests are crafted using scapy tool and each has a distinct random spoof source address.

Greylisting originators of unwelcome SIP messages is important as it prevents a SIP scan to evolve into a full scale attack. Monitoring the number of greylisted addresses also helps to detect abnormal situation. Our piloting site on the public Internet shows in average sixty thousand IP addresses blocked using greylisting!


What is orchestrated

There are four machines running: a Session Border Controller (m3.medium), a machine simulating a DDoS attack (t2.micro), a Monitor to display the network situation (t2.medium), and a machine representing the protected infrastructure (t2.micro). The protected machine is a kamailio server that sends a 403 Forbidden answer to all requests. The attacking machine is implemented using a packet manipulation tool SCAPY and keeps sending OPTIONS packets from random IP addresses.


What else you should know

Care needs to be applied when using greylisting: a too strict policy may disable all traffic from an IP address which may be particularly harming when there are multiple users behind the IP address. The key piece is definition of what constitutes legitimate traffic in the ABC rules. See the ABC-SBC documentation for detailed hints how to set up such a policy or contact Frafos professional services.