Felipe Huici

Enabling high-speed and extensible real-time communications monitoring

The use of the Internet as a medium for real-time communications has grown significantly over the past few years. However, the best-effort model of this network is not particularly well-suited to the demands of users who are familiar with the reliability, quality and security of the Public Switched Telephone Network. If the growth is to continue, monitoring and real time analysis of communication data will be needed in order to ensure good call quality, and should degradation occur, to take corrective action. Writing this type of monitoring application is difficult and time consuming: VoIP traffic not only tends to use dynamic ports, but its real-time nature, along with the fact that its packets tend to be small, impose non-trivial performance requirements. In this paper we present RTC-Mon, the Real-Time Communications Monitoring framework, which provides an extensible platform for the quick development of high-speed, real-time monitoring applications. While the focus is on VoIP traffic, the framework is general and is capable of monitoring any type of real-time communications traffic. We present testbed performance results for the various components of RTC-Mon, showing that it can monitor a large number of concurrent flows without losing packets. In addition, we implemented a proof-of-concept application that can not only track statistics about a large number of calls and their users, but that consists of only 800 lines of code, showing that the framework is efficient and that it also significantly reduces development time.

Protecting SIP against Very Large Flooding DoS Attacks

The use of the Internet for VoIP communications has seen an important increase over the last few years, with the Session Initiation Protocol (SIP) as the most popular protocol used for signaling. Unfortunately, SIP devices are quite vulnerable to Denial-of-Service (DoS) attacks, many of them becoming unresponsive and even resetting with floods of only hundreds of packets per second. n nIn this paper we introduce SIP Defender, a new distributed filtering architecture designed to protect SIP devices against large, flooding DoS attacks. In addition, we describe the implementation of the architectures SIP Controllers, the network devices in charge of performing the actual filtering. We further present testbed performance figures for these, showing that a controller built on commodity hardware can forward an impressive 2.5 million packets per second for small SIP packets while applying one million filters as well as anti-spoofing mechanisms.

Building a decentralized, cooperative, and privacy-preserving monitoring system for trustworthiness: the approach of the EU FP7 DEMONS project [Very Large Projects]

The aim of DEMONS is to significantly improve the trustworthiness of todays Internet by empowering the operators ability to detect and react to global-scale incidents and malicious activity. To this end, DEMONS follows an integrated approach to network monitoring whose key elements are the distribution of programmable monitoring tasks across cooperative monitoring nodes, and the deployment of inter-domain collaborative mechanisms that preserve the privacy of customers and operators data.

DECON: Decentralized Coordination for Large-Scale Flow Monitoring

Monitoring at the flow level is crucial to ensure the correct operation of networks. Any sizable network relies on a number of monitoring probes, both to provide different observation points but also to scale to the ever-increasing number of flows that go through it. This situation gives rise to the difficult problem of assigning monitoring of flows to the available probes so that the network-wide coverage of flows (i.e., the number of flows actually monitored) is maximized. In this paper we introduce DECON, a decentralized and scalable coordination system aimed at solving this assignment problem. Unlike other approaches, DECON requires no network topology information, no traffic matrices and no packet marking. We present extensive simulation results showing that DECON scales up to large numbers of flows while requiring reasonable amounts of state from probes. Further, performance results from a prototypical monitoring probe built with commodity hardware show that even an inexpensive solution can accommodate DECONs requirements.

Toward composable network traffic measurement

As the growth of Internet traffic volume and diversity continues, passive monitoring and data analysis, crucial to the correct operation of networks and the systems that rely on them, has become an increasingly difficult task. We present the design and implementation of Blockmon, a flexible, high performance system for network monitoring and analysis. We present experimental results demonstrating Blockmons performance, running simple analyses at 10Gb/s line rate on commodity hardware; and compare its performance with that of existing programmable measurement systems, showing significant improvement (as much as twice as fast) especially for small packet sizes. We further demonstrate Blockmons applicability to measurement and data analysis by implementing and evaluating three sample applications: a flow meter, a TCP SYN flood detector, and a VoIP anomaly-detection system.

Crosstalk: A Scalable Cross-Protocol Monitoring System for Anomaly Detection

Monitoring is crucial both to the correct operation of a network and to the services that run on it. Operators perform monitoring for various purposes, including traffic engineering, quality of service, security and detection of faults and mis-configurations. However, the relentless growth of IP traffic volume renders real-time monitoring and analysis of data a very challenging problem. In this paper we introduce Crosstalk, a scalable and efficient distributed monitoring architecture that uses cross-protocol correlation to detect network anomalies. While applicable to a wide range of applications such as botnet detection, spam mitigation and mis-configurations, we pick a point in this application space, concentrating on VoIP attacks. We present extensive simulation results based both on generated calls and on millions of Call Data Records (CDRs) from a large VoIP operator to show our approachs performance and effectiveness.

Testing Dialog-Verification of SIP Phones with Single-Message Denial-of-Service Attacks

The Session Initiation Protocol (SIP) is widely used for signaling in multimedia communications. However, many SIP implementations are still in their infancy and vulnerable to malicious messages. We investigate flaws in the SIP implementations of eight phones, showing that the deficient verification of SIP dialogs further aggravates the problem by making it easier for attacks to succeed. Our results show that the majority of the phones we tested are susceptible to these attacks.

Single-message denial-of-service attacks against voice-over-internet protocol terminals

The session initiation protocol (SIP) is widely used for signalling in multimedia communications. However, many SIP implementations are still in their infancy and vulnerable to malicious messages. We investigate flaws in the SIP implementations of eight phones, showing that the deficient verification of SIP dialogs further aggravates the problem by making it easier for attacks to succeed. Our results show that the majority of the phones we tested are susceptible to these attacks.