DISSERTATION Denial-of-Service and Unsolicited Communication Protection in Global Voice-over-IP Infrastructures

The switch of future telecommunication infrastructures to packet switched communication using the Internet Protocol (IP) raises new issues and challenges regarding security. Telecom operators will likely face challenges similar to the ones encountered in the last years by operators of established IP services like World Wide Web (WWW) or Email. The first part of this thesis presents attack scenarios using theoretical discussions and practical examples. These examples demonstrate, how successful DoS attacks against VoIP-infrastructures can be done with little effort. The second part of this thesis proposes detection mechanisms for service disruptions using active and passive monitoring. State of the art standards by Internet Engineering Task Force (IETF) and 3rd Generation Partnership Project (3GPP) as well as own extensions for precise congestion rating are presented in this section. The last section of this thesis presents a novel perimeter protection node (Session Border Controller Advanced (SBC-A)) and validates the effectivity of this infrastructure using reference measurements from operative public IP networks. This infrastructure applies various techniques in fifteen consecutive stages to block malicious messages and to flag problematic ones. The latter are forwarded for further processing to the central VoIP infrastructure. In case of an unavoidable congestion, the markings can be used to drop requests with a high marking earlier than important messages. The effectiveness of this approach is validated using real traffic from A1 Telekom Austria and the VoIP-provider iptel.org.