A SIP firewall (110) defends an IMS network against against SIP registration -based DoS/DDoS attacks by issuing fake authentication challenges when suspiciously high registration traffic is present. The fake authentication challenges include a predictive nonce that is to be used in the challenge response, thus forcing users to be state-aware and to issue the SIP registration requests from valid IP address in order to successfully respond to the fake authentication challenges. Upon confirming an association between the challenge response and the fake authentication challenges, the firewall (110) opens a registration window to a protected node of the core network (116). In such manner, the firewall (110) opens a registration window to (unauthenticated) legitimate users while stopping DDoS mode of registrations (or at least making them extremely difficult and costly) without impacting or involving the protected node.
展开▼