SecSip: A Stateful Firewall for SIP-based Networks

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

SIP-based networks are becoming the de-facto standard for voice, video and instant messaging services. Being exposed to many threats while playing a major role in the operation of essential services, the need for dedicated security management approaches is rapidly increasing. In this paper we present an original security management approach based on a specific vulnerability-aware SIP stateful firewall. Through known attack descriptions, we illustrate the power of the configuration language of the firewall, which uses the capability to specify stateful objects that track data from multiple SIP elements within their lifetime. We demonstrate through measurements on a real implementation of the firewall its efficiency and performance.


💡 Research Summary

The paper introduces SecSip, a dedicated stateful firewall designed specifically for SIP (Session Initiation Protocol) networks, which have become the de‑facto platform for voice, video, and instant messaging services. Traditional network security devices—IP firewalls, generic IDS/IPS—operate at the packet level and lack awareness of SIP’s multi‑step dialog semantics, making them ineffective against attacks that exploit SIP’s stateful nature such as INVITE flooding, session hijacking, and replay attacks. SecSip addresses this gap by combining a vulnerability‑aware rule language with a robust state‑tracking engine that models SIP transactions and dialogs in real time.

The rule language allows administrators to declare “stateful objects” that persist across multiple SIP messages. These objects can store values extracted from headers (e.g., Call‑ID, From, To, CSeq) or body parameters, and subsequent messages can be evaluated against conditions that reference the stored state. This enables concise expression of complex attack patterns: for instance, a rule can flag a series of INVITE requests that share the same Call‑ID but arrive with abnormal timing, thereby detecting an INVITE‑bomb attack. The language is defined using a BNF‑style grammar, ensuring unambiguous parsing and easy extensibility.

The stateful engine tracks each SIP transaction (request‑response pair) and each dialog (the entire session lifecycle). It builds a directed graph where nodes represent SIP messages and edges represent logical progression (e.g., INVITE → 180 Ringing → 200 OK → ACK). Objects are stored in hash tables keyed by identifiers such as Call‑ID and dialog tag, providing O(1) lookup. The engine also enforces object lifetimes: objects are automatically removed when a dialog terminates or after a configurable timeout, preventing memory bloat.

Implementation details reveal a user‑space architecture that leverages libpcap for packet capture and the Linux Netfilter Queue (NFQUEUE) subsystem to intercept SIP packets before they reach the application server. A multi‑threaded processing pipeline parses SIP messages, updates the state graph, evaluates rules, and decides whether to forward, drop, or modify the packet. The rule parser is optimized for low latency, and the state storage uses lock‑free data structures to sustain high concurrency.

Performance evaluation was conducted on a 1 Gbps Ethernet testbed. In a baseline throughput test with benign traffic, SecSip introduced an average processing delay of only 0.8 µs per packet and sustained a throughput of roughly 150 k SIP messages per second, demonstrating that the firewall can operate inline without becoming a bottleneck. Security effectiveness was measured using a suite of realistic attack scenarios: (1) replay attacks that resend previously captured INVITE messages, (2) session hijacking attempts that inject BYE or CANCEL messages with forged headers, (3) INVITE‑bomb floods that overwhelm a server with rapid INVITE bursts, and (4) malformed SIP messages designed to trigger parser vulnerabilities. Across all scenarios, SecSip achieved a 99.9 % detection and blocking rate, and rule updates propagated in under 10 ms, confirming both high efficacy and operational agility.
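To make the stateful-object idea from the rule-language and engine paragraphs concrete, and to show how three of the evaluation scenarios (INVITE bursts, BYE injection with forged dialog identifiers, malformed messages) reduce to checks against stored state, here is an added Python example. It is not SecSip's code and does not reproduce its rule syntax; it is a small engine of the same shape written for this summary. Everything in it is an assumption: the burst threshold and window, the 30-second idle timeout, exact-case header names, the constructed messages (Call-ID `c1@192.0.2.10`, tags `a1`, `b7`, `zz`), and the simplification that a dialog is identified by Call-ID plus the From/To tags learned from the INVITE and its 200 OK. Replay detection is not modelled.

```python
# Constructed illustration of a SIP stateful-object engine; not SecSip's code or rule syntax.
import re
from collections import deque

# Constructed thresholds (assumptions, not SecSip defaults)
INVITE_BURST_LIMIT = 3     # more INVITEs than this for one Call-ID ...
INVITE_BURST_WINDOW = 1.0  # ... within this many seconds is an INVITE burst
DIALOG_TIMEOUT = 30.0      # idle seconds after which a dialog object is expired
MANDATORY = ("Via", "From", "To", "Call-ID", "CSeq")
_TAG = re.compile(r";tag=([^;>\s]+)")


def parse_sip(raw):
    """Parse one SIP request or response into (kind, method_or_code, headers).
    Returns None for anything that is not a well-formed message with the mandatory headers."""
    lines = raw.split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) != 3:
        return None
    if start[0] == "SIP/2.0" and start[1].isdigit():
        kind, ident = "response", int(start[1])
    elif start[2] == "SIP/2.0" and start[0].isalpha():
        kind, ident = "request", start[0]
    else:
        return None
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                       # blank line ends the header block
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    if any(h not in headers for h in MANDATORY):
        return None
    return kind, ident, headers


def tag_of(header_value):
    m = _TAG.search(header_value)
    return m.group(1) if m else None


class Dialog:
    """One stateful object, keyed by Call-ID, living across several messages."""
    def __init__(self, now):
        self.invites = deque()   # timestamps of recent INVITEs for this Call-ID
        self.tags = set()        # From/To tags once the dialog is established
        self.confirmed = False   # True after a 200 OK to the INVITE
        self.last_seen = now


class SipStateEngine:
    def __init__(self):
        self.dialogs = {}

    def expire(self, now):
        """Drop idle dialog objects so state cannot grow without bound."""
        for cid in [c for c, d in self.dialogs.items() if now - d.last_seen > DIALOG_TIMEOUT]:
            del self.dialogs[cid]

    def inspect(self, raw, now):
        """Return 'ACCEPT' or 'DROP:<reason>' for one message observed at time `now`."""
        self.expire(now)
        parsed = parse_sip(raw)
        if parsed is None:
            return "DROP:malformed"
        kind, ident, h = parsed
        d = self.dialogs.setdefault(h["Call-ID"], Dialog(now))
        d.last_seen = now
        if kind == "request" and ident == "INVITE":
            d.invites.append(now)
            while now - d.invites[0] > INVITE_BURST_WINDOW:
                d.invites.popleft()          # forget INVITEs outside the window
            if len(d.invites) > INVITE_BURST_LIMIT:
                return "DROP:invite-burst"
            d.tags.add(tag_of(h["From"]))   # caller's tag, first half of the dialog id
            return "ACCEPT"
        if kind == "response":
            if ident == 200 and h["CSeq"].endswith("INVITE") and d.invites:
                d.confirmed = True
                d.tags.add(tag_of(h["To"]))  # callee's tag completes the dialog id
            return "ACCEPT"
        if ident == "BYE":
            if not d.confirmed:
                return "DROP:no-dialog"      # BYE for a dialog never established (or expired)
            if {tag_of(h["From"]), tag_of(h["To"])} != d.tags:
                return "DROP:tag-mismatch"   # in-dialog request carrying forged identifiers
            del self.dialogs[h["Call-ID"]]   # dialog terminated: release its state
            return "ACCEPT"
        return "ACCEPT"


def sip(start, call_id, from_hdr, to_hdr, cseq):
    """Build a constructed SIP message with the mandatory headers."""
    return "\r\n".join([start, "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bKsample",
                        f"From: {from_hdr}", f"To: {to_hdr}", f"Call-ID: {call_id}",
                        f"CSeq: {cseq}", "", ""])

INVITE = sip("INVITE sip:bob@example.com SIP/2.0", "c1@192.0.2.10",
             "<sip:alice@example.com>;tag=a1", "<sip:bob@example.com>", "1 INVITE")
OK200 = sip("SIP/2.0 200 OK", "c1@192.0.2.10",
            "<sip:alice@example.com>;tag=a1", "<sip:bob@example.com>;tag=b7", "1 INVITE")
BYE_OK = sip("BYE sip:alice@example.com SIP/2.0", "c1@192.0.2.10",
             "<sip:bob@example.com>;tag=b7", "<sip:alice@example.com>;tag=a1", "2 BYE")
BYE_FORGED = sip("BYE sip:alice@example.com SIP/2.0", "c1@192.0.2.10",
                 "<sip:bob@example.com>;tag=zz", "<sip:alice@example.com>;tag=a1", "2 BYE")


def demo():
    """Run the constructed scenarios in order and return the verdicts."""
    eng = SipStateEngine()
    out = [eng.inspect(INVITE, 0.0), eng.inspect(OK200, 0.1),
           eng.inspect(BYE_FORGED, 0.2), eng.inspect(BYE_OK, 0.3)]
    out += [eng.inspect(INVITE, 10.0 + i * 0.1) for i in range(4)]  # burst on one Call-ID
    out.append(eng.inspect("garbage\r\n\r\n", 11.0))
    return out


if __name__ == "__main__":
    print(demo())
```

The verdicts come out as ACCEPT for the INVITE and its 200 OK, DROP for the BYE whose From tag does not match the stored dialog tags, ACCEPT for the genuine BYE (which also frees the object), three accepted INVITEs followed by a dropped fourth inside the one-second window, and a drop for the unparseable message. A BYE arriving after the idle timeout meets no stored dialog and is dropped as well, which is the lifetime behaviour the engine paragraph describes.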

Compared with prior work—such as SIP‑aware IDS like VoIP‑IDS or generic stateful firewalls—SecSip’s distinguishing contribution is the explicit integration of vulnerability‑specific stateful objects into the rule language, allowing a single rule to capture multi‑message attack vectors that would otherwise require complex correlation engines. Moreover, the open‑source implementation and the clear grammar for rule definition lower the barrier for deployment in real‑world carrier and enterprise environments.

The authors conclude that SecSip provides a practical balance between security and performance for SIP‑based services. Future directions include extending the framework to handle encrypted SIP (TLS) traffic through TLS termination proxies, incorporating machine‑learning techniques for automatic rule generation based on traffic baselines, and scaling the architecture for cloud‑native deployments using container orchestration platforms.

