Edge Security for SIP-enabled IoT Devices with P4

Abstract

The exponential growth of IoT devices poses security concerns, in part because they provide a fertile breeding ground for botnets. For example, the Mirai botnet infected almost 65,000 devices in its first 20 hours. With the prevalence of Session Initiation Protocol (SIP) phones and devices on the networks today, the attacker could easily target and recruit these IoT devices as bots. Conventional network security measures do not provide adequate attack prevention, detection, and mitigation for these widely distributed IoT devices. This paper presents microVNF, a Virtualized Network Function (VNF) that leverages the programmable data plane feature on the edge switch. Based on knowledge gained from the Mirai botnet incident and following the defense-in-depth principle, microVNF protects IoT devices against SIP DDoS attacks in two stages: before and after infection. Prior to infection, it protects against SIP scanning, enumeration, and dictionary attacks. After infection, microVNF blocks botnet registration attempts to the command-and-control (CNC) server, thereby preventing the botnet from receiving commands sent from the CNC server, and detects and mitigates botnet SIP DDoS attacks. We conducted six experiments that involved using popular attack tools against microVNF, and it successfully performed deep-packet inspection of unencrypted SIP packets so as to track anomalies from a typical SIP state-machine. In this use case, besides providing physical connectivity to the IoT devices, the edge switch containing microVNF also provides the first line of defense in stopping malicious packets from propagating upstream to the core network. In addition to securing SIP, the microVNF approach can be adapted to other text-based, application-layer protocols such as HTTP and SMTP. MicroVNF leverages the native capability of programmable data planes without depending on external devices, thereby making this approach practical for securing edge-computing environments against application-layer attacks.