Location of Test: CT Labs facility, Rocklin, CA
Date of Test: January, 2006
NexTone
Session Border Controller
Attack Performance Test
Statement of Test Purpose
CT Labs was commissioned by NexTone to verify SIP call-handling performance of the NexTone MSC session border controller (SBC) product while subjected to various real-world attacks. The test involved generating high levels of valid real-world SIP-based VoIP traffic while launching attacks against the SBC, including denial of service (DoS) and other malicious attacks designed to disrupt SIP-based services.
Product Tested
The NexTone Multiprotocol Session Controller (MSC), a robust session border controller, intelligently facilitates the interconnection of IP-based networks for the exchange of real-time traffic such as VoIP. The NexTone MSC enables network operators to securely peer with other IP-based carriers by using advanced session management capabilities such as intelligent session routing, dynamic session admission control, SIP/H.323 signaling interworking, media transcoding, VoIP firewalling and denial of service (DoS) protection. The NexTone MSC offers flexibility and scalability while ensuring consistent service quality, protection and security even when under attack. The stateful intelligence of the NexTone MSC enables carriers to successfully interconnect to any VoIP network while building towards a next-generation SIP-based architecture such as IMS.
NexTone MSC Version Tested: v4.0c2-2
© 2006 CT Labs Testing Services
Highlights
• The NexTone MSC successfully sustained high SIP call rates while subjected to demanding CT Labs SIP DoS attacks
• NexTone SBC passes SIP Torture and SIP Malformed Packet flood tests with no ill effects
Executive Summary
CT Labs staged a peering VoIP topology featuring a NexTone MSC session border controller positioned at the boundary between the two networks. A very high level of standards-based real-world SIP call traffic was generated between networks while various DoS and SIP-oriented attacks were launched. Performance of the legitimate VoIP call traffic was monitored during VoIP baseline and VoIP-plus-attack test runs. A properly-functioning SBC will ward off attacks while allowing valid VoIP calls to traverse inter-network boundaries.

CT Labs found the NexTone MSC product to provide a solid protection layer under extremely adverse attack conditions and significant SIP call loads up to 150 calls/sec. While maintaining its protection and processing valid SIP calls, the NexTone MSC was found to successfully reject a variety of SIP-specific attacks at up to ½ GE wire rate and packet rates up to 150,000 packets/sec, a significant result.
NexTone MSC SBC Attack Performance Test
CT Labs Test Report
Test Methodology and Conditions
CT Labs staged an inter-carrier peering network topology as shown in Figure 1. The NexTone MSC SBC was configured to pass real-world SIP calls while protecting the “B” network side from SIP attacks [1] sourced from the “A” side. Flow control on Ethernet was enabled, as it would be in a production network, limiting the attack rates to approx. 500 Mbits/sec. Note: signaling and media paths were configured using separate NexTone MSC network ports (detail not shown in the diagram).
A pair of Empirix Hammer NXT-IP high density VoIP call generators provided the bulk of the legitimate SIP call load, while the Hammer FX-IPs accumulated RTP jitter statistics for their SIP calls. NexTone contributed an in-house SIP call generator tool (“Spitfire”) to bring the call rates up to the targets for this test.
The Hammer FX-IP calls were placed via the NexTone MSC-protected SIP Express Router [2] proxy while attacks were launched, providing a failure indication if the proxy were left unprotected against attacks and thus unable to properly process calls.
Table 1 below presents a subset of the comprehensive series of attacks that CT Labs launched against the NexTone MSC. A final long-duration test run was performed to verify call-handling reliability, the results of which are presented later in this report.
Table 1: Selected Attack Tests

Test                               Test Duration   Total SIP Endpoints [3]
SIP Malformed Packet Flood         15 min          0
SIP Torture Test Flood             15 min          0
SIP REGISTER Flood                 30 min          41,880
SIP INVITE Flood                   30 min          55,680
SIP INVITE, Response Spoof Floods  30 min          36,480 INV. / 41,880 Resp.

Descriptions:
SIP Malformed Packet Flood: This test floods the 4500 PROTOS test cases from 1000 random, outside, source IP address/ports to the NexTone MSC at up to line rates.
SIP Torture Test Flood: This test floods SIP Torture Test messages from 100 random source address/ports to the NexTone MSC at up to line rates.
SIP REGISTER Flood: This test floods the NexTone MSC with REGISTERs from sources other than legitimate ones (i.e. other than the Empirix Hammer and NexTone generators).
SIP INVITE Flood: This test floods the NexTone MSC with INVITEs from sources other than legitimate ones (i.e. other than the Empirix Hammer and NexTone call generators).
SIP INVITE, Response Spoof Floods: These tests flood the NexTone MSC with INVITEs or SIP Responses (100 Trying, 180 Ringing, etc.) while spoofing the IP addresses of legitimate SIP devices.
Figure 1: Test Setup Diagram
Footnotes:
[1] This test utilized the CT Labs SIP Attack Tool platform, a scriptable framework for verifying protection and prevention from attacks against SIP devices.
[2] SIP Express Router (SER), an open-source SIP server available from www.iptel.org
[3] Total call generator SIP endpoints used. The simultaneous calls for each test run were conditioned based on the call durations and interval between calls.
Test Results Summary
For these tests the Empirix Hammer call generators contributed up to 48,480 SIP endpoints of traffic at 110 cps, with the NexTone generators adding 7200 endpoints at up to 40 cps when required. Call durations were adjusted from 90 sec. to 238 sec. depending on the call generator platform and call rates desired.
Baseline no-attack test runs were first performed to verify NexTone MSC SIP call connectivity and correct operation of the test platform. During these runs, the NexTone MSC exhibited excellent SIP call setup latency [4] performance of 19 mSec average; as well, the calls experienced an average 0.3 mSec of RTP jitter induced by the SBC.
Table 2 below presents the performance results for the NexTone MSC as it handled legitimate VoIP calls while being subjected to a variety of challenging attacks against SIP-based services. As the data illustrates, the NexTone MSC continued to provide protection from attacks while handling standards-based SIP calls at call rates up to 150 calls per second. As expected, given the unique nature of each attack type and the SBC processing power required to reject each attack, the level of legitimate SIP traffic that could be processed was found to vary. Ultimately, the NexTone MSC continued to provide effective protection without significantly impacting throughput performance of valid SIP calls.
Table 2: Test Results, SIP Calls + Attacks

Test Run Description        Total SIP   Simul. SIP    SIP Call   Attack Packet   SIP Call Setup
                            Endpoints   Calls, avg.   Rate, cps  Rate, pps       Latency, mSec [4]
SIP Call Baseline           55,680      27,330        150        0               19
SIP INVITE Flood            55,680      27,330        150        110,997         258
SIP REGISTER Flood          41,880      20,430        140        117,048         111
SIP INVITE Spoof Flood      36,480      17,730        110        133,305         150
SIP Response Spoof Flood    41,880      20,430        140        144,775         194

Notes:
SIP Call Baseline: Test run at high SIP call rate, without attacks.
SIP INVITE Flood: SER was unaffected, and the NexTone MSC continued to process legitimate VoIP traffic.
SIP REGISTER Flood: SER was unaffected, and the NexTone MSC continued to process legitimate VoIP traffic.
SIP INVITE Spoof Flood: Endpoints being spoofed resulted in packets being correctly blocked by the NexTone MSC. SER was unaffected, and the NexTone MSC continued to process legitimate VoIP traffic.
SIP Response Spoof Flood: Endpoints being spoofed resulted in packets being correctly blocked by the NexTone MSC. SER was unaffected, and the NexTone MSC continued to process legitimate VoIP traffic.

RTP jitter performance was notable for the above test runs, with 0.3 mSec average measured for the SIP INVITE Flood test run. The SIP REGISTER Flood test resulted in an average of 1.2 mSec of RTP jitter. In all cases [5], the level of RTP jitter induced by the NexTone MSC was found to be insignificant and would not have any impact on user-perceived voice quality.
Footnotes:
[4] SIP call setup latency is a performance metric that measures the interval between the SIP INVITE message and the final ACK message from the originating endpoint, confirming establishment of the call session.
[5] RTP jitter data not available for the spoof flood tests since RTP data is collected from the same gateways being spoofed.
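As an added example, not code from the CT Labs report or from NexTone's product, the following Python parses a constructed SIP signaling trace and derives two of the quantities this report works with: per-call setup latency as defined in footnote 4 (INVITE to ACK for the same Call-ID) and a per-source message-rate check that flags senders outside the legitimate call-generator set, in the spirit of the Table 1 INVITE/REGISTER flood descriptions. The trace line format, the addresses and the 50-messages-per-second threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample trace (not data from the report).
# Assumed line format: "<arrival_ms> <src_ip> <method_or_status> <call_id>"
LEGIT = {"10.1.0.5", "10.1.0.6"}            # assumed legitimate call generators
TRACE = [
    "0 10.1.0.5 INVITE c1", "9 10.1.0.5 ACK c1",
    "100 10.1.0.6 INVITE c2", "129 10.1.0.6 ACK c2",
    "200 10.1.0.5 INVITE c3", "458 10.1.0.5 ACK c3",
    "300 10.1.0.6 INVITE c4",                # never acknowledged: not counted
]
# Constructed flood: 500 INVITEs within one second from five outside sources
TRACE += [f"{i * 2} 192.0.2.{i % 5 + 1} INVITE f{i}" for i in range(500)]

LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse(lines):
    """Return (t_ms, src, msg, call_id) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def setup_latencies(events):
    """Footnote 4 metric: ms from the first INVITE to the first ACK of a Call-ID.
    Calls that never see an ACK are left out of the result."""
    invite_at, latency = {}, {}
    for t, _src, msg, cid in sorted(events):
        if msg == "INVITE" and cid not in invite_at:
            invite_at[cid] = t
        elif msg == "ACK" and cid in invite_at and cid not in latency:
            latency[cid] = t - invite_at[cid]
    return latency

def flood_sources(events, legit=LEGIT, threshold=50):
    """Sources outside `legit` that exceed `threshold` messages in any one-second
    bucket, i.e. Table 1's 'sources other than legitimate ones'."""
    buckets = defaultdict(int)
    for t, src, _msg, _cid in events:
        buckets[(src, t // 1000)] += 1
    return sorted({src for (src, _sec), n in buckets.items()
                   if n > threshold and src not in legit})

if __name__ == "__main__":
    ev = parse(TRACE)
    lat = setup_latencies(ev)
    print("average setup latency (ms):", round(sum(lat.values()) / len(lat), 1))
    print("flood sources:", flood_sources(ev))
```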
Test Results, Continued
Included in the metrics collected during each test run were SIP call setup latency and RTP jitter induced by the NexTone MSC session border controller while under attack. As shown in the graph below, the measured impact during the challenging SIP INVITE Flood attack was 258 mSec of SIP call setup latency, a minimal effect on user-perceived performance (call setup delays of less than 400 mSec will not degrade a user’s call experience). Note that this test case was run while simultaneously processing 55,680 endpoints of valid SIP calls. To further underscore the NexTone MSC’s performance, during the SIP INVITE Flood test the average call’s RTP jitter was observed to be 0.3 mSec, an excellent result.
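The report does not state how the Hammer FX-IP derives its jitter figures. As an added illustration, not the report's or the test tool's code, the following Python applies the RFC 3550 section 6.4.1 interarrival jitter estimator to three constructed RTP streams (assumed G.711 at an 8 kHz clock with 20 ms packets) so that figures such as the 0.3 mSec and 1.2 mSec averages above can be read against a concrete definition.

```python
RTP_CLOCK_HZ = 8000   # assumed G.711 clock: a 20 ms packet advances the timestamp by 160

def interarrival_jitter_ms(packets, clock_hz=RTP_CLOCK_HZ):
    """RFC 3550 6.4.1 estimator. packets: (rtp_timestamp, arrival_ms) in arrival
    order. D(i-1,i) is the change in transit time between consecutive packets;
    J is smoothed with gain 1/16 and returned in milliseconds."""
    jitter, prev = 0.0, None
    for ts, arrival in packets:
        if prev is not None:
            prev_ts, prev_arrival = prev
            d = (arrival - prev_arrival) - (ts - prev_ts) * 1000.0 / clock_hz
            jitter += (abs(d) - jitter) / 16.0
        prev = (ts, arrival)
    return jitter

def stream(late_ms, clock_hz=RTP_CLOCK_HZ, ptime_ms=20):
    """Constructed stream: packet k is sent at k*ptime_ms and arrives late_ms[k]
    later than ideal; returns (rtp_timestamp, arrival_ms) tuples."""
    ticks = clock_hz * ptime_ms // 1000
    return [(k * ticks, k * ptime_ms + late) for k, late in enumerate(late_ms)]

CLEAN = stream([0] * 101)                      # perfectly paced delivery
WOBBLE = stream([k % 2 for k in range(101)])   # alternates 0 ms / 1 ms late
SPIKE = stream([0] * 50 + [30] + [0] * 50)     # a single packet delayed 30 ms

def report():
    """Final jitter estimate in ms for each constructed stream."""
    return {name: interarrival_jitter_ms(pk)
            for name, pk in (("clean", CLEAN), ("wobble", WOBBLE), ("spike", SPIKE))}

if __name__ == "__main__":
    for name, j in report().items():
        print(f"{name}: {j:.3f} ms")
```

The estimator's 1/16 gain means a lone 30 ms late packet decays to well under the report's 0.3 mSec figure within a second, while a steady 1 ms wobble settles near 1 ms.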
[Chart: SIP Call Setup Latency, Average (mSec); vertical axis 0 to 500 mSec. Bars: SIP call baseline (no attacks) 19; SIP calls + REGISTER Flood 111; SIP calls + INVITE Spoof Flood 150; SIP calls + RESPONSE Spoof Flood 194; SIP calls + INVITE Flood 258.]
In addition to the attack tests conducted while valid SIP calls transited the NexTone MSC, the SIP Malformed and Torture Test Flood tests were run to verify the survivability of the NexTone MSC’s SIP parser mechanisms when subjected to malformed and unusually formatted SIP messages. The primary goal of these test cases was to ensure that the MSC did not crash while being subjected to high packet rates of these malformed messages. As the results in Table 3 indicate, in both tests the NexTone MSC continued to run and provide protection for the SER proxy. Given the high packet rates for these tests, the results show the NexTone MSC is a highly capable performer when subjected to these types of flood attacks.
Table 3: Test Results, Malformed Packets / Torture Test Attacks

Test Run Description         Attack Packet Rates, pps   Notes
SIP Malformed Packet Flood   88,600                     SER was unaffected, and the NexTone MSC continued to run without deleterious effects.
SIP Torture Test Flood       149,980                    SER was unaffected, and the NexTone MSC continued to run without deleterious effects.
62-Hour Reliability Test
Many product problems associated with the attack conditions created in this test are expected to precipitate rapid failures or crashes in less robust products. However, a final long-term test run was conducted to further verify that the NexTone MSC was free from memory leaks and other internal resource management faults that can take longer to occur.
This 62-hour test was conducted with 41,880 SIP endpoints at 140 cps while under a continuous INVITE Flood attack at an average rate of 110 kpps. In other words, a very demanding environment. The result: the NexTone MSC successfully processed over 18.7 million legitimate SIP calls with a call success rate of 99.998%; this, while continuing to provide protection to the SER proxy server on the staged network.
Company Information

About NexTone
NexTone develops carrier-grade products for delivering scalable control of real-time IP services, such as voice over IP (VoIP). NexTone's solutions enable carriers, service providers, and enterprises to securely, simply, and cost-effectively interconnect networks for end-to-end control and management of IP traffic. As of December 2005, NexTone's real-time IP technology is installed by more than 370 service providers and enterprises worldwide to dramatically reduce capital expenditures and deliver ongoing operational efficiencies such as reduced interconnect "turn-up" time and simplified network operations. The company is headquartered in Gaithersburg, Maryland, USA, with domestic and international offices worldwide. For more information, www.nextone.com.

About CT Labs
CT Labs was founded in 1998 with the mission of providing outsourced Q/A testing and marketing report services to the converged communications industry. The CT Labs team brings with it a wide range of talents and experience that gives us a unique ability to solve the most challenging test projects. Our open testing services philosophy enables us to provide our customers with test plans, test execution, testing reports, and even assistance in setting up specific testing environments in their own testing areas.

Our test lab is well-equipped with tools and test platforms from our technology partners. In addition, CT Labs has the in-house expertise to develop specialized tools when off-the-shelf solutions are not available. CT Labs prides itself on keeping our lab current, enabling us to perform testing projects on cutting-edge next-generation network products and technologies.

www.ct-labs.com
v: +1 916-577-2100
f: +1 916-577-2101
[email protected]
Multiprotocol Session Controller and NexTone MSC are trademarks or registered trademarks of NexTone in the United States and other countries. All other trademarks contained herein are the property of their respective owners.