SIPFLOOD - SIP Floods
- Last Updated: April 5, 2026
Method description
This method detects devices that are trying to overwhelm SIP stations in the monitored network segment with a flood attack. The Threshold parameter sets the minimum ratio between the relevant packets received and the relevant packets sent by the victim. The PerCalledParty parameter sets the minimum count of relevant packets sent to a single SIP address. The MessageLimit parameter sets the minimum count of attempts made against the victim of the attack.
This method consists of the following submethods:
- Invite: Reports Denial of Service attacks on devices used for VoIP. The detection uses the Invite messages of the SIP protocol.
- Register: Reports Denial of Service attacks on devices used for VoIP. The detection uses the Register messages of the SIP protocol.
Method configuration
It is recommended to activate this method for all IP addresses of SIP devices in the monitored network segment. The right place for monitoring the traffic is the Internet connection line. This detection method must be activated together with a Data feed that has SIP processing activated.
Method parameters
- Threshold: Threshold for a minimum ratio of the count of packets with the Invite (or Register) flag set to the count of relevant responses.
- PerCalledParty: Threshold for a minimum count of packets with the Invite (or Register) flag set per called party.
- MessageLimit: Threshold for a minimum total count of attempts.
Assigned filter
Only flows whose source or destination IP address matches the assigned filter will be processed. The filter defines possible attack victims.
Interpretation of results
The typical purpose of this attack is to make VoIP services unavailable to legitimate users. The victim of the attack is shown as the event source. Event targets (attackers or devices trying to access the SIP connection during the attack) have generated a large number of Register or Invite requests, and the victim cannot handle that number of requests. The flooded victim also cannot handle real phone calls.
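The following Python sketch is an added example, not the product's own code: it shows how the three parameters, the assigned filter and the event source/target roles described above could fit together. It assumes all three thresholds must be met at once; the record layout, addresses and threshold values are constructed for illustration.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of aggregated SIP records (not real traffic, not a product format).
SAMPLE = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "method": "INVITE",
     "response": False, "called": "sip:100@example.test", "packets": 400},
    {"src": "198.51.100.8", "dst": "192.0.2.10", "method": "INVITE",
     "response": False, "called": "sip:100@example.test", "packets": 300},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "method": "INVITE",
     "response": True, "called": "sip:100@example.test", "packets": 50},
    {"src": "203.0.113.5", "dst": "192.0.2.20", "method": "INVITE",
     "response": False, "called": "sip:200@example.test", "packets": 4},
    {"src": "192.0.2.20", "dst": "203.0.113.5", "method": "INVITE",
     "response": True, "called": "sip:200@example.test", "packets": 4},
]

def detect_sip_flood(records, method, assigned_filter,
                     threshold, per_called_party, message_limit):
    """Return {victim_ip: {"ratio": float, "targets": [sender_ip, ...]}}."""
    nets = [ip_network(n) for n in assigned_filter]

    def in_filter(ip):  # the assigned filter defines the possible victims
        return any(ip_address(ip) in n for n in nets)

    requests, responses = Counter(), Counter()
    per_party = defaultdict(Counter)   # victim -> called party -> request packets
    senders = defaultdict(set)         # victim -> devices that sent requests
    for r in records:
        if r["method"] != method:
            continue
        if not r["response"] and in_filter(r["dst"]):
            requests[r["dst"]] += r["packets"]
            per_party[r["dst"]][r["called"]] += r["packets"]
            senders[r["dst"]].add(r["src"])
        elif r["response"] and in_filter(r["src"]):
            responses[r["src"]] += r["packets"]

    events = {}
    for victim, req in requests.items():
        ratio = req / max(responses[victim], 1)  # a silent victim must not divide by zero
        busiest = max(per_party[victim].values())
        # Assumption: an event needs all three minimums to be reached.
        if req >= message_limit and ratio >= threshold and busiest >= per_called_party:
            events[victim] = {"ratio": ratio, "targets": sorted(senders[victim])}
    return events
```

With the constructed sample, a filter of 192.0.2.0/24 and thresholds of 5, 100 and 200, only 192.0.2.10 is reported as the event source, and the low-volume call to 192.0.2.20 stays below MessageLimit.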