The SBC Core provides Denial of Service (DoS) protection while under attack, both for existing calls and subscribers and for new valid calls and subscribers. The (non-exhaustive) list of attack types that are mitigated includes:

  • UDP packet flood
  • SIP signaling flood
  • Corrupted SIP signaling flood
  • ARP flood
  • ICMP flood
  • TCP SYN flood
  • Corrupted Ethernet packet flood
  • Corrupted IP packet flood
  • Fragmented Media (non-signaling) packet flood

For the SBC 7000, these attacks can be up to the entire 10G line rate possible on the network interfaces. As long as the upstream networking infrastructure elements deliver all valid packets (i.e. that service is not impaired by upstream networking elements), the SBC 7000 will accomplish the following for all attack types:

  • Ensure that MOS score of existing calls does not degrade by more than 10%
  • Properly control signaling on all existing calls and registrations
  • Continue providing service to at least 80% of the engineered call rate

Note that for non-secured streams, the protection guarantees apply to calls and signaling peers whose source IP addresses are not being spoofed by the attacker. If the attacker is spoofing addresses, then non-secured media or signaling from the spoofed address will be affected (since the SBC cannot distinguish good traffic from bad traffic in this case), but all other calls and signaling remain protected.

For secured media streams (SRTP) and secured signaling (TLS or IPsec), the attacker cannot affect these streams, since the SBC ensures that only properly authenticated packets are accepted.