Use this feature to reset designated offender lists as described below.

This command is executable from both the System-level and Configure modes.

Command Syntax

% request system ipPolicing resetOffendersList name
<aclOffendersList | aggregateOffendersList | arpOffendersList | badEtherIpHdrOffendersList | discardRuleOffendersList | mediaOffendersList | rogueMediaOffendersList |  srtpDecryptOffendersList  | uFlowOffendersList>

Command Parameters

IP Policing Parameters

ipPolicing – The IP Monitoring MIB module name.

resetOffendersList – Use this object to reset the data in the selected offenders list.

  • name – The offenders list name:
    • aclOffendersList – The table of statistics for Access Control List policer offenders list.
    • aggregateOffendersList – The table of statistics for the aggregate policer offenders list.
    • arpOffendersList – The table of statistics for the ARP policer offenders list.
    • badEtherIpHdrOffendersList – The table of statistics for the bad Ethernet/IP Header policer offenders list. For example:
      • Only broadcast ARP packets are allowed; all other broadcast packets are considered bad.

      • Only ICMPV6 neighbor discovery packets are allowed under multicast MAC address. Anything else is considered bad.

      • If DestMAC is zero, it is considered a bad packet.

      • Anything other than ethertype (IPV4, IPV6, VLAN) is considered bad.

      • IP Checksum error.

      • IP version other than 4 or 6 is considered bad.

      • Bad IP Header length

      • Packet that is not long enough to contain IP header.

      • TTL == 0 is considered bad.

      • IPV4 with options set is considered bad.

      • IPV6 with initial next header field of 0, 60, or 43 is considered bad.

    • discardRuleOffendersList – The table of statistics for the discard rule offenders list. For example: ACLi discard rule packets.

    • srtpDecryptOffendersList – Contains SRTP packets which failed authentication or were flagged as replay packets. This could indicate malicious media packet attacks, or it can be used to troubleshoot "no audio" calls using SRTP. See srtpDecryptOffendersList / srtpDecryptOffendersIntStats Details.

    • mediaOffendersList – The table of statistics for the media policer offenders list. For example: Media packets exceeding the policing value.

    • rogueMediaOffendersList – The table of statistics for the rogue media policer offenders list. For example:
      • UDP packets received in the media port range, but the destination UDP port is not allocated for a media call
      • Media packets where the source port, source address or destination address do not match the allocated media resource
    • uFlowOffendersList – The table of statistics for the micro flow policer offenders list. For example: Microflow packet exceeding the policing rate.

srtpDecryptOffendersList / srtpDecryptOffendersIntStats Details

addressContext – The name of the address context of the table entry.

destinationIpAddress – The destination IP address of the table entry.

destinationIpPort – The destination IP port of the table entry.

discardCount – The number of packets discarded.

etherType – The first ethertype found in the Ethernet packet.

interfaceGroupName – The name of the interface group of the table entry.

interfaceName – The name of the interface of the table entry.

ipProtocol – The IP protocol of the table entry.

sourceIpAddress – The source IP address of the table entry.

sourceIpPort – The source IP port of the table entry.

sourceUnique – Determines if all discards were from a unique source address.

Offenders List Details

IP Policing Offenders Lists

ACL Offenders List – The Access Control List policer offenders list.

Aggregate Offenders List – The aggregate policer offenders list.

ARP Offenders List – The ARP policer offenders list.

Bad Ethernet IP Header Offenders List – The bad Ethernet/IP Header policer offenders list. Ethernet/IP headers are considered bad under the following conditions:

  • Only broadcast ARP packets are allowed; all other broadcast packets are considered bad.

  • Anything other than the following unicast/multicast ICMPV6 packets is considered bad:

    • Type 2 (Packet too big)
    • Type 3 (ICMP Time exceeded) Code 0 (hop limit exceeded).
    • Type 128 (ICMPV6 Echo request)
    • Type 129 (ICMPV6 Echo reply)
    • Type 135 Neighbor Solicitation
    • Type 136 Neighbor Advertisement
  • Anything other than the following unicast ICMPV4 packets is considered bad:

    • Type 0 Echo Reply

    • Type 3 Code 4 (Destination unreachable, fragmentation required)

    • Type 8 Echo Request

    • Type 11 Code 0 (Time Exceeded, TTL expired)

  • Only ICMPV6 neighbor discovery packets are allowed under multicast MAC address. Anything else is considered bad.

  • If DestMAC is zero, it is considered a bad packet.

  • Anything other than ethertype (IPV4, IPV6, VLAN) is considered bad.

  • IP Checksum error is considered bad.

  • IP version other than 4 or 6 is considered bad.

  • Bad IP header length.

  • Packet that is not long enough to contain an IP header.

  • TTL == 0 is considered bad.

  • IPV4 with options set is considered bad.

  • IPV6 with initial next header field of 0, 60, or 43 is considered bad.
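
As an added illustration, not the SBC's own code, the following Python classifier applies the Ethernet/IP header conditions listed above to a raw frame and returns the first condition it hits, which is useful for checking offline why a captured frame landed in this list. The ICMPv4/ICMPv6 type filtering and the multicast-MAC rule are left out; the function names, the 802.1Q tag handling and the constructed sample frame (which reuses the 10.10.10.10 to 10.22.22.22 addresses from the command example) are assumptions made for this example.

```python
import struct
BAD_V6_NEXT_HDR = {0, 60, 43}   # hop-by-hop, destination options, routing headers
def ipv4_checksum(hdr: bytes) -> int:
    # One's-complement sum over the header; a header with a valid checksum sums to 0
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def classify_frame(frame: bytes) -> str:
    if len(frame) < 14:
        return "bad: truncated Ethernet header"
    dst_mac, ethertype, ip = frame[:6], struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == 0x8100 and len(ip) >= 4:          # VLAN is allowed: strip one 802.1Q tag
        ethertype, ip = struct.unpack("!H", ip[2:4])[0], ip[4:]
    if dst_mac == b"\x00" * 6:
        return "bad: zero destination MAC"
    if dst_mac == b"\xff" * 6 and ethertype != 0x0806:
        return "bad: non-ARP broadcast"
    if ethertype not in (0x0800, 0x86DD):             # ARP itself is the ARP policer's job
        return "ok" if ethertype == 0x0806 else "bad: ethertype 0x%04x" % ethertype
    version = ip[0] >> 4 if ip else 0
    if version == 4:
        ihl = (ip[0] & 0x0F) * 4
        if ihl < 20 or len(ip) < ihl:
            return "bad: IPv4 header length or packet too short"
        if ipv4_checksum(ip[:ihl]) != 0:
            return "bad: IPv4 checksum"
        if ip[8] == 0:
            return "bad: TTL == 0"
        if ihl > 20:
            return "bad: IPv4 options present"
        return "ok"
    if version == 6:
        if len(ip) < 40:
            return "bad: packet too short for IPv6 header"
        if ip[7] == 0:
            return "bad: TTL == 0"                    # hop limit, the IPv6 equivalent
        if ip[6] in BAD_V6_NEXT_HDR:
            return "bad: IPv6 next header %d" % ip[6]
        return "ok"
    return "bad: IP version %d" % version

def ipv4_frame(ttl: int = 64, options: bytes = b"", dst_mac: bytes = b"\x02" * 6) -> bytes:
    # Constructed sample: Ethernet + IPv4/UDP 10.10.10.10 -> 10.22.22.22 with a valid checksum
    ihl = 20 + len(options)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + 8, 0, 0, ttl, 17, 0,
                      bytes([10, 10, 10, 10]), bytes([10, 22, 22, 22])) + options
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return dst_mac + b"\x02" * 6 + b"\x08\x00" + hdr + b"\x00" * 8
```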

Discard Rule Offenders List – The table of statistics for the discard rule offenders list. For example: ACLi discard rule packets.

IPsec Decrypt Offenders List – The table of statistics for the IPsec Decrypt policer offenders list. For example:

  • Bad IPsec packet

  • Authentication error

  • Invalid SSID

  • IPsec protocol == AH

Media Offenders List – The table of statistics for the media policer offenders list. For example: Media packets exceeding the policing value.

Rogue Media Offenders List – The table of statistics for the rogue media policer offenders list. For example:

  • UDP packets received in the media port range, but the destination UDP port is not allocated for media call
  • Media packets where source port, source address or destination address do not match the allocated media resource

srtpDecryptOffendersList – The table of statistics for the SRTP decrypt offenders list. This contains SRTP packets which failed authentication or were flagged as replay packets. This could indicate malicious media packet attacks, or it can be used to troubleshoot "no audio" calls using SRTP.

uFlow Offenders List – The table of statistics for the Micro Flow policer offenders list. For example: Microflow packet exceeding the policing rate.

Note: rogueMediaOffendersList vs. mediaOffendersList

Entries in the Media Offenders List are allocated media packets that violate the policing rules: the associated call is sending too many media packets. This could indicate a possible “Theft of Service” scenario. Entries in the Rogue Media Offenders List are media packets that the SBC is receiving but for which no resource is allocated. This may be a Denial of Service attack, or an indication that a call was terminated but the other end is still sending media packets.
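
To make the distinction concrete, here is an added Python sketch, not the SBC's own implementation, that sorts inbound UDP packets into the two lists by the rules above: a packet with no allocated resource, or whose source port, source address or destination address does not match the allocation, goes to the rogue list, while an allocated flow that exceeds its policing rate goes to the media list. The media port range, the per-interval packet limit and the class API are assumptions made for this example.

```python
from collections import defaultdict

MEDIA_PORT_RANGE = range(16384, 32768)   # assumed local media UDP port range for this example

class MediaPolicer:
    """Sorts inbound UDP packets into 'forwarded', 'media-offender' or 'rogue'."""

    def __init__(self, rate_limit: int):
        self.rate_limit = rate_limit      # packets allowed per allocated flow per interval (assumed)
        self.allocated = {}               # local dst port -> (remote ip, remote port, local ip)
        self.counts = defaultdict(int)    # packets seen per dst port in the current interval
        self.media_offenders = defaultdict(int)   # 5-tuple -> discards, like mediaOffendersList
        self.rogue_offenders = defaultdict(int)   # 5-tuple -> discards, like rogueMediaOffendersList

    def allocate(self, dst_port: int, src_ip: str, src_port: int, dst_ip: str) -> None:
        self.allocated[dst_port] = (src_ip, src_port, dst_ip)   # call set-up allocates the resource

    def release(self, dst_port: int) -> None:
        self.allocated.pop(dst_port, None)                      # call torn down
        self.counts.pop(dst_port, None)

    def new_interval(self) -> None:
        self.counts.clear()                                     # policing window rolls over

    def classify(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        if dst_port not in MEDIA_PORT_RANGE:
            return "not-media"                                  # other policers handle it
        flow = (src_ip, src_port, dst_ip, dst_port, "udp")
        if self.allocated.get(dst_port) != (src_ip, src_port, dst_ip):
            self.rogue_offenders[flow] += 1   # no resource, or a mismatched tuple: rogue media
            return "rogue"
        self.counts[dst_port] += 1
        if self.counts[dst_port] > self.rate_limit:
            self.media_offenders[flow] += 1   # allocated call sending too much: media offender
            return "media-offender"
        return "forwarded"
```

A packet that keeps arriving after `release()` is counted in the rogue list, which is the "call terminated but the far end is still sending" case described above.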

Command Example

> show table system ipPolicing aclOffendersList
                        INTERFACE                                         SOURCE
               ADDRESS  GROUP      INTERFACE  SOURCE IP      DESTINATION  IP      DESTINATION  IP        DISCARD
ROLE    INDEX  CONTEXT  NAME       NAME       ADDRESS        IP ADDRESS   PORT    IP PORT      PROTOCOL  COUNT
------------------------------------------------------------------------------------------------------------------
active  1      default             mgt1       10.10.10.10    10.22.22.22  123     1024         17        1
[ok][2013-07-19 16:52:29]

> request system ipPolicing resetOffendersList name aclOffendersList
result success
reason
[ok][2013-07-19 16:53:38]

> show table system ipPolicing aclOffendersList
                      INTERFACE             SOURCE                SOURCE
             ADDRESS  GROUP      INTERFACE  IP       DESTINATION  IP      DESTINATION  IP        DISCARD
ROLE  INDEX  CONTEXT  NAME       NAME       ADDRESS  IP ADDRESS   PORT    IP PORT      PROTOCOL  COUNT
----------------------------------------------------------------------------------------------------------
[ok][2013-07-19 16:53:51]
