The following EMA Policer monitoring windows are explained in this section:

 

Offenders List details are provided below.

IP Policing Offenders Lists

ACL Offenders List – The Access Control List policer offenders list.

Aggregate Offenders List – The aggregate policer offenders list.

ARP Offenders List – The ARP policer offenders list.

Bad Ethernet IP Header Offenders List – The bad Ethernet/IP Header policer offenders list. Ethernet/IP headers are considered bad under the following conditions:

  • Only broadcast ARP packets are allowed; all other broadcast packets are considered bad.

  • Any unicast/multicast ICMPV6 packet other than the following is considered bad:

    • Type 2 (Packet too big)
    • Type 3 (ICMP Time exceeded) Code 0 (hop limit exceeded).
    • Type 128 (ICMPV6 Echo request)
    • Type 129 (ICMPV6 Echo reply)
    • Type 135 Neighbor Solicitation
    • Type 136 Neighbor Advertisement
  • Any unicast ICMPV4 packet other than the following is considered bad:

    • Type 0 Echo Reply

    • Type 3 Code 4 (Destination unreachable, fragmentation required)

    • Type 8 Echo Request

    • Type 11 Code 0 (Time Exceeded, TTL expired)

  • Only ICMPV6 neighbor discovery packets are allowed with a multicast MAC address. Anything else is considered bad.

  • If DestMAC is zero, it is considered a bad packet.

  • Any ethertype other than IPV4, IPV6, or VLAN is considered bad.

  • IP Checksum error is considered bad.

  • IP version other than 4 or 6 is considered bad.

  • A bad IP header length is considered bad.

  • A packet that is not long enough to contain an IP header is considered bad.

  • TTL == 0 is considered bad.

  • IPV4 with options set is considered bad.

  • IPV6 with initial next header field of 0, 60, or 43 is considered bad.
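The IP-layer conditions in the list above, applied to raw packet bytes. This is an added illustration, not the SBC's own code: it does not cover the Ethernet-level rules (broadcast, multicast MAC, DestMAC, ethertype) or the ICMPV6 list, and the order of the checks, the function names and the sample packet builder are assumptions.

```python
import struct

# (type, code) pairs from the ICMPV4 list above; None = code not checked,
# because the page gives no code for echo request/reply.
ALLOWED_ICMPV4 = {(0, None), (3, 4), (8, None), (11, 0)}

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 over a full header means valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify_ip(pkt: bytes):
    """Return the first 'bad header' reason that applies, or None."""
    if not pkt:
        return "too short for IP header"
    version = pkt[0] >> 4
    if version == 6:
        if len(pkt) < 40:
            return "too short for IP header"
        return "IPv6 next header 0, 60 or 43" if pkt[6] in (0, 60, 43) else None
    if version != 4:
        return "IP version other than 4 or 6"
    if len(pkt) < 20:
        return "too short for IP header"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        return "bad IP header length"
    if ihl > 20:
        return "IPv4 options set"
    if ip_checksum(pkt[:20]) != 0:
        return "IP checksum error"
    if pkt[8] == 0:
        return "TTL == 0"
    if pkt[9] == 1:  # protocol 1 = ICMP
        icmp = pkt[20:22]
        if len(icmp) < 2 or not {(icmp[0], icmp[1]), (icmp[0], None)} & ALLOWED_ICMPV4:
            return "ICMPV4 type/code not allowed"
    return None

def build_ipv4(ttl=64, proto=17, payload=b"", options=b""):
    """Constructed sample packet (documentation addresses, valid checksum)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                      20 + len(options) + len(payload), 0, 0, ttl, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + options
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload
```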

Discard Rule Offenders List – The table of statistics for the discard rule offenders list. For example: ACLi discard rule packets.

IPsec Decrypt Offenders List – The table of statistics for the IPsec Decrypt policer offenders list. For example:

  • Bad IPsec packet

  • Authentication error

  • Invalid SSID

  • IPsec protocol == AH

Media Offenders List – The table of statistics for the media policer offenders list. For example: Media packets exceeding the policing value.

Rogue Media Offenders List – The table of statistics for the rogue media policer offenders list. For example:

  • UDP packets received in the media port range, but the destination UDP port is not allocated for media call
  • Media packets where source port, source address or destination address do not match the allocated media resource

srtpDecryptOffendersList – The table of statistics for the SRTP decrypt offenders list. This contains SRTP packets which failed authentication or were flagged as replay packets. This could indicate malicious media packet attacks, or it can be used to troubleshoot "no audio" calls using SRTP.

uFlow Offenders List – The table of statistics for the micro flow policer offenders list. For example: Microflow packet exceeding the policing rate.


Contrasting the Rogue Media Offenders List and the Media Offenders List:

Entries in the Media Offenders List are for allocated media packets that violate the policing rules. The associated call is sending too many media packets. This could indicate a possible “Theft of Service” scenario. Entries in the Rogue Media Offenders List are media packets that the SBC is receiving but for which no resource is allocated. This may be a Denial of Service attack or an indication that a call was terminated but the other end is still sending media packets.
