In this section:
The
IP Access Control Lists (ACLs) are filters and policers that deals only with packets associated with SIP message arriving at the
An attack is defined as an excessive packet discard rate (of various packet types), when the rate of incoming packets exceeds the Fill Rate. Fill Rate is measured in "packets per second" or "pps". The policing is done based on fill rate and token buckets. Fill rate determines the rate in which credits are applied to the bucket. So a 20 pps Fill Rate means one credit every 50 millisecond. If you have a Bucket Size of 50 packets and Fill Rate of 20 pps, the policer can handle a burst of 50 packets but if the 51st packet arrives 49 millisecond later, that packet will be dropped. This is because the Fill Rate applies credit every 50 millisecond so a packet arriving before that will get dropped. The Bucket Size allows room for sudden bursts of traffic, whereas the Fill Rate indicates the expected steady state flow of the traffic. For more information on Token Buckets and Fill Rates, please consult Token Bucket Policers.
Once recognized, a DoS attacks trigger alarms. Packet discard rate thresholds and duration are defined for recognizing the end of an attack which also triggers an alarm.
The policers monitor all packets. Packet discard rates are measured against the threshold rate and duration levels configured in the Discard Rate Profile. An alarm is triggered when a a threshold discard rate (or higher) is maintained for a prescribed duration. That alarm is cleared when a lesser threshold is met and that discard rate (or lower) is maintained for a prescribed duration. These alarms are configured on a system-wide basis.
On the
The
Once a received packet is validated by the hardware, it is placed into either a media or non-media stream. The
Dynamic blacklisting is a feature that detects abnormal events from end points, and blocks traffic from those end points for a configured period of time. Dynamic blacklisting is designed to detect misbehaving end points rather than prevent malicious attacks, for which the system already has other mechanisms.
Dynamic Blacklist (DBL) events and the actions to take for each event are configurable using a set of DBL rules in a DBL profile. The DBL profile is then assigned to a SIP trunk group. Any packets entering the system from that trunk group is then compared against the rules configured in that DBL profile.
The The enhanced DBL Profile is configured to contain one or more rules. The profile is then associated with a SIP Trunk Group. The rules contain criteria and action. This rejectWithResponse
action, all SIP requests from that endpoint are rejected with the response configured in the rule for the configured effective period. When the timer expires, the entry is removed.badSipMessage
, and endpoint CAC rejection.For more information, refer to:
A summary of the high level
Initially, wire-rate policers are applied as soon as the
The term "wire-rate policer" represents the steps performed before registered/registering peer policing/aggregate policing.
Non-signaling packets are put into specific aggregate policers based on protocol type (management, overhead, ICMP, IKE, ARP, media).
Media is policed at the rate implied by the codec selected during call setup. For the other protocols, a system-installed ACL is used.
When an operator configures multiple SIP signaling ports on the same IP address in the same address context,
The default system ACL for SIP signaling ports uses a wild-carded protocol, source IP, source port number, destination port number.
If you need to police packets sent to individual SIP signaling ports, configure 'user' IP ACLs for each SIP signaling port. In an IP ACL for access deployment, specify not only destination address (SIP signaling address), but also protocol (UDP/TCP) and destination port number (SIP signaling port's UDP/TCP port number). In a case where SIP port is used for a peering deployment, the peer's IP address (source IP) and port number (source port) are frequently known and can additionally be specified in the IP ACL.
The table below depicts IP ACLs and the default system ACL for two SIP signaling ports configured with the same IP address (10.10.10.20) with port numbers 5060 and 5070 for peering scenario where port number 5060 supports both SIP-UDP and SIP-TCP and port number 5070 supports SIP-UDP only. The two peers' addresses/ports are 20.20.20.20:5080 (Peer A) and 30.30.30.30:5090 (Peer B), respectively.
Configuration of the IP ACLs is accomplished using lower precedence values ("higher priority") for the IP ACLs and fully specified for the protocol, source-IP, and source-Port.
The The To allow the Internet Control Message Protocol (ICMP) packets from different routers when the For the traceroute
utility provided by the GNU/Linux is utilized as a base for this functionality. This feature handles and processes the traceroute
requests from the Signaling Gateway (SG).traceroute
functionality for a peer IP address is invoked by sending a traceroute
request message to the Traceroute
module. The message contains details of the peer's IP address, which is processed by the TRCRT/Traceroute
module. This feature supports the following scenarios:traceroute
request to log the route for the blacklisted server.traceroute
request to log the route for the peer GW server.traceroute
starts, an Access Control List (ACL) entry is configured. As soon as the traceroute
output is available, this ACL entry is removed.traceroute
utility to work, a higher precedence "IP ACL rule" is created to accept ICMP traffic on the SIP Signaling port. This rule overrides any "deny-all" or "deny-ICMP" User ACL rule configured by the Administrator. This higher precedence "IP ACL rule" is created before the start of traceroute
for an endpoint, and is be removed as soon as the traceroute
is over. Thus, for the brief duration of traceroute
, the ICMP traffic to the Signaling port is allowed from any IP address, even if "deny-ICMP" or "deny-all" User ACL rules are configured in the system.
The The following fields are added to the object When these fields are configured and the object For a High Availability (HA) pair, the platformAuditLogs
to support pushing the audit logs to a remote server.platformAuditLogs
is enabled, the /etc/
rsyslog.conf
file is configured automatically to send the audit logs to the remote server. The
file sends the/etc/
rsyslog.conf /var/log/audit/audit.log
to the remote server's /var/log/messages
file. The remote server's /etc/rsyslog.conf
file must match the configuration of the platformAuditLogs
is enabled.platformAuditLogs
is disabled.
file is updated both on the Active and the Standby /etc/
rsyslog.conf