Additional sections:
In this section:
The
IP Access Control Lists (ACLs) are filters and policers that deals only with packets associated with SIP message arriving at the SBC. It is not concerned with SIP message leaving the SBC. ACLs protect the SBC from attacks by preventing traffic from all other IP addresses except those specified on the "white list". However, only signaling and management IP traffic is subjected to IP ACL filtering. Media IP traffic (such as RTCP, SRTCP, SRTP and RTP) is not subjected to IP ACL filtering. For more information on IP ACLs, see Types of ACLs.
An attack is defined as an excessive packet discard rate (of various packet types), when the rate of incoming packets exceeds the Fill Rate. Fill Rate is measured in "packets per second" or "pps". The policing is done based on fill rate and token buckets. Fill rate determines the rate in which credits are applied to the bucket. So a 20 pps Fill Rate means one credit every 50 millisecond. If you have a Bucket Size of 50 packets and Fill Rate of 20 pps, the policer can handle a burst of 50 packets but if the 51st packet arrives 49 millisecond later, that packet will be dropped. This is because the Fill Rate applies credit every 50 millisecond so a packet arriving before that will get dropped. The Bucket Size allows room for sudden bursts of traffic, whereas the Fill Rate indicates the expected steady state flow of the traffic. For more information on Token Buckets and Fill Rates, please consult Token Bucket Policers.
Once recognized, a DoS attacks trigger alarms. Packet discard rate thresholds and duration are defined for recognizing the end of an attack which also triggers an alarm.
The policers monitor all packets. Packet discard rates are measured against the threshold rate and duration levels configured in the Discard Rate Profile. An alarm is triggered when a a threshold discard rate (or higher) is maintained for a prescribed duration. That alarm is cleared when a lesser threshold is met and that discard rate (or lower) is maintained for a prescribed duration. These alarms are configured on a system-wide basis.
On SBC platforms, network interfaces may be configured with IP policers. Media policing is enabled/disabled on a system-wide basis and operates on a per-media flow basis. The policer configuration, status, and statistics are accessible through EMA or CLI.
The
Once a received packet is validated by the hardware, it is placed into either a media or non-media stream. SBC decides if a packet is a media packet, signaling packet, or a management packet.
Dynamic blacklisting is a feature that detects abnormal events from end points, and blocks traffic from those end points for a configured period of time. Dynamic blacklisting is designed to detect misbehaving end points rather than prevent malicious attacks, for which the system already has other mechanisms.
Dynamic Blacklist (DBL) events and the actions to take for each event are configurable using a set of DBL rules in a DBL profile. The DBL profile is then assigned to a SIP trunk group. Any packets entering the system from that trunk group is then compared against the rules configured in that DBL profile.
A summary of the high level
Initially, wire-rate policers are applied as soon as the SBC receives a packet at NIF (see Figure 1 for the flow).
The term "wire-rate policer" represents the steps performed before registered/registering peer policing/aggregate policing.
When an operator configures multiple SIP signaling ports on the same IP address in the same address context,
The default system ACL for SIP signaling ports uses a wild-carded protocol, source IP, source port number, destination port number.
If you need to police packets sent to individual SIP signaling ports, configure 'user' IP ACLs for each SIP signaling port. In an IP ACL for access deployment, specify not only destination address (SIP signaling address), but also protocol (UDP/TCP) and destination port number (SIP signaling port's UDP/TCP port number). In a case where SIP port is used for a peering deployment, the peer's IP address (source IP) and port number (source port) are frequently known and can additionally be specified in the IP ACL.
The table below depicts IP ACLs and the default system ACL for two SIP signaling ports configured with the same IP address (10.10.10.20) with port numbers 5060 and 5070 for peering scenario where port number 5060 supports both SIP-UDP and SIP-TCP and port number 5070 supports SIP-UDP only. The two peers' addresses/ports are 20.20.20.20:5080 (Peer A) and 30.30.30.30:5090 (Peer B), respectively.
Configuration of the IP ACLs is accomplished using lower precedence values ("higher priority") for the IP ACLs and fully specified for the protocol, source-IP, and source-Port.