DDoS Prevention for Access Environments

This section presents recommended settings and guidelines for DDoS prevention in an access environment.

The settings outlined in this appendix apply to the following configuration models:
  • PBRB - Policy Based Realm Bridging Model
  • SNB - SIP NAT Bridge Model
  • SSNHTN - Single SIP NAT Hosted in Trusted Network Model

Supported Platforms

Platform   Flow Table   Memory
AP6350     2000000      48G
AP6300     1000000      16G
AP4600     1000000      16G
AP6100     1000000      16G
AP1100     1000000      4G
VME        1000000      4G
AP3900     1000000      16G

Observations/Limitations

The settings outlined in this appendix are beneficial when facing malicious or non-malicious flood attacks, such as a REGISTER avalanche following a network outage. By limiting the amount of untrusted traffic reaching the SBC, the registration rate is throttled and the SBC is not overrun by the high rate of registrations. However, there is a trade-off between the level of protection against a DDoS flood attack and the convergence time for this type of avalanche condition. For example, raising the percentage of untrusted bandwidth allowed will inevitably let more untrusted traffic traverse the SBC, and will shorten the convergence time. The cost is higher CPU usage during the flood, because the processor must handle the increased rate of registrations.

Additionally, when set as an option in the sip-configuration, reg-overload-protect requires that the SBC temporarily promote a registering endpoint upon receipt of a 401/407 response from the "real" registrar. This temporary promotion precedes the real and final promotion, which takes place following the 200 OK response to a REGISTER request containing authentication credentials. During a registration avalanche from untrusted sources, temporary promotion based on the initial REGISTER request sent from a specific source helps minimize the time it takes to promote the untrusted sources collectively to trusted, restoring service after an outage as quickly as possible. This is also referred to as minimizing the convergence time. The addition of any SIP option relevant to DDoS, including reg-overload-protect, would require additional testing. For customers with specific convergence requirements, additional research must be conducted to arrive at an appropriate DDoS configuration prior to deployment.

A limitation of the configuration parameters described in this appendix is the handling of SIP message spoofing. When a trusted user is "spoofed" by another user, or a defective trusted user sends many SIP messages, the CPU utilization of the SBC may spike to 100%. One safeguard implemented as part of this appendix is a setting for maximum-signaling-threshold, defined in the realm-configuration object. When set, this provides an entry-level amount of protection by removing a violating source from the trusted queue once the defined threshold is exceeded. To handle this scenario further, additional advanced DDoS configurations can be set. For example, if the desired outcome is to deny violating sources at the hardware level, the access-control-trust-level should be set to low in the realm-configuration object. This also requires the configuration of the untrusted-signal-threshold to properly demote offending untrusted users to the deny list. If one wishes instead to move a violating endpoint back into the untrusted queue, the access-control-trust-level of "medium" should be used.

The DDoS configuration recommendations in this appendix are meant as a general baseline to help protect the SBC from DDoS. For more complete protection, DDoS configurations should be determined by examining the applicable environment and customizing the settings based on the environment's traffic flows and load levels.

DDoS Access - Configuration Parameters

The following sections discuss the DDoS parameters pertinent to the scope of this appendix. The parameters used to satisfy the requirements and scope of this appendix cannot be considered exhaustive; they are the ones modified for this basic configuration. These parameters fall into three configuration areas: Media Manager, Realm Configuration, and SIP Interface. The maximum signaling bandwidth per platform should be set to keep the CPU usage below 90%.

Media Manager

The following media-manager parameters have been calculated for each configuration model.

  • max-untrusted-signaling - Maximum percentage of the allocated max-signaling-bandwidth for untrusted traffic (%)
  • min-untrusted-signaling - Minimum percentage of the allocated max-signaling-bandwidth for untrusted traffic (%)
  • max-signaling-bandwidth - The maximum bandwidth that the SBC can withstand (bytes/sec)

These parameters are set to values that do not allow a SIP Register flood attack to increase the total CPU utilization percentage to over 89%. The background trusted traffic must not be adversely affected.

The recommended values for these media-manager parameters for each test scenario are listed by system model.

The following Media Manager parameters have platform-specific defaults (not configurable; use "show acl info" to see the values for each platform).
  • min-media-allocation
  • min-trusted-allocation
  • deny-allocation

For this appendix, these defaults will be used and are indicated in the platform results later by system model.

Realm Configuration

The following realm-config parameters are used in the basic DDoS configuration.

Parameter                    Access Realm   Core Realm
access-control-trust-level   low            high
invalid-signal-threshold     1              0
average-rate-limit           0              0
maximum-signal-threshold     4000           0
untrusted-signal-threshold   1              0

The maximum-signal-threshold of 4000 is very high so as not to impact service. It should be reduced to a number close to the maximum number of signaling messages from one client within the tolerance-window on the realm, which by default is 30 seconds. Base the threshold on an actual trace to account for the extraneous messages that are normally not considered, and make sure to account for network loss and/or renegotiations.
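The interaction between the trust level and the thresholds above, as an added example that is not part of this appendix or of Oracle's software: a simplified Python model in which each source starts untrusted, is promoted on a successful registration, is removed from the trusted queue when maximum-signal-threshold is exceeded inside the tolerance-window, and, with access-control-trust-level low, is placed on the deny list for deny-period once untrusted-signal-threshold or invalid-signal-threshold is exceeded (medium only demotes, high never demotes). The function peak_messages_per_window sizes maximum-signal-threshold from a trace, as the paragraph above recommends. The state names, the treatment of a zero threshold as disabled, and the reset of the counter on demotion are this model's assumptions, not documented product behaviour; the two sample policies use the Acme Packet 1100 realm values given later in this appendix.

```python
# Added example, not Oracle's code: a simplified model of how the realm-config
# thresholds in this appendix move a source between the untrusted, trusted and
# denied queues, plus a helper that sizes maximum-signal-threshold from a trace.
# Assumptions of this model: threshold 0 = disabled; "exceeded" = more than the
# threshold inside one tolerance-window; a demoted source restarts its count.
from collections import deque
from dataclasses import dataclass, field

@dataclass(frozen=True)
class RealmPolicy:
    """The realm-config parameters used in this appendix (times in seconds)."""
    access_control_trust_level: str   # "low" | "medium" | "high"
    invalid_signal_threshold: int
    maximum_signal_threshold: int
    untrusted_signal_threshold: int
    tolerance_window: float = 30.0
    deny_period: float = 30.0

@dataclass
class Endpoint:
    state: str = "untrusted"                       # every new source starts untrusted
    valid: deque = field(default_factory=deque)    # timestamps of well-formed messages
    invalid: deque = field(default_factory=deque)  # timestamps of malformed messages
    deny_until: float = 0.0

def prune(q, now, window):
    """Drop timestamps older than `window` seconds from the front of deque q."""
    while q and now - q[0] > window:
        q.popleft()

def exceeds(q, threshold):
    return threshold > 0 and len(q) > threshold

class AccessControlModel:
    def __init__(self, policy):
        self.policy = policy
        self.endpoints = {}

    def _deny(self, ep, now):
        ep.state, ep.deny_until = "denied", now + self.policy.deny_period
        ep.valid.clear()
        ep.invalid.clear()

    def register_ok(self, src, now):
        """200 OK to an authenticated REGISTER promotes the source to trusted."""
        ep = self.endpoints.setdefault(src, Endpoint())
        if ep.state != "denied":
            ep.state = "trusted"
        return ep.state

    def message(self, src, now, valid=True):
        """Account one SIP message from src at time now; return the resulting state."""
        p, ep = self.policy, self.endpoints.setdefault(src, Endpoint())
        if ep.state == "denied":
            if now < ep.deny_until:
                return "denied"            # still inside the deny-period
            ep.state = "untrusted"         # deny-period expired
        prune(ep.valid, now, p.tolerance_window)
        prune(ep.invalid, now, p.tolerance_window)
        (ep.valid if valid else ep.invalid).append(now)
        if p.access_control_trust_level == "high":
            return ep.state                # high: never demoted, never denied
        can_deny = p.access_control_trust_level == "low"
        if exceeds(ep.invalid, p.invalid_signal_threshold):
            if can_deny:
                self._deny(ep, now)
            else:
                ep.state = "untrusted"     # medium: back to the untrusted queue
            return ep.state
        if ep.state == "trusted" and exceeds(ep.valid, p.maximum_signal_threshold):
            ep.state = "untrusted"         # removed from the trusted queue
            ep.valid.clear()               # now counted against untrusted-signal-threshold
        if ep.state == "untrusted" and can_deny and exceeds(ep.valid, p.untrusted_signal_threshold):
            self._deny(ep, now)
        return ep.state

def burst(model, src, n, start=0.0, spacing=0.1, valid=True):
    """Send n messages from src `spacing` seconds apart; return the state after each."""
    return [model.message(src, start + i * spacing, valid) for i in range(n)]

def peak_messages_per_window(trace, window=30.0):
    """Most messages one source sent inside any single tolerance-window, from a
    trace of (timestamp, source) tuples: a data-driven maximum-signal-threshold."""
    per_src = {}
    for t, src in sorted(trace):
        per_src.setdefault(src, []).append(t)
    peak = 0
    for times in per_src.values():
        q = deque()
        for t in times:
            q.append(t)
            prune(q, t, window)
            peak = max(peak, len(q))
    return peak

# Realm settings from the Acme Packet 1100 tables in this appendix.
NOT_DENIED = RealmPolicy("medium", 2, 25, 10, 30.0, 30.0)
DENIED = RealmPolicy("low", 1, 25, 1, 30.0, 1800.0)
```

With the DENIED policy a second message from an untrusted source inside 30 seconds puts it on the deny list for 1800 seconds, while under NOT_DENIED the same source is only kept untrusted, never denied; a trusted source that sends its 26th message inside the window is demoted under both policies. Replace the constructed trace fed to peak_messages_per_window with (timestamp, source) pairs from a real capture before choosing a threshold.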

DDoS-2 show commands

DDoS-2 is supported on the following platforms: Acme Packet 4600, Acme Packet 6100, Acme Packet 6300, and Acme Packet 6350. DDoS-2 increases the number of trusted endpoints to a maximum of 500K for Acme Packet 4600/6100/6300 and 750K for Acme Packet 6350. It also increases the number of denied endpoints to a maximum of 96K for Acme Packet 6350 and 64K for Acme Packet 4600/6100/6300.

The command show acl info provides information about present usage of the HASH table.
ORACLE#show acl info

Access Control List Statistics:

                |   # of entries  |   % utilization   |   Reserved Entry Count
-----------------------------------------------------------------------
Denied          |          0                0.0%                 32000
Trusted         |          3                0.0%                  8000
Media           |          2                0.0%                 64000
Untrusted       |          1                0.1%                  2000
Dynamic Trusted |       4800                1.9%                250000
INTFC           |          2                 -                  -
-----------------------------------------------------------------------
Total CAM space used = 8 of 126976 (99.99% free)
Total HASH-table space used = 4800 of 250000 (98.08% free)
---------------------------------------------------------------------
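A parser for the show acl info output above, added here as an example and not Oracle's code: it turns each ACL class into structured counts and flags any class, or the CAM/HASH-table totals, at or above a usage percentage, which is what a monitoring job would watch while a flood is promoting or denying large numbers of sources. The sample text is the output reproduced in this appendix; the warn_pct default is an arbitrary choice for the example.

```python
# Added example, not Oracle's code: parse "show acl info" output and flag ACL
# classes whose entry count approaches the reserved entry count.
import re

# Constructed sample: the "show acl info" output reproduced in this appendix.
SAMPLE_ACL_INFO = """\
Access Control List Statistics:

                |   # of entries  |   % utilization   |   Reserved Entry Count
-----------------------------------------------------------------------
Denied          |          0                0.0%                 32000
Trusted         |          3                0.0%                  8000
Media           |          2                0.0%                 64000
Untrusted       |          1                0.1%                  2000
Dynamic Trusted |       4800                1.9%                250000
INTFC           |          2                 -                  -
-----------------------------------------------------------------------
Total CAM space used = 8 of 126976 (99.99% free)
Total HASH-table space used = 4800 of 250000 (98.08% free)
"""

# One statistics row: name, entry count, displayed utilization (or "-"), reserved count (or "-").
ROW_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z ]*?)\s*\|\s*(?P<entries>\d+)\s+"
    r"(?P<util>\d+\.\d+%|-)\s+(?P<reserved>\d+|-)\s*$")
# The two "Total ... space used = X of Y" summary lines.
TOTAL_RE = re.compile(
    r"^Total (?P<table>CAM|HASH-table) space used = (?P<used>\d+) of (?P<size>\d+)")


def parse_acl_info(text):
    """Return ({class: {"entries", "reserved", "utilization"}}, {table: (used, size)})."""
    rows, totals = {}, {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m["name"]] = {
                "entries": int(m["entries"]),
                "reserved": None if m["reserved"] == "-" else int(m["reserved"]),
                "utilization": None if m["util"] == "-" else float(m["util"].rstrip("%")),
            }
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals[m["table"]] = (int(m["used"]), int(m["size"]))
    return rows, totals


def utilization_pct(rows):
    """Recompute usage from the raw counts (the display rounds to one decimal)."""
    return {name: 100.0 * r["entries"] / r["reserved"]
            for name, r in rows.items() if r["reserved"]}


def over_threshold(rows, totals, warn_pct=80.0):
    """Sorted names of ACL classes and summary tables at or above warn_pct usage."""
    hot = [n for n, pct in utilization_pct(rows).items() if pct >= warn_pct]
    hot += [t for t, (used, size) in totals.items() if 100.0 * used / size >= warn_pct]
    return sorted(hot)
```

Run parse_acl_info on the text captured from the device and feed the result to over_threshold; the Dynamic Trusted row is the one that grows as untrusted sources are promoted during a registration avalanche, and the Denied row is the one to watch when access-control-trust-level is low.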
The command show acl all presents endpoint allocation per TM-flow. In the example below we can see 5 endpoints per TM-flow:
ORACLE#show acl all
trusted entries:
intf:vlan src-IP       dest-IP/mask  port prot type    index  recv   drop
0/0:0     0.0.0.0      177.1.1.100        ICMP static  65537  0      0
1/0:0     0.0.0.0      188.1.1.200        ICMP static  65539  0      0
1/0:0     0.0.0.0      188.1.1.200   5060 UDP  static  65541  333676 0
dynamic trusted entries sharing IFD 0x1e600:
0/0:0     14.0.2.130   177.1.1.100   5060 UDP  dynamic 132096 2      0
0/0:0     14.0.10.130  177.1.1.100   5060 UDP  dynamic 133120 
0/0:0     14.0.18.130  177.1.1.100   5060 UDP  dynamic 134144
0/0:0     14.0.26.130  177.1.1.100   5060 UDP  dynamic 135168
0/0:0     14.0.34.130  177.1.1.100   5060 UDP  dynamic 136192
dynamic trusted entries sharing IFD 0x1e601:
0/0:0     14.0.2.132   177.1.1.100   5060 UDP  dynamic 132097 2       0
0/0:0     14.0.10.132  177.1.1.100   5060 UDP  dynamic 133121
0/0:0     14.0.18.132  177.1.1.100   5060 UDP  dynamic 134145
0/0:0     14.0.26.132  177.1.1.100   5060 UDP  dynamic 135169
0/0:0     14.0.34.132  177.1.1.100   5060 UDP  dynamic 136193
dynamic trusted entries sharing IFD 0x1e602:
0/0:0     14.0.2.134   177.1.1.100   5060 UDP  dynamic 132098 2       0
0/0:0     14.0.10.134  177.1.1.100   5060 UDP  dynamic 133122
0/0:0     14.0.18.134  177.1.1.100   5060 UDP  dynamic 134146
0/0:0     14.0.26.134  177.1.1.100   5060 UDP  dynamic 135170
0/0:0     14.0.34.134  177.1.1.100   5060 UDP  dynamic 136194

DDoS Configuration Settings per Platform in Access Environments

Changes under media-manager require a system reboot to take effect. Be sure to follow the reboot precautions for the SBC(s) so as to avoid an unnecessary service outage during this procedure.

Acme Packet 1100, 720 Flow Table, 4G memory, copper single GigE

The following table lists the five parameters germane to DDoS configuration settings in access environments for the Acme Packet 1100 and their settings in the Not Denied and Denied realms.

Parameter                    Not Denied realm   Denied realm
access-control-trust-level   medium             low
invalid-signal-threshold     2                  1
maximum-signal-threshold     25                 25
untrusted-signal-threshold   10                 1
nat-trust-threshold          0                  0
deny-period                  30                 1800

The media-manager configuration should be set as suggested in the following table for the Acme Packet 1100.

Parameter                 Value
max-signaling-packets     10000
max-untrusted-signaling   7
min-untrusted-signaling   4
tolerance-window          30

Acme Packet 3900, 16K Flow Table, 16G memory, copper single GigE

The following table lists the five parameters germane to DDoS configuration settings in access environments for the Acme Packet 3900 and their settings in the Not Denied and Denied realms.

Parameter                    Not Denied realm   Denied realm
access-control-trust-level   medium             low
invalid-signal-threshold     2                  1
maximum-signal-threshold     25                 25
untrusted-signal-threshold   10                 1
nat-trust-threshold          0                  0
deny-period                  30                 1800

The media-manager configuration should be set as suggested in the following table for the Acme Packet 3900.

Parameter                 Value
max-signaling-packets     40000
max-untrusted-signaling   7
min-untrusted-signaling   7
tolerance-window          30

Acme Packet 4600, 1000000 Flow Table, 16G memory, copper single GigE

The following table lists the five parameters germane to DDoS configuration settings in access environments for the Acme Packet 4600 and their settings in the Not Denied and Denied realms.

Parameter                    Not Denied realm   Denied realm
access-control-trust-level   medium             low
invalid-signal-threshold     2                  1
maximum-signal-threshold     25                 25
untrusted-signal-threshold   10                 2
nat-trust-threshold          0                  0
deny-period                  30                 1800

The media-manager configuration should be set as suggested in the following table for the Acme Packet 4600.

Parameter                 Value
max-signaling-bandwidth   2651610
max-untrusted-signaling   15
min-untrusted-signaling   12
app-signaling-bandwidth   0
tolerance-window          30

Acme Packet 6100, 1000000 Flow Table, 16G memory, copper single GigE

The following table lists the five parameters germane to DDoS configuration settings in access environments for the Acme Packet 6100 and their settings on the core and peer realms.

Parameter                    Core realm-config   Peer realm-config
access-control-trust-level   high                low
average-rate-limit           0                   0
invalid-signal-threshold     0                   1
maximum-signal-threshold     0                   4000
untrusted-signal-threshold   0                   1

The media-manager configuration should be set as suggested in the following table for the Acme Packet 6100 in the respective model.

Parameter                 PBRB Model   SSNHTN Model   SNB Model
max-signaling-bandwidth   7070960      7070960        7070960
max-untrusted-signaling   1            1              1
min-untrusted-signaling   1            1              1
tolerance-window          30           30             30

Acme Packet 6300, 1000000 Flow Table, 16G memory, copper single GigE

The following table lists the five parameters germane to DDoS configuration settings in access environments for the Acme Packet 6300 and their settings on the core and peer realms.

Parameter                    Core realm-config   Peer realm-config
access-control-trust-level   high                low
average-rate-limit           0                   0
invalid-signal-threshold     0                   1
maximum-signal-threshold     0                   4000
untrusted-signal-threshold   0                   1

The media-manager configuration should be set as suggested in the following table for the Acme Packet 6300 in the respective model.

Parameter                 PBRB Model   SSNHTN Model   SNB Model
max-signaling-bandwidth   7070960      7070960        7070960
max-untrusted-signaling   1            1              1
min-untrusted-signaling   1            1              1
tolerance-window          30           30             30

Acme Packet 6350, 2000000 Flow Table, 48GB memory, copper single GigE

The following table lists the five parameters germane to DDoS configuration settings in access environments for the Acme Packet 6350 and their settings on the core and peer realms.

Parameter                    Core realm-config   Peer realm-config
access-control-trust-level   high                low
average-rate-limit           0                   0
invalid-signal-threshold     0                   1
maximum-signal-threshold     0                   4000
untrusted-signal-threshold   0                   2

The media-manager configuration should be set as suggested in the following table for the Acme Packet 6350 in the respective model.

Parameter                 PBRB Model   SSNHTN Model   SNB Model
max-signaling-bandwidth   7070960      7070960        7070960
max-untrusted-signaling   15           13             12
min-untrusted-signaling   14           12             11
tolerance-window          30           30             30

VME, 720 Flow Table, 4G memory

The following table lists the five parameters germane to DDoS configuration settings in access environments for the VME and their settings in the Not Denied and Denied realms.

Parameter                    Not Denied realm   Denied realm
access-control-trust-level   medium             low
invalid-signal-threshold     2                  1
maximum-signal-threshold     25                 25
untrusted-signal-threshold   10                 1
nat-trust-threshold          0                  0
deny-period                  30                 1800

The media-manager configuration should be set as suggested in the following table for the VME.

Parameter                 Value
max-signaling-bandwidth   100000
max-untrusted-signaling   7
min-untrusted-signaling   4
tolerance-window          30