DDoS Prevention for Peering Environments

This section presents recommended settings and guidelines for DDoS prevention in a peering environment.

The settings outlined in this appendix apply to the following configuration models:
  • PBRB - Policy Based Realm Bridging Model
  • SNB - SIP NAT Bridge Model
  • SSNHTN - Single SIP NAT Hosted in Trusted Network Model

Supported Platforms

Platform   Flow Table Size   Memory
AP6350     2000000           48G
AP6300     1000000           16G
AP4600     1000000           16G
AP6100     1000000           16G

Observations/Limitations

The settings outlined in this appendix are beneficial when facing malicious attacks from unknown sources, which is a typical concern when carrying peering traffic over the public Internet. Setting access-control-trust-level to "high" in both the peer realm and an ACL (access-control) yields an implicit-deny scenario in which traffic from unknown source IP addresses is silently discarded at the hardware level, protecting both the SBC's host CPU and the core devices from attack. This configuration is not designed to prevent malicious attacks generated behind a trusted source IP within the peer's network, since all traffic from the peer is considered "trusted". Therefore, the SBC will forward all traffic from trusted sources to the core network, as allowed by the system's hardware or software capabilities. There is no demotion event when access-control-trust-level at the realm is set to "high", because packets from the trusted peer endpoint are always allocated to the trusted queue for processing.

An alternative DDoS prevention practice in peering is to set access-control-trust-level to "medium", but this type of configuration requires settings for max-untrusted-signaling, min-untrusted-signaling, and maximum-signal-threshold that vary greatly from one customer to the next. Please contact your Sales Representative for more information on the Professional Services available from Oracle to design comprehensive security solutions.

As the media-manager is a global configuration element, this appendix assumes that the SBC has not been configured in hybrid mode, in which the SBC supports both Access and Peering traffic. Further, it assumes that the peer realm has a sip-interface associated with it, which is REQUIRED for the DDoS prevention configuration to be effective. Alternatively, in a Nested/Pseudo realm configuration, the DDoS prevention configuration associated with the parent realm (which has the sip-interface associated) will apply.

Configuration Parameters for DDoS Prevention in Peering Environments

The following sections discuss the DDoS prevention parameters pertinent to the scope of this appendix. These parameters are found in three configuration areas: Media Manager, Realm Configuration, and SIP Interface.

Media Manager

The following media-manager parameters have been calculated for each configuration model.

  • max-untrusted-signaling - Maximum percentage of the allocated max-signaling-bandwidth for untrusted traffic (%)
  • min-untrusted-signaling - Minimum percentage of the allocated max-signaling-bandwidth for untrusted traffic (%)
  • max-signaling-bandwidth - The maximum bandwidth that the SBC can withstand (bytes/sec)

Typically, these parameters are not applied in a peering configuration, as the source of peer traffic is assumed to be trusted. However, since these parameters default to '0', it is suggested to set them to the minimal value of '1' in order to maximize the CPU resources available for trusted traffic and guarantee optimal performance for trusted peer traffic.

The recommended values for these media-manager parameters for each test scenario are listed later by system model.

max-signaling-bandwidth is not present or supported with the Software Datapath (VM, COTS, 1100, 3900).

The following Media Manager parameters have platform-specific defaults and are not configurable. The show acl info ACLI command displays their values on each platform.

  • min-media-allocation
  • min-trusted-allocation
  • deny-allocation

For this appendix, these defaults will be used and are indicated in the platform results later by system model.

Realm Configuration

The following realm-config parameters are used in the basic DDoS configuration.

Parameter                     Peer Realm   Core Realm
access-control-trust-level    high         high
invalid-signal-threshold      0            0
average-rate-limit            0            0
maximum-signal-threshold      0            0
untrusted-signal-threshold    0            0

SIP Interface

The following sip-interface->sip-ports parameter SHOULD be used for Peering environments.

Setting "allow-anonymous" to agents-only causes the SBC to reject requests sent from any IP address that has not been defined as a "Session-Agent" in the SBC configuration. In Peering configurations, the customer SHOULD define each IP address of a peer's device as a "session-agent" for best results.

Parameter         Peer Realm    Core Realm
allow-anonymous   agents-only   all

Although it is not recommended, it is still possible to allow packets from an IP address that has not yet been defined as a Session-Agent by setting "allow-anonymous" to "all". In this setup, the SBC simply allows the request, subject to the DDoS thresholds, as opposed to rejecting it with a 403 Forbidden response.

Session Agent and Access-Control

Any peering signaling device SHOULD be defined as a Session-Agent in the SBC configuration. Further, proper DDoS prevention requires explicitly configuring one access-control entry per address: one for each Session-Agent address, and one for any other address that has not been defined as a session-agent.

Parameter              Session-agent (peer realm)
realm-id               peer
constraints            enabled (optional)
max-sessions           X
max-burst-rate         Y
max-sustain-rate       Z
time-to-resume         60 sec
burst-rate-window      1 sec
sustain-rate-window    30 sec

There is no demotion event when access-control-trust-level in the realm-config is set to "high", because packets from the trusted peer endpoint are always allocated to the trusted queue for processing. This becomes a concern when a customer sends an excessive amount of SIP traffic that is beyond the SLA. Session constraints under session-agent can be deployed to further mitigate this problem. Listed above is a small set of constraints that provide a basic level of call admission control, ensuring that a session-agent's capacity is not exceeded; otherwise the SBC rejects the service with 503 Service Unavailable. Please be advised that these settings are optional. Customers may consider them when deploying their service in a Peering environment, with or without the DDoS configuration.

  1. max-sessions (X) - Defines the maximum number of sessions (inbound and outbound) allowed by the session agent. Once the session limit is reached, the SBC will start rejecting new service with 503 Service Unavailable until the number of seconds in time-to-resume has elapsed.
  2. max-burst-rate (Y) - Defines the maximum rate of calls (per second) this session agent will allow. Once the rate limit is reached, the SBC will start rejecting new service with 503 Service Unavailable until the number of seconds in time-to-resume has elapsed.
  3. max-sustain-rate (Z) - In general, set this to the average call rate (per second) that the SA can sustain. The average rate is calculated as (calls made in the current window + calls made in the previous window) / (current second - start of the previous window). Once this average exceeds the limit Z, the SBC will start rejecting new service with 503 Service Unavailable until the number of seconds in time-to-resume has elapsed.
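The three constraints above and the time-to-resume hold they trigger, modelled in Python as an added example; this is not Oracle's code or the SBC's implementation. Time is passed in explicitly in seconds so the window arithmetic is deterministic. The treatment of a silent previous sustain window, the one-second floor on the divisor of the sustain-rate formula, and the X/Y/Z values in run_demo are assumptions of the example.

```python
"""Session-agent call admission control modelled on the constraints above:
max-sessions (X), max-burst-rate (Y), max-sustain-rate (Z), time-to-resume,
burst-rate-window and sustain-rate-window. Added example, not the SBC's code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Constraints:
    max_sessions: int              # X: sessions (inbound + outbound) allowed
    max_burst_rate: int            # Y: calls allowed per burst-rate-window
    max_sustain_rate: float        # Z: average calls/sec the SA can sustain
    time_to_resume: float = 60.0   # seconds of 503s after a limit is hit
    burst_rate_window: float = 1.0
    sustain_rate_window: float = 30.0


class SessionAgentCAC:
    """Admission decision for one session-agent. `now` is passed in as seconds
    so the window arithmetic is deterministic and testable."""

    def __init__(self, c: Constraints) -> None:
        self.c = c
        self.active_sessions = 0
        self.hold_until: Optional[float] = None   # answer 503 until this time
        self.burst_start, self.burst_count = 0.0, 0
        self.cur_start, self.cur_count = 0.0, 0    # current sustain window
        self.prev_start, self.prev_count = 0.0, 0  # previous sustain window

    def _roll_windows(self, now: float) -> None:
        if now - self.burst_start >= self.c.burst_rate_window:
            self.burst_start, self.burst_count = now, 0
        w = self.c.sustain_rate_window
        if now - self.cur_start >= w:
            if now - self.cur_start >= 2 * w:
                # A whole window with no calls: the previous window is empty
                # (assumption about how silence is treated).
                self.prev_start, self.prev_count = now - w, 0
            else:
                self.prev_start, self.prev_count = self.cur_start, self.cur_count
            self.cur_start, self.cur_count = now, 0

    def sustain_rate(self, now: float, extra: int = 0) -> float:
        """(calls in current + previous window) / (now - start of previous window).
        The one-second floor on the divisor is an assumption added to avoid a
        division by zero on the very first call."""
        delta = max(now - self.prev_start, 1.0)
        return (self.cur_count + self.prev_count + extra) / delta

    def admit(self, now: float) -> Tuple[bool, str]:
        """Decide whether a new call at time `now` is admitted or answered 503."""
        if self.hold_until is not None and now < self.hold_until:
            return False, "503 Service Unavailable (time-to-resume in effect)"
        self.hold_until = None
        self._roll_windows(now)
        reason = None
        if self.active_sessions + 1 > self.c.max_sessions:
            reason = "max-sessions"
        elif self.burst_count + 1 > self.c.max_burst_rate:
            reason = "max-burst-rate"
        elif self.sustain_rate(now, extra=1) > self.c.max_sustain_rate:
            reason = "max-sustain-rate"
        if reason is not None:
            self.hold_until = now + self.c.time_to_resume
            return False, f"503 Service Unavailable ({reason} exceeded)"
        self.active_sessions += 1
        self.burst_count += 1
        self.cur_count += 1
        return True, "admitted"

    def release(self) -> None:
        """A session ended; free its slot toward max-sessions."""
        self.active_sessions = max(self.active_sessions - 1, 0)


def run_demo() -> List[Tuple[float, bool, str]]:
    # Constructed values: X=3 sessions, Y=2 calls per 1 s burst window, Z=5 calls/sec.
    cac = SessionAgentCAC(Constraints(max_sessions=3, max_burst_rate=2, max_sustain_rate=5.0))
    results = []
    for t in (0.0, 0.1, 0.2, 1.5, 61.0, 61.2):
        ok, msg = cac.admit(t)
        results.append((t, ok, msg))
    return results


if __name__ == "__main__":
    for t, ok, msg in run_demo():
        print(f"t={t:6.1f}s  {'ADMIT ' if ok else 'REJECT'}  {msg}")
```

In the demo the third call in the same second trips max-burst-rate, which starts the 60-second time-to-resume hold; the call at 1.5 s is rejected by the hold alone, and once the hold lapses the third active session fills max-sessions so the next call is rejected again.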

Parameter                    Peer Realm                                   Core Realm
realm-id                     peer                                         core
source-address               n.n.n.n[/mask bits] (peer SA IP or non-SA IP)   m.m.m.m[/mask bits] (core SA IP or non-SA IP)
application-protocol         SIP                                          SIP
transport                    ALL                                          ALL
access                       permit                                       permit
trust-level                  high                                         high
minimum-reserved-bandwidth   0                                            0
invalid-signal-threshold     0                                            0
maximum-signal-threshold     0                                            0
untrusted-signal-threshold   0                                            0
deny-period                  30                                           30

In the core realm, it is recommended to configure one access-control entry per session-agent instead of a single source subnet/mask. This gives each core session-agent its own flow rather than sharing one flow among multiple devices or an entire subnet.
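The hardware-level decision the text describes, modelled in Python as an added example (not Oracle's code or the SBC's implementation): a source with a matching permit ACL at trust-level high goes to the trusted queue; with the realm at "high" and no ACL the packet is silently discarded (implicit deny); with the realm at "medium" it is admitted to the untrusted queue. It also shows the flow-per-entry point above: two core devices covered by one /24 entry share a flow, while per-SA host entries do not. The longest-prefix precedence between overlapping entries, the treatment of "low" like "medium", and the sample addresses are assumptions of the example.

```python
"""ACL lookup and queue assignment for a realm with access-control-trust-level
"high" (implicit deny), plus the flow-per-entry point about per-SA ACLs.
Added example, not the SBC's code; addresses are constructed documentation IPs."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AccessControl:
    realm_id: str
    source_address: str                # n.n.n.n or n.n.n.n/bits (mask optional)
    application_protocol: str = "SIP"
    transport: str = "ALL"
    access: str = "permit"
    trust_level: str = "high"

    @property
    def network(self):
        # A bare address without mask bits is treated as a single host (/32).
        return ipaddress.ip_network(self.source_address, strict=False)


@dataclass
class Realm:
    realm_id: str
    access_control_trust_level: str    # "high" | "medium" | "low"


def match_acl(acls: List[AccessControl], realm_id: str, src_ip: str,
              protocol: str = "SIP", transport: str = "UDP") -> Optional[AccessControl]:
    """Return the most specific matching ACL entry for the realm, or None.
    Longest-prefix precedence between overlapping entries is an assumption here."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for acl in acls:
        if acl.realm_id != realm_id or ip not in acl.network:
            continue
        if acl.application_protocol.upper() != protocol.upper():
            continue
        if acl.transport.upper() not in ("ALL", transport.upper()):
            continue
        if best is None or acl.network.prefixlen > best.network.prefixlen:
            best = acl
    return best


def classify(realm: Realm, acls: List[AccessControl], src_ip: str,
             protocol: str = "SIP", transport: str = "UDP") -> str:
    """Where a packet from src_ip ends up: trusted queue, untrusted queue, or dropped."""
    acl = match_acl(acls, realm.realm_id, src_ip, protocol, transport)
    if acl is not None:
        if acl.access.lower() != "permit":
            return "discard (ACL deny)"
        return "trusted queue" if acl.trust_level.lower() == "high" else "untrusted queue"
    # No ACL entry for this source. With the realm at "high" the text describes an
    # implicit deny: the packet is dropped in hardware and never reaches the host CPU.
    if realm.access_control_trust_level.lower() == "high":
        return "discard (implicit deny, no ACL)"
    # "medium" is the alternative the text mentions: unknown sources are admitted to
    # the untrusted queue, bounded by max/min-untrusted-signaling. "low" is treated
    # the same way here (assumption).
    return "untrusted queue"


def flow_key(acl: AccessControl) -> Tuple[str, str]:
    """Each ACL entry is one flow: a host entry gives a flow per session-agent,
    a subnet entry is one flow shared by every device inside it."""
    return (acl.realm_id, str(acl.network))


def sample_acls() -> List[AccessControl]:
    # Constructed sample: two peer session agents as host entries and, for the core
    # realm, a single /24 (the pattern the text advises against).
    return [
        AccessControl("peer", "198.51.100.10"),
        AccessControl("peer", "198.51.100.11"),
        AccessControl("core", "10.0.0.0/24"),
    ]


if __name__ == "__main__":
    acls = sample_acls()
    peer = Realm("peer", "high")
    for ip in ("198.51.100.10", "203.0.113.7"):
        print(f"peer realm, {ip:15} -> {classify(peer, acls, ip)}")
    shared = flow_key(match_acl(acls, "core", "10.0.0.5")) == flow_key(match_acl(acls, "core", "10.0.0.6"))
    print("core /24 entry: two devices share one flow:", shared)
```

Running the block shows the peer SA landing in the trusted queue, the unknown 203.0.113.7 being discarded, and the two core devices behind the /24 entry sharing a single flow key, which is exactly what per-SA entries avoid.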

DDoS Configuration Settings per Platform in Peering Environments

Below are the recommended parameter settings for each platform in a SIP Peering model.

Changes under media-manager require a system reboot to take effect. Be sure to follow the appropriate precautions when rebooting the SBC(s) in order to avoid an unnecessary service outage.

Acme Packet 4600 (1000000 flow table, 16G memory, copper single GigE)

The following table lists the five parameters germane to DDoS Configuration Settings in Peering Environments for the Acme Packet 4600 and their settings on the core and peer realms.

Parameter                     Core realm-config   Peer realm-config
access-control-trust-level    high                low
average-rate-limit            0                   0
invalid-signal-threshold      0                   0
maximum-signal-threshold      0                   0
untrusted-signal-threshold    0                   0

The media-manager configuration should be set as suggested in the following table for the Acme Packet 4600 in the respective model.

Parameter                  PBRB Model   SSNHTN Model   SNB Model
max-signaling-bandwidth    2651610      2651610        2651610
max-untrusted-signaling    1            1              1
min-untrusted-signaling    1            1              1
tolerance-window           30           30             30

Acme Packet 6100 (1000000 flow table, 16G memory, copper single GigE)

The following table lists the five parameters germane to DDoS Configuration Settings in Peering Environments for the Acme Packet 6100 and their settings on the core and peer realms.

Parameter                     Core realm-config   Peer realm-config
access-control-trust-level    high                high
average-rate-limit            0                   0
invalid-signal-threshold      0                   0
maximum-signal-threshold      0                   0
untrusted-signal-threshold    0                   0

The media-manager configuration should be set as suggested in the following table for the Acme Packet 6100 in the respective model.

Parameter                  PBRB Model   SSNHTN Model   SNB Model
max-signaling-bandwidth    7070960      7070960        7070960
max-untrusted-signaling    1            1              1
min-untrusted-signaling    1            1              1
tolerance-window           30           30             30

Acme Packet 6300 (1000000 flow table, 16G memory, copper single GigE)

The following table lists the five parameters germane to DDoS Configuration Settings in Peering Environments for the Acme Packet 6300 and their settings on the core and peer realms.

Parameter                     Core realm-config   Peer realm-config
access-control-trust-level    high                high
average-rate-limit            0                   0
invalid-signal-threshold      0                   0
maximum-signal-threshold      0                   0
untrusted-signal-threshold    0                   0

The media-manager configuration should be set as suggested in the following table for the Acme Packet 6300 in the respective model.

Parameter                  PBRB Model   SSNHTN Model   SNB Model
max-signaling-bandwidth    7070960      7070960        7070960
max-untrusted-signaling    1            1              1
min-untrusted-signaling    1            1              1
tolerance-window           30           30             30

Acme Packet 6350 (2000000 flow table, 48G memory, copper single GigE)

The following table lists the five parameters germane to DDoS Configuration Settings in Peering Environments for the Acme Packet 6350 and their settings on the core and peer realms.

Parameter                     Core realm-config   Peer realm-config
access-control-trust-level    high                low
average-rate-limit            0                   0
invalid-signal-threshold      0                   1
maximum-signal-threshold      0                   4000
untrusted-signal-threshold    0                   2

The media-manager configuration should be set as suggested in the following table for the Acme Packet 6350 in the respective model.

Parameter                  PBRB Model   SSNHTN Model   SNB Model
max-signaling-bandwidth    7070960      7070960        7070960
max-untrusted-signaling    15           13             12
min-untrusted-signaling    14           12             11
tolerance-window           30           30             30