Levels of DoS Protection

The multi-level Oracle® Enterprise Session Border Controller Denial of Service protection consists of the following strategies:

  • Fast path filtering/access control: involves access control for signaling packets destined for the Oracle® Enterprise Session Border Controller host processor as well as for media (RTP) packets. The SBC accomplishes media filtering using the existing dynamic pinhole firewall capabilities. Fast path filtering of packets destined for the host processor requires the configuration and management of a trusted list and a deny list for each Oracle® Enterprise Session Border Controller realm (although the actual devices can be dynamically trusted or denied by the Oracle® Enterprise Session Border Controller based on configuration). You do not have to provision every endpoint/device on the Oracle® Enterprise Session Border Controller; instead you can retain the default values.
  • Host path protection: includes flow classification, host path policing and unique signaling flow policing. Fast path filtering alone cannot protect the Oracle® Enterprise Session Border Controller host processor from being overwhelmed by a malicious attack from a trusted source. The host path and individual signaling flows must be policed to ensure that a volume-based attack does not overwhelm the Oracle® Enterprise Session Border Controller’s normal call processing, and in turn does not overwhelm the systems beyond it. The Oracle® Enterprise Session Border Controller must classify each source based on its ability to pass certain criteria that are signaling- and application-dependent. At first each source is considered untrusted, with the possibility of being promoted to fully trusted. The Oracle® Enterprise Session Border Controller maintains two host paths, one for each class of traffic (trusted and untrusted), with different policing characteristics to ensure that fully trusted traffic always gets precedence.
  • Host-based malicious source detection and isolation (dynamic deny list): malicious sources can be automatically detected in real time and denied in the fast path to block them from reaching the host processor.
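The three levels above interact: the fast path consults the deny list, the host path polices trusted and untrusted traffic separately (plus each individual untrusted signaling flow), and sources are promoted or dynamically denied based on their behaviour. The following is an added illustrative model of that interaction, written for this page; it is not Oracle's code and does not reflect the real product's internals. The class and method names, the token-bucket policer, the rates and thresholds (promotion after three validated messages, denial after five violations), and the rule that repeatedly exceeding a per-flow policer counts as malicious are all assumptions chosen for the demonstration. The source addresses in the demo are constructed sample values.

```python
"""Illustrative model of multi-level DoS protection on a session border controller.
Added example code, not Oracle's implementation: names, rates and thresholds are
assumptions. Time is passed in explicitly so the simulation is deterministic."""


class TokenBucket:
    """Simple policer: refills `rate` tokens per second up to `burst` tokens."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = max(self.last, now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SbcDosProtection:
    """Three levels: fast-path deny list, dual host paths + per-flow policing,
    and dynamic denial of sources that misbehave (assumed thresholds)."""

    def __init__(self, trusted_rate=100, untrusted_rate=10, flow_rate=2,
                 promote_after=3, deny_after=5):
        self.denied = set()            # dynamic deny list consulted in the fast path
        self.trusted = set()           # provisioned or promoted sources
        self.trusted_path = TokenBucket(trusted_rate, trusted_rate)
        self.untrusted_path = TokenBucket(untrusted_rate, untrusted_rate)
        self.flow_rate = flow_rate
        self.flow_policers = {}        # unique signaling flow policing per untrusted source
        self.good = {}                 # validated messages seen from each untrusted source
        self.bad = {}                  # violations seen from each source
        self.promote_after = promote_after
        self.deny_after = deny_after

    def classify(self, src):
        if src in self.denied:
            return "denied"
        if src in self.trusted:
            return "trusted"
        return "untrusted"

    def _strike(self, src):
        """Level 3: count a violation; deny the source once it passes the threshold."""
        self.bad[src] = self.bad.get(src, 0) + 1
        if self.bad[src] >= self.deny_after:
            self.denied.add(src)
            self.trusted.discard(src)
            self.good.pop(src, None)

    def ingest(self, src, now, well_formed=True):
        cls = self.classify(src)
        # Level 1: fast path filtering drops denied sources before the host sees them.
        if cls == "denied":
            return "drop:fast-path-deny-list"
        # Level 2: separate host paths so trusted traffic never competes with untrusted.
        if cls == "trusted":
            if not self.trusted_path.allow(now):
                return "drop:trusted-path-policed"
        else:
            flow = self.flow_policers.setdefault(
                src, TokenBucket(self.flow_rate, self.flow_rate))
            if not flow.allow(now):
                self._strike(src)      # assumption: per-flow overrun counts as a violation
                return "drop:flow-policed"
            if not self.untrusted_path.allow(now):
                return "drop:untrusted-path-policed"
        # Host processing: malformed signaling is a violation for any class.
        if not well_formed:
            self._strike(src)
            return "reject:malformed"
        if cls == "untrusted":
            self.good[src] = self.good.get(src, 0) + 1
            if self.good[src] >= self.promote_after:
                self.trusted.add(src)
                return "accept:promoted-to-trusted"
        return "accept"


def run_demo():
    """A well-behaved phone earns trust; a flood source is policed, then denied."""
    sbc = SbcDosProtection()
    phone, flood = "10.0.0.5", "198.51.100.7"          # constructed sample addresses
    phone_log = [sbc.ingest(phone, now=float(t)) for t in range(3)]
    flood_log = [sbc.ingest(flood, now=3.0 + i * 0.01) for i in range(8)]
    phone_after = sbc.ingest(phone, now=4.0)           # trusted path still open
    return {"phone": phone_log, "flood": flood_log, "phone_after": phone_after,
            "classes": {phone: sbc.classify(phone), flood: sbc.classify(flood)}}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In the demo the phone sends three well-formed messages a second apart and is promoted; the flood source gets two messages through before its per-flow policer runs dry, accumulates five violations, and from then on is dropped in the fast path without touching the host, while the now-trusted phone is still accepted on its own path.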