IDS Phase 2 (Advanced Reporting)

This feature supplements the IDS reporting and protection services. IDS Phase 2 provides enterprise users with additional tools to identify, monitor, and control suspicious, and possibly malicious, traffic patterns. IDS Phase 2 requires the IDS Advanced Reporting license.

Rejected SIP Calls

IDS Phase 2 provides tools to monitor and record rejected SIP calls. A sudden or gradual increase in such calls can, but need not, indicate malicious intent.

IDS Phase 2 provides a global counter that increments with each SIP INVITE or REGISTER message that is rejected by the Acme Packet Oracle® Enterprise Session Border Controller, and offers the option of generating a syslog message in response to call rejection.

Rejected Calls Counter

The rejected calls counter is a 32-bit global counter that records the total number of rejected SIP calls. Such calls have been rejected by the Oracle® Enterprise Session Border Controller with the following response codes: 400, 403, 404, 405, 408, 413, 416, 417, 420, 423, 480, 481, 483, 484, 485, 488, 494, 500, 503, 505, and 604. These response codes may change with future software revisions.

The current value of the rejected calls counter is accessible via SNMP, Historical Data Recording (HDR), or the ACLI. This MIB table is apSysMgmtGeneralObjects Table (1.3.6.1.4.1.9148.3.2.1.1).

Object Name: apSysSipTotalCallsRejected
Object OID: 1.3.6.1.4.1.9148.3.2.1.1.25
Description: Global counter for SIP calls that are rejected by the SBC

The sip-error HDR collection group contains a new reporting field, Call Rejects, which contains the value of the global rejected calls counter.

The ACLI command show sipd errors displays the contents of the rejected calls counter.

ORACLE# show sipd errors
12:29:13-131
SIP Errors/Events             ---- Lifetime ----
                       Recent      Total  PerMax
SDP Offer Errors            0          0       0
SDP Answer Errors           0          0       0
Drop Media Errors           0          0       0
Transaction Errors          0          0       0
Application Errors          0          0       0
Media Exp Events            0          0       0
Early Media Exps            0          0       0
Exp Media Drops             0          0       0
Expired Sessions            0          0       0
Multiple OK Drops           0          0       0
Multiple OK Terms           0          0       0
Media Failure Drops         0          0       0
Non-ACK 2xx Drops           0          0       0
Invalid Requests            0          5       2
Invalid Responses           0          0       0
Invalid Messages            0          0       0
CAC Session Drop            0          0       0
Nsep User Exceeded          0          0       0
Nsep SA   Exceeded          0          0       0
CAC BW Drop                 0          0       0
Calls Rejected              0          0       0 <--

Syslog Reporting of Rejected Calls

Users can choose to send a syslog message in response to the rejection of a SIP call. In the default state, rejected calls are not reported to syslog.

Use the following ACLI command sequence to enable syslog reporting of rejected SIP calls.

ORACLE# configure terminal 
ORACLE(configure)# media-manager 
ORACLE(media-manager)# media-manager 
ORACLE(media-manager-config)# syslog-on-call-reject enable

The syslog-on-call-reject attribute, which is disabled by default, enables the generation of a syslog message in response to the rejection of a SIP call.

Use done, exit, and verify-config to complete this configuration.

Syslog messages issued in response to call rejection contain the following call-related information.

  • SIP status code indicating rejection cause
  • SIP method name (INVITE or REGISTER)
  • Reason for denial
  • Realm of calling endpoint
  • Applicable local response map
  • Content of Reason header (if present)
  • From URI of calling endpoint
  • Target URI of called endpoint
  • Source and Destination IP address and port
  • Transport type

The following are sample syslog messages issued in response to call rejections.

Dec 8 06:05:42 172.30.70.119 deimos sipd[205bfee4] ERROR [IDS_LOG]INVITE from source 172.16.18.100:5060 to dest 172.16.101.13:5060[UDP] realm=net172; From=sipp <sip:sipp@172.16.18.100:5060>;tag=13890SIPpTag001; target=sip:service@172.16.101.13:5060 rejected!; status=483 (Too Many Hops)

Dec 10 15:09:28 172.30.70.119 deimos sipd[2065ace8] ERROR [IDS_LOG]INVITE from source 172.16.18.5:5060 to dest 172.16.101.13:5060[UDP] realm=net172; From=sipp <sip:sipp@172.16.18.5:5060>;tag=10015SIPpTag001; target=sip:service@172.16.101.13:5060 rejected!; status=488 (sdp-address-mismatch); error=sdp address mismatch

IDS syslog messages that report rejected calls and those that report endpoint demotions now contain the string IDS_LOG, which identifies them as IDS-related messages. With IDS Phase 2, IDS messages reporting either endpoint demotions or call rejections can be sent to specific, previously configured syslog servers.

In topologies that include multiple syslog servers, use the following procedure to enable delivery of IDS-related messages to one or more specific syslog servers.

  1. Use the following command sequence to move to syslog-config Configuration Mode.
    ORACLE# configure terminal 
    ORACLE(configure)# system 
    ORACLE(system)# system-config 
    ORACLE(system-config)# syslog-servers 
    ORACLE(syslog-config)# 
  2. From the existing pool of syslog servers select the server or servers that will receive syslog messages.
  3. Ensure that all selected servers are configured with the same value for the facility attribute.

    Allowable values are integers within the range 0 through 23.

  4. Use the following command sequence to move to system-config Configuration Mode.
    ORACLE(syslog-config)# done 
    ORACLE(syslog-config)# exit 
    ORACLE(system-config)# 
  5. Use the ids-syslog-facility attribute to enable message transfer to specific syslog servers.

    The default value, -1, disables selective message transfer. To enable transfer to a designated syslog server or servers, enter the facility value (an integer within the range 0 through 23) that you confirmed or set in Step 3.

    The following example enables the transfer of IDS syslog messages to all servers with a facility value of 16.

    ORACLE(system-config)# ids-syslog-facility 16 
    ORACLE(system-config)# 
  6. Use done, exit, and verify-config to complete this configuration.

TCA Reporting of Denied Entries

You can construct a Threshold Crossing Alarm (TCA), which issues minor, major, and critical system alarms when the count of denied entries exceeds pre-configured values. For each issued alarm, the TCA also transmits an SNMP trap that reports the alarm state to remote SNMP agents.

After issuing a system alarm and accompanying SNMP trap, the TCA continues to monitor the number of denied entries. If the number of denied entries rises to the next threshold value, a new, and more severe, system alarm/SNMP trap is generated. If the number of denied entries falls below the current threshold level, and remains there for a period of at least 10 seconds, a new, and less severe system alarm/SNMP trap is generated.

  1. Use the following command sequence to move to alarm-threshold Configuration Mode.
    ORACLE# configure terminal 
    ORACLE(configure)# system 
    ORACLE(system)# system-config 
    ORACLE(system-config)# alarm-threshold 
    ORACLE(alarm-threshold)# 
  2. Use the type attribute to specify the TCA type (deny-allocation for denied entries TCAs), the severity attribute to specify the criticality of the alarm, and the value attribute to specify the alarm threshold.

    The following ACLI sequence defines the minor, major, and critical alarm thresholds. Note that you do not need to configure all three thresholds. The value attribute is a percentage; given the static deny-allocation capacity of 32000 entries, you can determine the number of denied entries each percentage maps to.

    ORACLE(alarm-threshold)# type deny-allocation 
    ORACLE(alarm-threshold)# severity minor 
    ORACLE(alarm-threshold)# value 80 
    ORACLE(alarm-threshold)# done 
    ORACLE(alarm-threshold)# type deny-allocation 
    ORACLE(alarm-threshold)# severity major 
    ORACLE(alarm-threshold)# value 90 
    ORACLE(alarm-threshold)# done 
    ORACLE(alarm-threshold)# type deny-allocation 
    ORACLE(alarm-threshold)# severity critical 
    ORACLE(alarm-threshold)# value 95 
    ORACLE(alarm-threshold)# done 
  3. Use exit and verify-config to complete the configuration.
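A model of the escalation and de-escalation behavior described above, added here as an illustration and not the SBC's own code: thresholds are the percentages from the ACLI example applied to the 32000-entry deny-allocation capacity, an upward crossing raises the more severe alarm immediately, and a count that stays below the current level for 10 seconds steps the alarm down. That the step-down is one severity at a time, and that a count can jump straight to critical, are assumptions of the model.

```python
# Assumed model of the deny-allocation TCA (illustrative, not the SBC's implementation).
DENY_ALLOCATION_MAX = 32000                                  # static capacity stated above
THRESHOLDS_PCT = {"minor": 80, "major": 90, "critical": 95}  # the ACLI example's values
CLEAR_HOLD_SECONDS = 10                                      # hold time before stepping down

SEVERITIES = ["clear", "minor", "major", "critical"]

def threshold_entries(percent):
    """Number of denied entries a percentage threshold corresponds to."""
    return DENY_ALLOCATION_MAX * percent // 100

class DenyAllocationTca:
    def __init__(self, thresholds_pct=THRESHOLDS_PCT):
        self.limits = {sev: threshold_entries(p) for sev, p in thresholds_pct.items()}
        self.level = "clear"
        self.below_since = None        # time the count first dropped below the current level

    def level_for(self, count):
        """Highest configured severity whose threshold the count exceeds."""
        level = "clear"
        for sev in SEVERITIES[1:]:
            if sev in self.limits and count > self.limits[sev]:
                level = sev
        return level

    def observe(self, count, now):
        """Feed one sample (denied entries, seconds); return the alarm/trap raised, or None."""
        target = self.level_for(count)
        cur, tgt = SEVERITIES.index(self.level), SEVERITIES.index(target)
        if tgt > cur:                               # upward crossing: alarm immediately
            self.level, self.below_since = target, None
            return f"raise {target}"
        if tgt < cur:                               # below current threshold: run the hold timer
            if self.below_since is None:
                self.below_since = now
            elif now - self.below_since >= CLEAR_HOLD_SECONDS:
                self.level = SEVERITIES[cur - 1]    # assumption: step down one severity
                self.below_since = None
                return f"lower to {self.level}"
        else:
            self.below_since = None                 # back at the current level: reset the hold
        return None

if __name__ == "__main__":
    tca = DenyAllocationTca()
    for count, t in [(20000, 0), (26000, 1), (29000, 2), (31000, 3), (30000, 4), (30000, 14)]:
        print(t, count, tca.observe(count, t))
```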

Syslog Reporting of Denied Entries

Syslog reporting of endpoint demotions was introduced as part of IDS Phase 1 in S-C6.2.0. With IDS Phase 2, such syslog messages contain the last SIP message from the endpoint that caused the transition to the denied state. If the included SIP message increases the length of the syslog beyond 1024 bytes, the SIP message is truncated so that the syslog is no larger than 1024 bytes.

CPU Load Limiting

The transmission of IDS-related system alarms and SNMP traps is disabled when the CPU utilization rate surpasses a configured threshold percentage, reducing system resource utilization. When the threshold is exceeded, a syslog message (MINOR level) announces the termination of IDS reporting. No additional syslog messages or SNMP traps are generated until the CPU utilization rate falls below the configured threshold. The resumption of IDS reporting is announced by another syslog message, also issued at the MINOR level.

The system manages percent CPU utilization as follows:

  • Begins rejecting SIP requests when the CPU reaches its throttling threshold, and
  • Rejects all SIP requests, as well as stops sending IDS-related system alarms and SNMP traps, when the CPU reaches its maximum.

See the SMP-Aware Task Load Limiting section in the Oracle® Communications Session Border Controller Maintenance and Troubleshooting Guide for information on how this works and how the user can configure the CPU throttling threshold and maximum CPU utilization.

Denied Endpoints

IDS Phase 2 provides a denied endpoint counter that includes SIP endpoints. The global counter value is available via SNMP or HDR.

The global counter value is available to SNMP under APSYSMGMT-MIB, acmepacketMgmt, apSystemManagementModule, apSysMgmtMIBObjects, apSysMgmtMIBGeneralObjects. This MIB is apSysMgmtGeneralObjects Table (1.3.6.1.4.1.9148.3.2.1.1).

Object Name: apSysCurrentEndptsDenied
Object OID: 1.3.6.1.4.1.9148.3.2.1.1.26
Description: Global counter for current endpoints denied

The system HDR collection group contains a new reporting field, Current Deny Entries Allocated, which contains the value of the global endpoints denied counter.