2.4.10 AVP Multiple Instance Check (AVPInstChk)

This countermeasure screens ingress Diameter request/answer messages to check the minimum and maximum allowable number of instances of AVP(s).

The list of AVPs, along with the allowable minimum and maximum instance values that this countermeasure uses for screening, is configurable.

This countermeasure considers an ingress Diameter request/answer message vulnerable if any of these conditions is true:

  • An AVP in the ingress request/answer message has fewer instances than the configured minimum allowed number of instances.
  • An AVP in the ingress request/answer message has more instances than the configured maximum allowed number of instances.

Note:

Appropriate ART configuration is required to route egress request messages (only those towards foreign networks) to DSA so that this countermeasure can screen ingress answer messages from the foreign peers for vulnerability. For more information, refer to ART Configuration for DSA.

Apart from the mandatory configuration described in DSA Mandatory Configuration, configure the AVPInstChk_Config Table with the minimum and maximum allowable instances of the AVPs that this countermeasure uses for screening. The table defines the AVP minimum and maximum instances together with the applicable Application-ID, Command-Code, and Message Type (Request/Answer) combination.
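The following sketch shows the instance check described in this section applied to an RFC 6733 encoded message. It is an added example, not product code. The `RULES` layout, the function names, and the sample S6a Update-Location-Request limits are assumptions made for illustration. Only top-level AVPs are counted, and the AVP code alone is used as the key.

```python
import struct
from collections import Counter

# Hypothetical rule table (not the AVPInstChk_Config schema), constructed limits:
# (application_id, command_code, is_request) -> {avp_code: (min, max)}
RULES = {(16777251, 316, True): {1: (1, 1), 263: (1, 1), 264: (1, 1)}}

def avp(code, data, flags=0x40):
    """Encode one AVP without Vendor-ID, padded to a 4-byte boundary."""
    length = 8 + len(data)  # AVP Length covers header + data, not padding
    head = struct.pack("!IB3s", code, flags, length.to_bytes(3, "big"))
    return head + data + b"\x00" * (-length % 4)

def message(app_id, cmd, is_request, avps):
    """Encode a Diameter message: 20-byte header followed by the AVPs."""
    body = b"".join(avps)
    head = struct.pack("!B3sB3sIII", 1, (20 + len(body)).to_bytes(3, "big"),
                       0x80 if is_request else 0, cmd.to_bytes(3, "big"), app_id, 1, 1)
    return head + body

def count_avps(msg):
    """Return (app_id, cmd, is_request, Counter of top-level AVP codes)."""
    if len(msg) < 20 or int.from_bytes(msg[1:4], "big") != len(msg):
        raise ValueError("bad Diameter message length")
    is_request, cmd = bool(msg[4] & 0x80), int.from_bytes(msg[5:8], "big")
    app_id = struct.unpack("!I", msg[8:12])[0]
    counts, off = Counter(), 20
    while off < len(msg):
        if off + 8 > len(msg):
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", msg[off:off + 4])[0]
        length = int.from_bytes(msg[off + 5:off + 8], "big")
        if length < (12 if msg[off + 4] & 0x80 else 8) or off + length > len(msg):
            raise ValueError("bad AVP length")  # reject rather than miscount
        counts[code] += 1
        off += length + (-length % 4)  # skip padding to the next AVP
    return app_id, cmd, is_request, counts

def check_instances(msg, rules=RULES):
    """Return (avp_code, seen, min, max) for every AVP outside its limits."""
    app_id, cmd, is_request, counts = count_avps(msg)
    limits = rules.get((app_id, cmd, is_request), {})  # no rule: nothing to flag
    return [(code, counts[code], lo, hi) for code, (lo, hi) in sorted(limits.items())
            if not lo <= counts[code] <= hi]

# Constructed samples: Session-Id (263), Origin-Host (264), User-Name (1)
ULR = (16777251, 316, True)
CLEAN = message(*ULR, [avp(263, b"mme;1;1"), avp(264, b"mme.example.net"), avp(1, b"001010123456789")])
BAD = message(*ULR, [avp(264, b"mme.example.net"), avp(1, b"001010123456789"), avp(1, b"001010999999999")])
```

`check_instances(BAD)` reports both conditions from the list above: User-Name exceeds its maximum and Session-Id falls below its minimum.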