2.4.9 Specific AVP Screening (SpecAVPScr)
This countermeasure screens ingress Diameter request/answer messages for invalid AVP value(s).
The list of AVP values that this countermeasure uses for screening is configurable.
This countermeasure considers an ingress Diameter request/answer message vulnerable if any AVP in the message matches a configured AVP value that is provisioned as invalid.
Note:
Appropriate ART configuration is required to route egress request messages (only those toward foreign networks) to DSA, so that ingress answer messages from foreign peers can be screened for vulnerability by this countermeasure. For more information, refer to ART Configuration for DSA.
Apart from the mandatory configuration in DSA Mandatory Configuration, configure the SpecAVPScr_Config Table with the AVP value(s) that this countermeasure uses for screening. The table defines the combination of AVP value, applicable Application-ID, Command-Code, and Message Type (Request/Answer).
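The matching described above, shown as an added Python example that is not DSA code: it parses a Diameter message (RFC 6733 header and AVP layout) and reports which configured entries it hits. The `Rule` field names, the byte-exact value comparison, and the sample messages are assumptions for illustration and do not reflect the SpecAVPScr_Config schema.

```python
import struct
from typing import NamedTuple

class Rule(NamedTuple):  # hypothetical layout, not the SpecAVPScr_Config schema
    app_id: int
    command_code: int
    is_request: bool
    avp_code: int
    invalid_value: bytes

def build_avp(code: int, data: bytes) -> bytes:
    """Encode one non-vendor AVP (RFC 6733 section 4.1), padded to 4 bytes."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))

def build_msg(app_id: int, command_code: int, is_request: bool, avps) -> bytes:
    """Encode a Diameter message: 20-byte header followed by the AVPs."""
    body = b"".join(build_avp(c, d) for c, d in avps)
    head = b"\x01" + (20 + len(body)).to_bytes(3, "big")
    head += bytes([0x80 if is_request else 0]) + command_code.to_bytes(3, "big")
    return head + struct.pack("!III", app_id, 1, 1) + body

def screen(msg: bytes, rules: list) -> list:
    """Return the rules whose invalid AVP value appears in this message."""
    if len(msg) < 20 or msg[0] != 1 or int.from_bytes(msg[1:4], "big") != len(msg):
        raise ValueError("malformed Diameter header")
    key = (struct.unpack("!I", msg[8:12])[0],       # Application-ID
           int.from_bytes(msg[5:8], "big"),          # Command-Code
           bool(msg[4] & 0x80))                      # R bit: request or answer
    hits, off = [], 20
    while off < len(msg):
        if off + 8 > len(msg):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", msg[off:off + 5])
        length = int.from_bytes(msg[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8              # V bit adds a 4-byte Vendor-Id
        if length < hdr or off + length > len(msg):
            raise ValueError("bad AVP length")
        data = msg[off + hdr:off + length]
        hits += [r for r in rules if r[:3] == key and r.avp_code == code
                 and r.invalid_value == data]
        off += length + (-length % 4)                # skip padding to 4-byte boundary
    return hits

# Constructed sample: S6a (16777251) Update-Location (316), Origin-Realm AVP (296).
RULES = [Rule(16777251, 316, False, 296, b"blocked.example")]
ANSWER = build_msg(16777251, 316, False, [(264, b"hss.peer.example"), (296, b"blocked.example")])
REQUEST = build_msg(16777251, 316, True, [(296, b"blocked.example")])
```

Because the entry above is scoped to the Answer message type, `screen(REQUEST, RULES)` returns no hits even though the same AVP value is present.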