Levels of DoS Protection

The multi-level OECB DoS protection consists of the following strategies:

  • Fast path filtering/access control—Access control for signaling packets destined for the OECB host processor as well as for media (RTP) packets. The OECB filters media using its existing dynamic pinhole firewall capabilities. Fast path filtering of packets destined for the host processor requires the configuration and management of a trusted list, an untrusted list, and a deny list for each OECB realm (although individual devices can be dynamically trusted or denied by the OECB based on its configuration). You do not have to provision every endpoint/device on the OECB; you can instead retain the default values.
  • Host path protection—Includes flow classification, host path policing, and per-signaling-flow policing. Fast path filtering alone cannot protect the OECB host processor from being overwhelmed by a malicious attack from a trusted source. The host path and individual signaling flows must therefore be policed to ensure that a volume-based attack does not overwhelm the OECB's normal call processing, and consequently does not overwhelm the systems beyond it.

    The OECB must classify each source based on its ability to pass certain criteria that are signaling- and application-dependent. Initially each source is considered untrusted, with the possibility of being promoted to fully trusted. The OECB maintains two host paths, one for each class of traffic (trusted and untrusted), with different policing characteristics to ensure that fully trusted traffic always gets precedence.

  • Host-based malicious source detection and isolation/dynamic deny list—Malicious sources can be automatically detected in real-time and denied in the fast path to block them from reaching the host processor.
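The three levels above (fast path access control, separate trusted/untrusted host paths with per-flow policing, and dynamic denial of sources that keep exceeding their budget) can be modeled as one admission pipeline. The following is an added illustrative model written for this page; it is not OECB code, and the token-bucket rates, the "three valid messages" promotion rule, the five-drop deny threshold and the 60-second deny expiry are constructed assumptions chosen to keep the example small. Time is passed in explicitly so the behaviour is deterministic.

```python
"""Toy model of multi-level DoS protection for a signaling host (constructed example)."""


class TokenBucket:
    """Policer that admits one packet per token; `rate` tokens/sec, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class DosGuard:
    """Level 1: fast-path lists; level 2: host-path and per-flow policing; level 3: dynamic deny."""

    def __init__(self, promote_after=3, deny_after_drops=5, deny_seconds=60.0):
        self.trusted = set()            # statically provisioned or promoted sources
        self.denied = {}                # source -> time the deny entry expires (assumed temporary)
        self.promote_after = promote_after
        self.deny_after_drops = deny_after_drops
        self.deny_seconds = deny_seconds
        # Separate aggregate policers per host path: a flood on the untrusted path
        # cannot consume trusted-path capacity, so trusted traffic keeps precedence.
        self.host_path = {"trusted": TokenBucket(rate=100, burst=200),
                          "untrusted": TokenBucket(rate=10, burst=20)}
        self.flow = {}                  # per-source signaling-flow policers
        self.good_msgs = {}             # valid signaling messages accepted per untrusted source
        self.flow_drops = {}            # per-source drops by the flow policer

    def classify(self, src, now):
        """Level 1 (fast path): deny list first, then trusted list, else untrusted."""
        exp = self.denied.get(src)
        if exp is not None:
            if now < exp:
                return "denied"
            del self.denied[src]        # deny entry expired; source starts over as untrusted
        return "trusted" if src in self.trusted else "untrusted"

    def admit(self, src, now, valid_signaling=True):
        """Return the disposition of one signaling packet from `src` at time `now`."""
        cls = self.classify(src, now)
        if cls == "denied":
            return "drop:fast-path"     # never reaches the host processor

        # Level 2a: per-flow policer; untrusted sources get a much tighter budget.
        if src not in self.flow:
            self.flow[src] = (TokenBucket(rate=2, burst=5) if cls == "untrusted"
                              else TokenBucket(rate=20, burst=40))
        if not self.flow[src].allow(now):
            self.flow_drops[src] = self.flow_drops.get(src, 0) + 1
            # Level 3: a source that repeatedly exceeds its flow budget is moved to the
            # fast-path deny list, and its state is discarded for when the entry expires.
            if self.flow_drops[src] >= self.deny_after_drops:
                self.denied[src] = now + self.deny_seconds
                self.trusted.discard(src)
                for table in (self.flow, self.good_msgs, self.flow_drops):
                    table.pop(src, None)
                return "drop:flow-policer,now-denied"
            return "drop:flow-policer"

        # Level 2b: aggregate policer for the host path of this source's class.
        if not self.host_path[cls].allow(now):
            return "drop:host-path"

        # Promotion: an untrusted source that keeps passing the signaling criteria
        # (modeled here as a caller-supplied flag) is promoted to trusted.
        if cls == "untrusted" and valid_signaling:
            self.good_msgs[src] = self.good_msgs.get(src, 0) + 1
            if self.good_msgs[src] >= self.promote_after:
                self.trusted.add(src)
                self.flow[src] = TokenBucket(rate=20, burst=40)
                return "accept:untrusted,promoted"
        return f"accept:{cls}"


def demo():
    """Constructed traffic: a well-behaved phone and a flooding source (addresses made up)."""
    g = DosGuard()
    out = {"phone": [g.admit("10.0.0.5", float(t)) for t in range(4)]}
    out["flood"] = [g.admit("203.0.113.9", 10.0, valid_signaling=False) for _ in range(12)]
    out["flood_after_deny"] = g.admit("203.0.113.9", 11.0, valid_signaling=False)
    out["flood_after_expiry"] = g.admit("203.0.113.9", 80.0, valid_signaling=False)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the phone promoted to trusted after three accepted messages, the flood admitted only up to its per-flow burst, then dropped by the flow policer, then denied in the fast path once it has exceeded its budget five times, and finally readmitted as untrusted after the deny entry expires.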