IDS Phase 2 (Advanced Reporting)
This feature supplements the IDS reporting and protection services. IDS Phase 2 provides enterprise users with additional tools to identify, monitor, and control suspicious and possibly malicious traffic patterns. IDS Phase 2 requires the IDS Advanced Reporting license.
Rejected SIP Calls
IDS Phase 2 provides tools to monitor and record rejected SIP calls. A sudden or gradual increase in such calls can, but need not, indicate malicious intent.
IDS Phase 2 provides a global counter that increments with each SIP INVITE or REGISTER message that is rejected by the Acme Packet Oracle® Enterprise Session Border Controller, and offers the option of generating a syslog message in response to call rejection.
Rejected Calls Counter
The rejected calls counter is a 32-bit global counter that records the total number of rejected SIP calls. Such calls have been rejected by the Oracle® Enterprise Session Border Controller with the following response codes: 400, 403, 404, 405, 408, 413, 416, 417, 420, 423, 480, 481, 483, 484, 485, 488, 494, 500, 503, 505, and 604. These response codes may change with future software revisions.
The current value of the rejected calls counter is accessible via SNMP, Historical Data Recording (HDR), or the ACLI. In SNMP, the counter is an object of the apSysMgmtGeneralObjects table (1.3.6.1.4.1.9148.3.2.1.1).
| Object Name | Object OID | Description |
|---|---|---|
| apSysSipTotalCallsRejected | 1.3.6.1.4.1.9148.3.2.1.1.25 | Global counter for SIP calls that are rejected by the SBC |
The sip-error HDR collection group contains a new reporting field, Call Rejects, which contains the value of the global rejected calls counter.
The ACLI command show sipd errors displays the contents of the rejected calls counter.
```text
ORACLE# show sipd errors
12:29:13-131
SIP Errors/Events              ---- Lifetime ----
                           Recent      Total    PerMax
SDP Offer Errors                0          0         0
SDP Answer Errors               0          0         0
Drop Media Errors               0          0         0
Transaction Errors              0          0         0
Application Errors              0          0         0
Media Exp Events                0          0         0
Early Media Exps                0          0         0
Exp Media Drops                 0          0         0
Expired Sessions                0          0         0
Multiple OK Drops               0          0         0
Multiple OK Terms               0          0         0
Media Failure Drops             0          0         0
Non-ACK 2xx Drops               0          0         0
Invalid Requests                0          5         2
Invalid Responses               0          0         0
Invalid Messages                0          0         0
CAC Session Drop                0          0         0
Nsep User Exceeded              0          0         0
Nsep SA Exceeded                0          0         0
CAC BW Drop                     0          0         0
Calls Rejected                  0          0         0    <--
```
Syslog Reporting of Rejected Calls
Users can choose to send a syslog message in response to the rejection of a SIP call. In the default state, rejected calls are not reported to syslog.
Use the following ACLI command sequence to enable syslog reporting of rejected SIP calls.
```text
ORACLE# configure terminal
ORACLE(configure)# media-manager
ORACLE(media-manager)# media-manager
ORACLE(media-manager-config)# syslog-on-call-reject enable
```
The syslog-on-call-reject attribute, which is disabled by default, enables the generation of a syslog message in response to the rejection of a SIP call.
Use done, exit, and verify-config to complete this configuration.
Syslog messages issued in response to call rejection contain the following call-related information.
- SIP status code indicating rejection cause
- SIP method name (INVITE or REGISTER)
- Reason for denial
- Realm of calling endpoint
- Applicable local response map
- Content of Reason header (if present)
- From URI of calling endpoint
- Target URI of called endpoint
- Source and Destination IP address and port
- Transport type
The following are sample syslog messages issued in response to call rejections.
```text
Dec 8 06:05:42 172.30.70.119 deimos sipd[205bfee4] ERROR [IDS_LOG]INVITE from source 172.16.18.100:5060 to dest 172.16.101.13:5060[UDP] realm=net172; From=sipp <sip:sipp@172.16.18.100:5060>;tag=13890SIPpTag001; target=sip:service@172.16.101.13:5060 rejected!; status=483 (Too Many Hops)
Dec 10 15:09:28 172.30.70.119 deimos sipd[2065ace8] ERROR [IDS_LOG]INVITE from source 172.16.18.5:5060 to dest 172.16.101.13:5060[UDP] realm=net172; From=sipp <sip:sipp@172.16.18.5:5060>;tag=10015SIPpTag001; target=sip:service@172.16.101.13:5060 rejected!; status=488 (sdp-address-mismatch); error=sdp address mismatch
```
IDS syslog messages that report rejected calls and those that report endpoint demotions now contain a string IDS_LOG, to facilitate their identification as IDS-related messages. With IDS Phase 2, IDS messages reporting either endpoint demotions or call rejections can be sent to specific, previously-configured syslog servers.
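The following parser is an added example for this page, not Oracle code: it extracts the fields listed above from IDS_LOG call-rejection messages (the two samples plus one constructed REGISTER rejection) and counts rejections per source address, so a collector can spot the sudden rise in rejected calls the section warns about. The field layout is inferred from the sample messages, and the review threshold is a constructed value.

```python
import re
from collections import Counter

# Constructed sample input: the first two lines reproduce the page's samples,
# the third is a made-up REGISTER rejection for illustration.
SAMPLE_SYSLOG = """\
Dec 8 06:05:42 172.30.70.119 deimos sipd[205bfee4] ERROR [IDS_LOG]INVITE from source 172.16.18.100:5060 to dest 172.16.101.13:5060[UDP] realm=net172; From=sipp <sip:sipp@172.16.18.100:5060>;tag=13890SIPpTag001; target=sip:service@172.16.101.13:5060 rejected!; status=483 (Too Many Hops)
Dec 10 15:09:28 172.30.70.119 deimos sipd[2065ace8] ERROR [IDS_LOG]INVITE from source 172.16.18.5:5060 to dest 172.16.101.13:5060[UDP] realm=net172; From=sipp <sip:sipp@172.16.18.5:5060>;tag=10015SIPpTag001; target=sip:service@172.16.101.13:5060 rejected!; status=488 (sdp-address-mismatch); error=sdp address mismatch
Dec 10 15:09:29 172.30.70.119 deimos sipd[2065ace8] ERROR [IDS_LOG]REGISTER from source 172.16.18.5:5060 to dest 172.16.101.13:5060[UDP] realm=net172; From=sipp <sip:sipp@172.16.18.5:5060>;tag=10016SIPpTag001; target=sip:service@172.16.101.13:5060 rejected!; status=403 (Forbidden)
"""

# Field layout inferred from the sample messages; the trailing "; error=..."
# part is optional, as the second sample shows.
IDS_REJECT_RE = re.compile(
    r"\[IDS_LOG\](?P<method>INVITE|REGISTER) from source "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) to dest "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\[(?P<transport>\w+)\] "
    r"realm=(?P<realm>[^;]+); From=(?P<from_uri>.*?); "
    r"target=(?P<target>\S+) rejected!; "
    r"status=(?P<status>\d+) \((?P<reason>[^)]*)\)"
    r"(?:; error=(?P<error>.*))?$"
)

def parse_reject(line):
    """Return a dict of the IDS_LOG fields, or None if the line is not a call rejection."""
    m = IDS_REJECT_RE.search(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "status"):
        rec[key] = int(rec[key])
    return rec

def rejects_per_source(lines):
    """Count rejected INVITE/REGISTER messages per source IP address."""
    counts = Counter()
    for line in lines:
        rec = parse_reject(line)
        if rec is not None:
            counts[rec["src_ip"]] += 1
    return counts

def flag_sources(lines, threshold):
    """Source IPs whose rejection count reaches `threshold` (a constructed review cut-off)."""
    counts = rejects_per_source(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(flag_sources(SAMPLE_SYSLOG.splitlines(), 2))  # → ['172.16.18.5']
```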
In topologies that include multiple syslog servers, use the following procedure to enable delivery of IDS-related messages to one or more specific syslog servers.
TCA Reporting of Denied Entries
You can construct a Threshold Crossing Alarm (TCA), which issues minor, major, and critical system alarms when the count of denied entries exceeds pre-configured values. For each issued alarm, the TCA also transmits an SNMP trap that reports the alarm state to remote SNMP agents.
After issuing a system alarm and accompanying SNMP trap, the TCA continues to monitor the number of denied entries. If the number of denied entries rises to the next threshold value, a new, and more severe, system alarm/SNMP trap is generated. If the number of denied entries falls below the current threshold level, and remains there for a period of at least 10 seconds, a new, and less severe system alarm/SNMP trap is generated.
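The escalation and hold-down behaviour just described, as an added model written for this page (not Oracle's implementation), which is useful when deciding what sequence of alarms and traps a collector should expect from a given count history. The thresholds are constructed values; the model assumes that a de-escalation lands on the level matching the current count.

```python
class DeniedEntriesTca:
    """Model of the TCA escalation/de-escalation behaviour described above (illustration only)."""

    LEVELS = ("clear", "minor", "major", "critical")
    HOLD_DOWN_SECS = 10  # count must stay below the current threshold this long

    def __init__(self, minor, major, critical):
        # Thresholds are constructed values; choose them per deployment.
        self.thresholds = {"minor": minor, "major": major, "critical": critical}
        self.level = "clear"
        self._below_since = None  # time the count first dropped below the current level

    def _level_for(self, count):
        """Highest severity whose threshold the count exceeds."""
        level = "clear"
        for name in ("minor", "major", "critical"):
            if count > self.thresholds[name]:
                level = name
        return level

    def update(self, count, now):
        """Feed a denied-entry count sampled at `now` (seconds); return the new level when an alarm/trap would issue, else None."""
        target = self._level_for(count)
        rank = self.LEVELS.index
        if rank(target) > rank(self.level):
            # Rising through a threshold escalates immediately.
            self.level, self._below_since = target, None
            return target
        if rank(target) < rank(self.level):
            # Falling below the current threshold de-escalates only after
            # the count has stayed below it for HOLD_DOWN_SECS.
            if self._below_since is None:
                self._below_since = now
            elif now - self._below_since >= self.HOLD_DOWN_SECS:
                self.level, self._below_since = target, None
                return target
            return None
        self._below_since = None  # back at the current level: hold-down timer resets
        return None

def replay(tca, samples):
    """Run (time, count) samples through the TCA and return the alarms it would raise."""
    events = []
    for t, n in samples:
        level = tca.update(n, t)
        if level is not None:
            events.append((t, level))
    return events
```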
Syslog Reporting of Denied Entries
Syslog reporting of endpoint demotions was introduced as part of IDS Phase 1 in S-C6.2.0. With IDS Phase 2, such syslog messages contain the last SIP message from the endpoint that caused the transition to the denied state. If the included SIP message increases the length of the syslog beyond 1024 bytes, the SIP message is truncated so that the syslog is no larger than 1024 bytes.
CPU Load Limiting
The transmission of IDS-related system alarms and SNMP traps is disabled when the CPU utilization rate surpasses a configured threshold percentage, reducing system resource utilization. When the threshold is exceeded, a syslog message (MINOR level) announces the termination of IDS reporting. No additional syslog messages or SNMP traps are generated until the CPU utilization rate falls below the configured threshold. The resumption of IDS reporting is announced by another syslog message, also issued at the MINOR level.
The system manages percent CPU utilization as follows:
- Begins rejecting SIP requests when the CPU reaches its throttling threshold, and
- Rejects all SIP requests, as well as stops sending IDS-related system alarms and SNMP traps, when the CPU reaches its maximum.
See the SMP-Aware Task Load Limiting section in the Oracle® Communications Session Border Controller Maintenance and Troubleshooting Guide for information on how this works and how the user can configure the CPU throttling threshold and maximum CPU utilization.
Denied Endpoints
IDS Phase 2 provides a denied endpoint counter that includes SIP endpoints. The global counter value is available via SNMP or HDR.
In SNMP, the global counter is found under APSYSMGMT-MIB, acmepacketMgmt, apSystemManagementModule, apSysMgmtMIBObjects, apSysMgmtMIBGeneralObjects, as an object of the apSysMgmtGeneralObjects table (1.3.6.1.4.1.9148.3.2.1.1).
| Object Name | Object OID | Description |
|---|---|---|
| apSysCurrentEndptsDenied | 1.3.6.1.4.1.9148.3.2.1.1.26 | Global counter for current endpoints denied |
The system HDR collection group contains a new reporting field, Current Deny Entries Allocated, which contains the value of the global endpoints denied counter.