Dynamic ACL for the HTTP-ALG

The dynamic Access Control List (ACL) option for HTTP-Application Layer Gateway (ALG) provides Distributed Denial of Service (DDoS) attack protection for the HTTP port.

When you enable the dynamic ACL option, the system sets the trust level of the static flow for the public listening socket (defined under HTTP ALG, Public) to Untrusted. Each listening socket creates and manages its own ACL list, which lets the listening socket track the number of received and invalid messages, the number of connections per endpoint, and so on. You can configure a different setting for each HTTP ALG object.

Dynamic ACL for each endpoint is triggered by Session Initiation Protocol (SIP) registration messages. Upon receiving a SIP registration message, the SIP agent creates a dynamic ACL entry for the endpoint. If the 200 OK response is received, the ACL entry is promoted, allowing HTTP messages from the endpoint to pass through the security domain. If SIP registration is unsuccessful, the ACL entry is removed and HTTP ingress messages from the endpoint are blocked. The ACL entry is also removed upon an incomplete registration renewal or a phone disconnect.

The following table lists the criteria and the associated configuration items that result in a denied or allowed connection, for both the Low and Medium access control levels.

| Criteria | Associated Configuration Item | Action |
|---|---|---|
| Exceed total number of allowed connections | HTTP ALG, max-incoming-conns | Connection denied |
| Exceed total connections per peer | HTTP ALG, per-src-ip-max-incoming-conns | Connection denied |
| ACL not promoted | Dynamically set on SIP registration | Connection denied |
| Exceed maximum number of packets/sec | Realm Config, maximum-signal-threshold | Connection denied and peer is promoted |
| Exceed maximum number of error packets | Realm Config, invalid-signal-threshold | Connection denied and peer is promoted |
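The registration-driven lifecycle of an ACL entry and the admission criteria in the table can be modelled as a small state machine. The following Python is an added illustration, not Oracle code: it keeps one listening socket's ACL list and counters, creates a pending entry on SIP REGISTER, promotes it on 200 OK, removes it on failure or disconnect, and then applies the table's checks in order to each new HTTP connection. The class, method and state names, the sample addresses and the numeric limits are all constructed assumptions; only the configuration item names come from the table. How the realm's access control trust level changes a peer's trust after a threshold violation is not modelled.

```python
from dataclasses import dataclass
from enum import Enum


class AclState(Enum):
    PENDING = "pending"      # created on SIP REGISTER, no 200 OK seen yet
    PROMOTED = "promoted"    # 200 OK received: HTTP from this endpoint may pass


@dataclass
class Config:
    # HTTP ALG items (names from the table above)
    max_incoming_conns: int
    per_src_ip_max_incoming_conns: int
    # Realm Config items, applied to promoted peers
    maximum_signal_threshold: int   # packets/sec allowed per peer
    invalid_signal_threshold: int   # error packets allowed per peer


@dataclass
class PeerStats:
    conns: int = 0
    pkts_this_sec: int = 0
    error_pkts: int = 0


class HttpAlgAcl:
    """One listening socket's dynamic ACL list plus its per-peer counters (assumed model)."""

    def __init__(self, cfg: Config):
        self.cfg = cfg
        self.acl = {}      # endpoint -> AclState
        self.stats = {}    # endpoint -> PeerStats
        self.total_conns = 0

    # ---- SIP-driven lifecycle of the per-endpoint ACL entry ----
    def sip_register(self, ep: str) -> None:
        self.acl[ep] = AclState.PENDING        # entry exists, HTTP still blocked

    def sip_register_result(self, ep: str, status: int) -> None:
        if status == 200:
            self.acl[ep] = AclState.PROMOTED   # 200 OK promotes the entry
        else:
            self.acl.pop(ep, None)             # failed registration removes it

    def sip_endpoint_gone(self, ep: str) -> None:
        self.acl.pop(ep, None)                 # incomplete renewal or disconnect

    # ---- counters consulted by the Realm Config thresholds ----
    def record_packet(self, ep: str, valid: bool = True) -> None:
        st = self.stats.setdefault(ep, PeerStats())
        st.pkts_this_sec += 1
        if not valid:
            st.error_pkts += 1

    def next_second(self) -> None:
        for st in self.stats.values():
            st.pkts_this_sec = 0

    # ---- admission decision for a new HTTP connection ----
    def admit_connection(self, ep: str) -> tuple:
        """Apply the table's criteria top to bottom; return (allowed, reason)."""
        cfg = self.cfg
        st = self.stats.setdefault(ep, PeerStats())
        if self.total_conns >= cfg.max_incoming_conns:
            return False, "max-incoming-conns exceeded"
        if st.conns >= cfg.per_src_ip_max_incoming_conns:
            return False, "per-src-ip-max-incoming-conns exceeded"
        if self.acl.get(ep) is not AclState.PROMOTED:
            return False, "ACL not promoted"
        # Promoted peers remain subject to the DDoS thresholds.
        if st.pkts_this_sec > cfg.maximum_signal_threshold:
            return False, "maximum-signal-threshold exceeded"
        if st.error_pkts > cfg.invalid_signal_threshold:
            return False, "invalid-signal-threshold exceeded"
        st.conns += 1
        self.total_conns += 1
        return True, "allowed"

    def close_connection(self, ep: str) -> None:
        self.stats[ep].conns -= 1
        self.total_conns -= 1


def demo() -> list:
    """Walk constructed endpoints through the flow; returns the decision reasons."""
    cfg = Config(max_incoming_conns=3, per_src_ip_max_incoming_conns=2,
                 maximum_signal_threshold=5, invalid_signal_threshold=2)
    acl = HttpAlgAcl(cfg)
    phone, rogue, other = "192.0.2.10", "192.0.2.66", "192.0.2.11"  # constructed
    out = [acl.admit_connection(phone)[1]]            # no REGISTER seen
    acl.sip_register(phone)
    out.append(acl.admit_connection(phone)[1])        # pending: still denied
    acl.sip_register_result(phone, 200)
    out.append(acl.admit_connection(phone)[1])        # allowed
    out.append(acl.admit_connection(phone)[1])        # allowed (2nd per peer)
    out.append(acl.admit_connection(phone)[1])        # per-peer limit hit
    acl.sip_register(rogue)
    acl.sip_register_result(rogue, 403)               # failed registration
    out.append(acl.admit_connection(rogue)[1])        # entry was removed
    acl.sip_register(other)
    acl.sip_register_result(other, 200)
    out.append(acl.admit_connection(other)[1])        # allowed (3rd overall)
    out.append(acl.admit_connection(other)[1])        # socket-wide limit hit
    acl.close_connection(phone)                       # free one slot
    for _ in range(6):
        acl.record_packet(other)                      # 6 pkts/sec > 5
    out.append(acl.admit_connection(other)[1])
    acl.next_second()
    for _ in range(3):
        acl.record_packet(other, valid=False)         # 3 error pkts > 2
    out.append(acl.admit_connection(other)[1])
    return out


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The checks are evaluated in the order the table lists them, so a flood from an unregistered source is rejected at the ACL check without its packet counters ever being consulted; running `demo()` shows each denial reason in turn.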

Oracle recommends setting Realm Config, Access Control Level to Medium.

If a peer is promoted to Trusted, the system performs DDoS checks against the maximum number of packets/sec and the maximum number of error packets allowed.

Demotions depend on the Realm Config, Access Control Trust Level setting for the realm. For more information on Realm Config settings, see the ACLI Configuration Guide.

If you want to configure different ACL settings for SIP traffic and for HTTP-ALG traffic, you must configure a realm for each type of traffic.