DDoS Access - Configuration Parameters
The following sections discuss the DDoS parameters pertinent to the scope of this appendix. The parameters used to satisfy its requirements and scope are not exhaustive; they are the ones modified for this basic configuration, and they fall into three configuration areas: Media Manager, Realm Configuration, and SIP Interface. The maximum signaling bandwidth per platform should be set to keep CPU usage below 90%.
Media Manager
The following media-manager parameters have been calculated for each configuration model.
- max-untrusted-signaling - Maximum percentage of the allocated max-signaling-bandwidth for untrusted traffic (%)
- min-untrusted-signaling - Minimum percentage of the allocated max-signaling-bandwidth for untrusted traffic (%)
- max-signaling-bandwidth - The maximum bandwidth that the SBC can withstand (bytes/sec)
These parameters are set to values that do not allow a SIP REGISTER flood to push total CPU utilization above 89%, and the background trusted traffic must not be adversely affected.
The recommended values for these media-manager parameters for each test scenario are listed by system model.
The following media-manager parameters are left at their default values:
- min-media-allocation
- min-trusted-allocation
- deny-allocation
For this appendix, these defaults are used and are indicated in the platform results later by system model.
Realm Configuration
The following realm-config parameters are used in the basic DDoS configuration.
| Parameter | Access Realm | Core Realm |
|---|---|---|
| access-control-trust-level | low | high |
| invalid-signal-threshold | 1 | 0 |
| average-rate-limit | 0 | 0 |
| maximum-signal-threshold | 4000 | 0 |
| untrusted-signal-threshold | 1 | 0 |
The maximum-signal-threshold of 4000 is deliberately very high so as not to impact service. It should be reduced to a value close to the maximum number of signaling messages one client sends within the realm's tolerance-window (30 seconds by default). Base the threshold on an actual trace so that the extraneous messages that are normally overlooked are counted, and allow for network loss and/or renegotiations.
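The trace-based sizing described above, as an added example that is not part of the original appendix or of Oracle's own tooling: it walks a per-client sliding window equal to the tolerance-window over a constructed sample trace, finds the busiest legitimate client's peak, and scales it by a headroom factor (the 1.5 factor is an assumption, standing in for the loss and renegotiation allowance the text asks for).

```python
import math
from collections import defaultdict

# realm-config tolerance-window default, as stated in the text (seconds)
TOLERANCE_WINDOW = 30

# Constructed sample trace (not a real capture): (timestamp_s, source_ip, method).
# Client .130 sends a REGISTER burst, then re-registers later; client .132 runs a
# long INVITE/re-INVITE exchange; client .134 is a quiet endpoint.
SAMPLE_TRACE = (
    [(t, "14.0.2.130", "REGISTER") for t in (0, 2, 4, 6, 8, 10, 40, 42, 44)]
    + [(t, "14.0.2.132", "INVITE") for t in list(range(12)) + [25, 28, 31]]
    + [(5, "14.0.2.134", "REGISTER"), (35, "14.0.2.134", "REGISTER")]
)


def peak_messages_per_client(trace, window=TOLERANCE_WINDOW):
    """For each source IP, the largest number of messages seen in any sliding
    interval of `window` seconds (the interval ending at t is (t - window, t])."""
    by_src = defaultdict(list)
    for ts, src, _method in trace:
        by_src[src].append(ts)
    peaks = {}
    for src, times in by_src.items():
        times.sort()
        left = best = 0
        for right, t in enumerate(times):
            # discard messages that have fallen out of the window ending at t
            while t - times[left] >= window:
                left += 1
            best = max(best, right - left + 1)
        peaks[src] = best
    return peaks


def recommend_maximum_signal_threshold(trace, window=TOLERANCE_WINDOW, headroom=1.5):
    """Busiest client's peak scaled by a headroom factor (assumed value) so that
    retransmissions after loss and renegotiations do not demote a real client."""
    peaks = peak_messages_per_client(trace, window)
    busiest = max(peaks.values(), default=0)
    return math.ceil(busiest * headroom)


if __name__ == "__main__":
    for src, peak in sorted(peak_messages_per_client(SAMPLE_TRACE).items()):
        print(f"{src}: peak {peak} messages per {TOLERANCE_WINDOW}s window")
    print("recommended maximum-signal-threshold:",
          recommend_maximum_signal_threshold(SAMPLE_TRACE))
```

Compare the recommendation against the configured 4000 from the table; the gap between the two is the room a REGISTER flood from one trusted address has before the realm demotes it.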
DDoS-2 show commands
DDoS-2 is supported on the Acme Packet 4600, Acme Packet 6100, Acme Packet 6300, and Acme Packet 6350 platforms. DDoS-2 increases the number of trusted endpoints to a maximum of 500K for the Acme Packet 4600/6100/6300 and 750K for the Acme Packet 6350. It also increases the number of denied endpoints to a maximum of 96K for the Acme Packet 6350 and 64K for the Acme Packet 4600/6100/6300.
```
ORACLE#show acl info
Access Control List Statistics:
                  | # of entries   % utilization   Reserved Entry Count
-----------------------------------------------------------------------
Denied            |            0            0.0%                  32000
Trusted           |            3            0.0%                   8000
Media             |            2            0.0%                  64000
Untrusted         |            1            0.1%                   2000
Dynamic Trusted   |         4800            1.9%                 250000
INTFC             |            2               -                      -
-----------------------------------------------------------------------
Total CAM space used = 8 of 126976 (99.99% free)
Total HASH-table space used = 4800 of 250000 (98.08% free)
---------------------------------------------------------------------
ORACLE#trusted entries:
intf:vlan  src-IP        dest-IP/mask   port  prot  type     index    recv    drop
0/0:0      0.0.0.0       177.1.1.100          ICMP  static   65537    0       0
1/0:0      0.0.0.0       188.1.1.200          ICMP  static   65539    0       0
1/0:0      0.0.0.0       188.1.1.200    5060  UDP   static   65541    333676  0
dynamic trusted entries sharing IFD 0x1e600:
0/0:0      14.0.2.130    177.1.1.100    5060  UDP   dynamic  132096   2       0
0/0:0      14.0.10.130   177.1.1.100    5060  UDP   dynamic  133120
0/0:0      14.0.18.130   177.1.1.100    5060  UDP   dynamic  134144
0/0:0      14.0.26.130   177.1.1.100    5060  UDP   dynamic  135168
0/0:0      14.0.34.130   177.1.1.100    5060  UDP   dynamic  136192
dynamic trusted entries sharing IFD 0x1e601:
0/0:0      14.0.2.132    177.1.1.100    5060  UDP   dynamic  132097   2       0
0/0:0      14.0.10.132   177.1.1.100    5060  UDP   dynamic  133121
0/0:0      14.0.18.132   177.1.1.100    5060  UDP   dynamic  134145
0/0:0      14.0.26.132   177.1.1.100    5060  UDP   dynamic  135169
0/0:0      14.0.34.132   177.1.1.100    5060  UDP   dynamic  136193
dynamic trusted entries sharing IFD 0x1e602:
0/0:0      14.0.2.134    177.1.1.100    5060  UDP   dynamic  132098   2       0
0/0:0      14.0.10.134   177.1.1.100    5060  UDP   dynamic  133122
0/0:0      14.0.18.134   177.1.1.100    5060  UDP   dynamic  134146
0/0:0      14.0.26.134   177.1.1.100    5060  UDP   dynamic  135170
0/0:0      14.0.34.134   177.1.1.100    5060  UDP   dynamic  136194
```