DDoS Access - Configuration Parameters

The following sections discuss the DDoS parameters pertinent to the scope of this appendix. The set of parameters used to satisfy the requirements and scope of this appendix is not exhaustive; they are the parameters that are modified for this basic configuration. They fall into three configuration areas: Media Manager, Realm Configuration, and SIP Interface. The maximum signaling bandwidth per platform should be set to keep CPU usage below 90%.

Media Manager

The following media-manager parameters have been calculated for each configuration model.

  • max-untrusted-signaling - Maximum percentage of the allocated max-signaling-bandwidth for untrusted traffic (%)
  • min-untrusted-signaling - Minimum percentage of the allocated max-signaling-bandwidth for untrusted traffic (%)
  • max-signaling-bandwidth - The maximum bandwidth that the SBC can withstand (bytes/sec)

These parameters are set to values that do not allow a SIP REGISTER flood to push total CPU utilization above 89%, while the background trusted traffic must not be adversely affected.

The recommended values for these media-manager parameters for each test scenario are listed by system model.

The following Media Manager parameters have platform-specific defaults (not configurable; use "show acl info" to see the values in effect on each platform):
  • min-media-allocation
  • min-trusted-allocation
  • deny-allocation

For this appendix, these defaults will be used and are indicated in the platform results later by system model.

Realm Configuration

The following realm-config parameters are used in the basic DDoS configuration.

Parameter                    Access Realm   Core Realm
access-control-trust-level   low            high
invalid-signal-threshold     1              0
average-rate-limit           0              0
maximum-signal-threshold     4000           0
untrusted-signal-threshold   1              0

The maximum-signal-threshold of 4000 is deliberately very high so as not to impact service. It should be reduced to a value close to the maximum number of signaling messages one client sends within the realm's tolerance-window, which is 30 seconds by default. Base the threshold on an actual trace so that the extraneous messages normally not considered are counted, and allow for network loss (retransmissions) and renegotiations.
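As an added worked example (not part of this appendix or of Oracle's software), the following Python derives a maximum-signal-threshold from a trace that has been reduced to per-message timestamps and source addresses, then checks a candidate value against a benign trace and a known flood. The two traces, the 1.5x headroom factor and the default 30-second tolerance-window are constructed assumptions; substitute the figures from your own capture.

```python
import math
from collections import defaultdict

# realm-config tolerance-window default, in seconds (assumption: the realm keeps the default)
TOLERANCE_WINDOW = 30.0

# Constructed trace of normal access-realm traffic, reduced to (seconds, source IP).
# 192.0.2.10 registers once a minute and retransmits twice over UDP;
# 192.0.2.11 sets up a call, renegotiates it, and tears it down.
NORMAL_TRACE = [
    (0.0, "192.0.2.10"), (0.5, "192.0.2.10"), (1.0, "192.0.2.10"),
    (60.0, "192.0.2.10"), (60.5, "192.0.2.10"),
    (10.0, "192.0.2.11"), (11.0, "192.0.2.11"), (12.0, "192.0.2.11"),
    (13.0, "192.0.2.11"), (14.0, "192.0.2.11"), (15.0, "192.0.2.11"),
    (16.0, "192.0.2.11"), (35.0, "192.0.2.11"), (36.0, "192.0.2.11"),
    (75.0, "192.0.2.11"), (76.0, "192.0.2.11"),
]

# Constructed REGISTER flood: one source sending ten messages a second for ten seconds.
FLOOD_TRACE = [(i / 10.0, "203.0.113.5") for i in range(100)]


def max_messages_in_window(times, window=TOLERANCE_WINDOW):
    """Largest number of messages from one endpoint that fall inside any
    half-open interval [t, t + window). Two-pointer sweep over sorted times."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def per_endpoint_peaks(trace, window=TOLERANCE_WINDOW):
    """Map each source IP in the trace to its busiest tolerance-window."""
    by_src = defaultdict(list)
    for ts, src in trace:
        by_src[src].append(ts)
    return {src: max_messages_in_window(ts, window) for src, ts in by_src.items()}


def recommend_threshold(trace, window=TOLERANCE_WINDOW, headroom=1.5):
    """Suggest a maximum-signal-threshold: the busiest endpoint's peak, scaled by a
    headroom factor (assumption: 1.5x) to cover retransmissions and renegotiations
    the sample trace may not have captured. Returns (threshold, source, peak)."""
    peaks = per_endpoint_peaks(trace, window)
    if not peaks:
        return 0, None, 0
    src, peak = max(peaks.items(), key=lambda kv: kv[1])
    return math.ceil(peak * headroom), src, peak


def endpoints_exceeding(trace, threshold, window=TOLERANCE_WINDOW):
    """Sources that would send more than `threshold` messages inside one
    tolerance-window. Replay a benign trace (expect an empty set) and a known
    flood (expect only the attacker) against a candidate value before committing it."""
    return {src for src, peak in per_endpoint_peaks(trace, window).items() if peak > threshold}


if __name__ == "__main__":
    threshold, src, peak = recommend_threshold(NORMAL_TRACE)
    print(f"busiest endpoint {src}: {peak} messages in {TOLERANCE_WINDOW:.0f}s -> threshold {threshold}")
    print("benign trace trips:", endpoints_exceeding(NORMAL_TRACE, threshold))
    print("with flood trips:  ", endpoints_exceeding(NORMAL_TRACE + FLOOD_TRACE, threshold))
```

The threshold counts every signaling message a source sends inside the window, so UDP retransmissions under loss count toward it; that is why the headroom is applied to the observed peak rather than to an idealized message count.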

DDoS-2 show commands

DDoS-2 is supported on the following platforms: Acme Packet 4600, Acme Packet 6100, Acme Packet 6300, and Acme Packet 6350. DDoS-2 increases the maximum number of trusted endpoints to 500K for the Acme Packet 4600/6100/6300 and 750K for the Acme Packet 6350. It also increases the maximum number of denied endpoints to 64K for the Acme Packet 4600/6100/6300 and 96K for the Acme Packet 6350.

The command show acl info reports the current usage of the ACL tables, including the CAM and HASH-table space:
ORACLE#show acl info

Access Control List Statistics:

                |   # of entries  |   % utilization   |   Reserved Entry Count
-----------------------------------------------------------------------
Denied          |          0                0.0%                 32000
Trusted         |          3                0.0%                  8000
Media           |          2                0.0%                 64000
Untrusted       |          1                0.1%                  2000
Dynamic Trusted |       4800                1.9%                250000
INTFC           |          2                 -                  -
-----------------------------------------------------------------------
Total CAM space used = 8 of 126976 (99.99% free)
Total HASH-table space used = 4800 of 250000 (98.08% free)
---------------------------------------------------------------------
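The following Python, added here as an example and not Oracle's own tooling, parses that output and recomputes utilization from the raw entry counts so that a monitor does not depend on the rounded "% utilization" column. The sample text is the output shown above; the 80% warning level and the near-full variant of the Denied table are constructed assumptions.

```python
import re

# Output of `show acl info` copied from the appendix text above; in practice it
# is captured from the ACLI on a schedule.
ACL_INFO = """\
Access Control List Statistics:

                |   # of entries  |   % utilization   |   Reserved Entry Count
-----------------------------------------------------------------------
Denied          |          0                0.0%                 32000
Trusted         |          3                0.0%                  8000
Media           |          2                0.0%                 64000
Untrusted       |          1                0.1%                  2000
Dynamic Trusted |       4800                1.9%                250000
INTFC           |          2                 -                  -
-----------------------------------------------------------------------
Total CAM space used = 8 of 126976 (99.99% free)
Total HASH-table space used = 4800 of 250000 (98.08% free)
"""

# Constructed variant: the Denied table nearly full, as it might look under a sustained attack.
NEAR_FULL = ACL_INFO.replace(
    "Denied          |          0                0.0%",
    "Denied          |      31500               98.4%")

# One table row: name | entries  utilization  reserved   (INTFC shows "-" for the last two)
ROW_RE = re.compile(
    r"^(?P<name>[A-Za-z ]+?)\s*\|\s*(?P<count>\d+)\s+(?P<util>[\d.]+%|-)\s+(?P<reserved>\d+|-)\s*$")
# The two "Total ... used = X of Y" summary lines
TOTAL_RE = re.compile(r"^Total (?P<what>.+?) used = (?P<used>\d+) of (?P<cap>\d+)")


def parse_acl_info(text):
    """Return ({table: (entries, reserved or None)}, {space: (used, capacity)})."""
    tables, spaces = {}, {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            reserved = None if m["reserved"] == "-" else int(m["reserved"])
            tables[m["name"].strip()] = (int(m["count"]), reserved)
            continue
        m = TOTAL_RE.match(line)
        if m:
            spaces[m["what"]] = (int(m["used"]), int(m["cap"]))
    return tables, spaces


def headroom_report(text, warn_pct=80.0):
    """Recompute utilization from the raw counts and return
    (utilization dict in percent, warnings for anything at or above warn_pct)."""
    tables, spaces = parse_acl_info(text)
    # INTFC has no reserved budget, so it is skipped
    budgets = {name: (count, reserved) for name, (count, reserved) in tables.items() if reserved}
    budgets.update(spaces)
    util, warnings = {}, []
    for name, (used, cap) in budgets.items():
        pct = 100.0 * used / cap
        util[name] = round(pct, 2)
        if pct >= warn_pct:
            warnings.append(f"{name}: {used}/{cap} entries ({pct:.1f}%) at or above {warn_pct:.0f}%")
    return util, warnings


if __name__ == "__main__":
    for label, text in (("baseline", ACL_INFO), ("near-full", NEAR_FULL)):
        util, warnings = headroom_report(text)
        print(label, util, warnings or "no warnings")
```

During a flood the tables to watch are Denied and Dynamic Trusted, since those are the ones DDoS-2 enlarges; polling this report lets you see them approaching the reserved entry count before new entries can no longer be added.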
The command show acl all shows the endpoint allocation per TM-flow. In the example below, each TM-flow (IFD) carries 5 endpoints:
ORACLE#show acl all
trusted entries:
intf:vlan src-IP       dest-IP/mask  port prot type    index  recv   drop
0/0:0     0.0.0.0      177.1.1.100        ICMP static  65537  0      0
1/0:0     0.0.0.0      188.1.1.200        ICMP static  65539  0      0
1/0:0     0.0.0.0      188.1.1.200   5060 UDP  static  65541  333676 0
dynamic trusted entries sharing IFD 0x1e600:
0/0:0     14.0.2.130   177.1.1.100   5060 UDP  dynamic 132096 2      0
0/0:0     14.0.10.130  177.1.1.100   5060 UDP  dynamic 133120 
0/0:0     14.0.18.130  177.1.1.100   5060 UDP  dynamic 134144
0/0:0     14.0.26.130  177.1.1.100   5060 UDP  dynamic 135168
0/0:0     14.0.34.130  177.1.1.100   5060 UDP  dynamic 136192
dynamic trusted entries sharing IFD 0x1e601:
0/0:0     14.0.2.132   177.1.1.100   5060 UDP  dynamic 132097 2       0
0/0:0     14.0.10.132  177.1.1.100   5060 UDP  dynamic 133121
0/0:0     14.0.18.132  177.1.1.100   5060 UDP  dynamic 134145
0/0:0     14.0.26.132  177.1.1.100   5060 UDP  dynamic 135169
0/0:0     14.0.34.132  177.1.1.100   5060 UDP  dynamic 136193
dynamic trusted entries sharing IFD 0x1e602:
0/0:0     14.0.2.134   177.1.1.100   5060 UDP  dynamic 132098 2       0
0/0:0     14.0.10.134  177.1.1.100   5060 UDP  dynamic 133122
0/0:0     14.0.18.134  177.1.1.100   5060 UDP  dynamic 134146
0/0:0     14.0.26.134  177.1.1.100   5060 UDP  dynamic 135170
0/0:0     14.0.34.134  177.1.1.100   5060 UDP  dynamic 136194
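Added example, not part of the appendix: Python that parses the show acl all listing, groups the dynamic trusted entries by the IFD they share, and checks that every TM-flow carries the expected number of endpoints. The embedded excerpt is copied from the listing above with the third IFD group omitted; rows that lack recv/drop counts are kept exactly as the device printed them. The expected count of 5 is the figure the text states; the check functions are illustrative names, not ACLI commands.

```python
import re
from collections import defaultdict

# Excerpt of `show acl all` output copied from the appendix above (two of the three IFD groups).
ACL_ALL = """\
trusted entries:
intf:vlan src-IP       dest-IP/mask  port prot type    index  recv   drop
0/0:0     0.0.0.0      177.1.1.100        ICMP static  65537  0      0
1/0:0     0.0.0.0      188.1.1.200        ICMP static  65539  0      0
1/0:0     0.0.0.0      188.1.1.200   5060 UDP  static  65541  333676 0
dynamic trusted entries sharing IFD 0x1e600:
0/0:0     14.0.2.130   177.1.1.100   5060 UDP  dynamic 132096 2      0
0/0:0     14.0.10.130  177.1.1.100   5060 UDP  dynamic 133120
0/0:0     14.0.18.130  177.1.1.100   5060 UDP  dynamic 134144
0/0:0     14.0.26.130  177.1.1.100   5060 UDP  dynamic 135168
0/0:0     14.0.34.130  177.1.1.100   5060 UDP  dynamic 136192
dynamic trusted entries sharing IFD 0x1e601:
0/0:0     14.0.2.132   177.1.1.100   5060 UDP  dynamic 132097 2       0
0/0:0     14.0.10.132  177.1.1.100   5060 UDP  dynamic 133121
0/0:0     14.0.18.132  177.1.1.100   5060 UDP  dynamic 134145
0/0:0     14.0.26.132  177.1.1.100   5060 UDP  dynamic 135169
0/0:0     14.0.34.132  177.1.1.100   5060 UDP  dynamic 136193
"""

IFD_RE = re.compile(r"^dynamic trusted entries sharing IFD (?P<ifd>0x[0-9a-fA-F]+):")
# intf:vlan src dst [port] prot type index [recv drop]; port is absent for ICMP rows
ENTRY_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?:(?P<port>\d+)\s+)?"
    r"(?P<prot>[A-Z]+)\s+(?P<type>static|dynamic)\s+(?P<index>\d+)"
    r"(?:\s+(?P<recv>\d+)\s+(?P<drop>\d+))?\s*$")


def parse_acl_all(text):
    """Return a list of entry dicts; dynamic entries carry the IFD they share."""
    entries, ifd = [], None
    for line in text.splitlines():
        m = IFD_RE.match(line)
        if m:
            ifd = m["ifd"]          # every dynamic row until the next header belongs to this IFD
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                # column header and section titles
        e = m.groupdict()
        e["port"] = int(e["port"]) if e["port"] else None
        e["index"] = int(e["index"])
        e["recv"] = int(e["recv"]) if e["recv"] else None
        e["drop"] = int(e["drop"]) if e["drop"] else None
        e["ifd"] = ifd if e["type"] == "dynamic" else None
        entries.append(e)
    return entries


def endpoints_per_ifd(entries):
    """Number of dynamic trusted endpoints sharing each IFD (TM-flow)."""
    counts = defaultdict(int)
    for e in entries:
        if e["type"] == "dynamic":
            counts[e["ifd"]] += 1
    return dict(counts)


def unbalanced_ifds(entries, expected):
    """IFDs whose endpoint count differs from the expected per-flow allocation."""
    return {ifd: n for ifd, n in endpoints_per_ifd(entries).items() if n != expected}


def dropping_entries(entries):
    """Entries with a non-zero drop counter, which warrant a closer look."""
    return [e for e in entries if e["drop"]]


if __name__ == "__main__":
    entries = parse_acl_all(ACL_ALL)
    print("endpoints per IFD:", endpoints_per_ifd(entries))
    print("unbalanced (expect 5):", unbalanced_ifds(entries, 5) or "none")
    print("entries dropping:", [e["src"] for e in dropping_entries(entries)] or "none")
```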