C DDoS Prevention for Peering Environments

This section presents recommended settings and guidelines for DDoS prevention in a peering environment.

The settings outlined in this appendix apply to the following configuration models:
  • PBRB - Policy Based Realm Bridging Model
  • SNB - SIP NAT Bridge Model
  • SSNHTN - Single SIP NAT Hosted in Trusted Network Model

Supported Platforms

Platform   Flow Table Size   Memory
AP6350     2000000           48G
AP6300     1000000           16G
AP4600     1000000           16G
AP6100     1000000           16G

Observations/Limitations

The settings outlined in this appendix are beneficial when facing malicious attacks from unknown sources; this is a typical concern when deploying peering traffic on the public Internet. Setting access-control-trust-level to "high" in both the peer realm and an ACL (access-control) yields an implicit-deny scenario in which traffic from unknown source IP addresses is silently discarded at the hardware level, protecting both the SBC's host CPU and the core devices from attack. This configuration is not designed to prevent attacks generated from behind a trusted source IP within the peer's network, since all traffic from the peer is considered "trusted". The SBC therefore forwards all traffic from trusted sources to the core network, subject only to the system's hardware and software capacity. There is no demotion event when access-control-trust-level at the realm is set to "high", because packets from a trusted peer endpoint are always allocated to the trusted queue for processing.

An alternative DDoS prevention practice in peering is to set access-control-trust-level to "medium", but this type of configuration requires tuning "max-untrusted-signaling", "min-untrusted-signaling", and "maximum-signal-threshold", which vary greatly from one customer to the next. Please contact your Sales Representative for more information on Professional Services available from Oracle to design comprehensive security solutions.

As the media-manager is a global configuration element, this appendix assumes that the SBC has not been configured in hybrid mode, in which the SBC supports both Access and Peering traffic. Further, it assumes the peer realm MUST have a sip-interface associated with it in order for the DDoS prevention configuration to be effective. Alternatively, in a Nested/Pseudo realm configuration, the DDoS prevention configuration associated with the parent realm (which has a sip-interface associated) will apply.
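The following ACLI fragment is an added example illustrating the implicit-deny model described above; it is not taken from this guide, and the realm name (peer-realm), network interface (M00:0), SIP interface address (198.51.100.1) and peer source address (192.0.2.10) are placeholders. The realm sets access-control-trust-level to high, a sip-interface is bound to the realm so the setting takes effect, and one access-control entry marks the known peer as trusted; any source not matched by such an entry is discarded in hardware.

```text
configure terminal
media-manager
realm-config
  identifier peer-realm
  network-interfaces M00:0
  access-control-trust-level high
done
exit
session-router
sip-interface
  realm-id peer-realm
  sip-port
    address 198.51.100.1
    port 5060
    transport-protocol UDP
  done
done
access-control
  realm-id peer-realm
  source-address 192.0.2.10
  destination-address 0.0.0.0
  application-protocol SIP
  transport-protocol ALL
  access permit
  trust-level high
done
exit
exit
save-config
activate-config
```

Add one access-control entry per trusted peer address (or address block); a peer omitted here will be silently dropped rather than demoted, so verify the peer list against the interconnect agreement before activating.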