Configuring DoS Security

This section explains how to configure the Oracle Communications Session Border Controller for DoS protection.

Configuration Overview

Configuring Oracle Communications Session Border Controller DoS protection includes masking source IP and port parameters so that one entry matches more than one source, and configuring guaranteed minimum bandwidth for the trusted and untrusted signaling paths. You can also configure signaling path policing parameters for individual source addresses. Policing parameters are defined as peak data rate (in bytes/sec), average data rate (in bytes/sec), and maximum burst size.

You can configure deny list rules based on the following:

  • ingress realm
  • source IP address
  • source port
  • transport protocol (TCP/UDP)
  • application protocol (SIP or H.323)

Exercise caution when configuring ACLs, noting that the syntax of your entry is correct. The SBC sets ACL fields with incorrect syntax to their defaults.

For example, the default source IP address for an ACL is 0.0.0.0. If using dynamic ACLs, this default address can overwrite the applicable realm's default ACL. If this ACL also has the default trust level of none, it would prevent the SBC from promoting any traffic on that realm to trusted.

Confirm the syntax of your configured ACLs before you save and activate them.

Changing the Default Oracle Communications Session Border Controller Behavior

The Oracle Communications Session Border Controller automatically creates permit untrusted ACLs that let all sources (address prefix of 0.0.0.0/0) reach each configured realm’s signaling interfaces, regardless of the realm’s address prefix. To deny sources or classify them as trusted, you create static or dynamic ACLs that work alongside the global permit untrusted ACL to specifically deny sources or classify them as trusted. Doing this creates a default permit-all policy with specific deny and permit ACLs based on the realm address prefix.

You can change that behavior by configuring static ACLs for realms with the same source prefix as the realm’s address prefix, and with the trust level set to the same value as the realm. Doing this prevents the permit untrusted ACLs from being installed. You then have a default deny-all ACL policy with specific static permit ACLs to allow packets into the system.

Example 1 Limiting Access to a Specific Address Prefix Range

The following example shows how to install a permit untrusted ACL of source 12.34.0.0/16 for each signaling interface/port of a realm called access. Only packets from within the source address prefix range 12.34.0.0/16, destined for the signaling interfaces/port of the realm named access, are allowed. The packets go into untrusted queues until they are dynamically demoted or promoted based on their behavior. All other packets are denied/dropped.

  • Configure a realm called access and set the trust level to low and the address prefix to 12.34.0.0/16.
  • Configure a static ACL with a source prefix of 12.34.0.0/16 with the trust level set to low for the realm named access.

Example 2 Classifying the Packets as Trusted

Building on Example 1, this example shows how to classify all packets from 12.34.0.0/16 to the realm signaling interfaces as trusted and place them in a trusted queue. All other packets from outside the prefix range destined to the realm’s signaling interfaces are allowed and classified as untrusted; then promoted or demoted based on behavior.

You do this by adding a global permit untrusted ACL (source 0.0.0.0) for each signaling interface/port of the access realm. You configure a static ACL with a source prefix 12.34.0.0/16 and set the trust level to high.

Adding this ACL causes the Oracle Communications Session Border Controller to also add a permit trusted ACL with a source prefix of 12.34.0.0/16 for each signaling interface/port of the access realm. This ACL is added because the trust level of the ACL you just added is high and the realm’s trust level is set to low. The trust levels must match to remove the global permit trusted ACL.

Example 3 Installing Only Static ACLs

This example shows you how to prevent the Oracle Communications Session Border Controller from installing the global permit (0.0.0.0) untrusted ACL.

  • Configure a realm with a trust level of none.
  • Configure static ACLs for that realm with the same source address prefix as the realm’s address prefix, and set the trust level to any value.

The system installs only the static ACLs you configure.

Access Control List Configuration

To configure access control lists:

  1. Access the access-control configuration element.
    ACMEPACKET# configure terminal
    ACMEPACKET(configure)# session-router
    ACMEPACKET(session-router)# access-control
    ACMEPACKET(access-control)#
  2. Type select to choose and configure an existing object.
    ACMEPACKET(access-control)# select
    <src-ip>:
    1: src 0.0.0.0; 0.0.0.0; realm01; ; ALL
  3. realm-id—Enter the ID of the host’s ingress realm.
  4. source-address—Enter the source IPv4 address and port number for the host in the following format:
    <IP address>[/<number of address bits>][:<port>[/<port bits>]]

    For example:

    10.0.0.1/24:5000/14
    10.0.0.1/16
    10.0.0.1/24:5000
    10.0.0.1:5000

    You do not need to specify the number of address bits if you want all 32 bits of the address to be matched. You also do not need to specify the port bits if you want the exact port number matched. If you do not set the port mask value or if you set it to 0, the exact port number will be used for matching. The default value is 0.0.0.0.

  5. destination-address—(Ignored if you configure an application protocol in step 6.) Enter the destination IPv4 address and port for the destination in the following format:
    <IP address>[/<number of address bits>][:<port>[/<port bits>]]

    You do not need to specify the number of address bits if you want all 32 bits of the address to be matched. You also do not need to specify the port bits if you want the exact port number matched. If you do not set the port mask value or if you set it to 0, the exact port number will be used for matching. The default value is 0.0.0.0.

  6. application-protocol—Enter the application protocol type for this ACL entry. The valid values are:
    • SIP | H.323 | None

      Note:

      If application-protocol is set to none, the destination-address and port are used for matching. Ensure that your destination-address is set to a value other than the default (0.0.0.0).
  7. transport-protocol—Select the transport-layer protocol configured for this ACL entry. The default value is ALL. The valid values are:
    • ALL | TCP | UDP

  8. access—Enter the access control type or trusted list based on the trust-level parameter configuration for this host. The default value is permit. The valid values are:
    • permit—Puts the entry into the untrusted list. The entry is promoted or demoted according to the trust level set for this host.

    • deny—Puts the entry in the deny list.

  9. average-rate-limit—Indicate the sustained rate in bytes per second for host path traffic from a trusted source within the realm. The default value is 0. A value of 0 means policing is disabled. The valid range is:
    • Minimum—0

    • Maximum—999999999

  10. trust-level—Indicate the trust level for the host with the realm. The default value is none. The valid values are:
    • none—Host is always untrusted. It is never promoted to the trusted list or demoted to the deny list.

    • low—Host can be promoted to the trusted list or demoted to the deny list.

    • medium—Host can be promoted to the trusted list but is only demoted to untrusted. It is never added to the deny list.

    • high—Host is always trusted.

  11. invalid-signal-threshold—Enter the number of invalid signaling messages that trigger host demotion. The value you enter here is only valid when the trust level is low or medium. Available values are:
    • Minimum—Zero (0) is disabled.

    • Maximum—999999999

      If the number of invalid messages exceeds this value based on the tolerance window parameter, configured in the media manager, the host is demoted.

      The tolerance window default is 30 seconds. Bear in mind, however, that the system uses the same calculation it uses for specifying "recent" statistics in show commands to determine when the number of signaling messages exceeds this threshold. This calculation specifies a consistent start time for each time period to compensate for the fact that the event time, such as a user running a show command, almost never falls on a time-period's border. This provides more consistent periods of time for measuring event counts.

      The result is that this invalid signal count increments for two tolerance windows, 60 seconds by default, within which the system monitors whether or not to demote the host. The signal count for the current tolerance window is always added to the signal count of the previous tolerance window and compared against your setting.

  12. maximum-signal-threshold—Set the maximum number of signaling messages the host can send within the tolerance window. The value you enter here is only valid when the trust level is low or medium. The default value is 0, disabling this parameter. The valid range is:
    • Minimum—0

    • Maximum—999999999

      If the number of messages received exceeds this value within the tolerance window, the host is demoted.

  13. untrusted-signal-threshold—Set the maximum number of untrusted messages the host can send within the tolerance window. Use this parameter to configure different values for trusted and untrusted endpoints for valid signaling message parameters. It is also configurable per realm. The default value is 0, disabling this parameter. The valid range is:
    • Minimum—0

    • Maximum—999999999

  14. deny-period—Indicate the time period in seconds after which the entry for this host is removed from the deny list. The default value is 30. The valid range is:
    • Minimum—0

    • Maximum—999999999

  15. nat-trust-threshold—Enter the number of endpoints behind a NAT that must be denied for the Oracle Communications Session Border Controller to demote the NAT device itself to denied (dynamic demotion of NAT devices). The default is 0, meaning dynamic demotion of NAT devices is disabled. The range is from 0 to 65535.

    The following example shows access control configured for a host in the external realm.

    access-control
            realm-id                       external
            source-address                 192.168.200.215
            destination-address            192.168.10.2:5000
            application-protocol           SIP
            transport-protocol             ALL
            access                         permit
            average-rate-limit             3343
            trust-level                    low
            invalid-signal-threshold       5454
            maximum-signal-threshold       0
            untrusted-signal-threshold     0
            deny-period                    0

    The following example shows how to configure a blocklist entry:

    access-control
            realm-id                       external
            source-address                 192.168.200.200
            destination-address            192.168.10.2:5000
            application-protocol           SIP
            transport-protocol             ALL
            access                         deny
            average-rate-limit             0
            trust-level                    none
            invalid-signal-threshold       0
            maximum-signal-threshold       0
            untrusted-signal-threshold     0
            deny-period                    0
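
The address syntax from steps 4 and 5, together with the ACL pitfalls noted at the start of this section, worked as an added example in Python (not Oracle's code and not the SBC's own matching logic). It assumes that port bits work like address bits, as the number of high-order bits of the port that must match; check_acl_entry and its field names are hypothetical helpers.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Address syntax from the access-control procedure on this page:
#   <IP address>[/<address bits>][:<port>[/<port bits>]]
_ADDR_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:/(?P<abits>\d{1,2}))?"
    r"(?::(?P<port>\d{1,5})(?:/(?P<pbits>\d{1,2}))?)?$"
)


@dataclass(frozen=True)
class AddrSpec:
    ip: int               # IPv4 address as an integer
    addr_bits: int        # address bits to match; omitted = 32 (whole address)
    port: Optional[int]   # None = no port given, so any port matches
    port_bits: int        # omitted or 0 = exact port; else high-order port bits to match


def parse_addr_spec(text: str) -> AddrSpec:
    """Parse a source-/destination-address value; raise ValueError on bad syntax."""
    m = _ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad address syntax: {text!r}")
    ip = int(ipaddress.IPv4Address(m.group("ip")))  # also rejects octets above 255
    abits = int(m.group("abits")) if m.group("abits") is not None else 32
    port = int(m.group("port")) if m.group("port") is not None else None
    pbits = int(m.group("pbits")) if m.group("pbits") is not None else 0
    if abits > 32:
        raise ValueError(f"address bits out of range: {abits}")
    if port is not None and port > 65535:
        raise ValueError(f"port out of range: {port}")
    if pbits > 16:
        raise ValueError(f"port bits out of range: {pbits}")
    return AddrSpec(ip, abits, port, pbits)


def is_valid_addr(text: str) -> bool:
    """True when the value would survive a save without being reset to its default."""
    try:
        parse_addr_spec(text)
        return True
    except ValueError:
        return False


def _prefix_mask(bits: int, width: int) -> int:
    """Mask selecting the top `bits` bits of a `width`-bit value."""
    return ((1 << width) - 1) & ~((1 << (width - bits)) - 1)


def matches(spec: AddrSpec, src_ip: str, src_port: int) -> bool:
    """Does a packet's source IP:port fall inside the masked ACL address?"""
    amask = _prefix_mask(spec.addr_bits, 32)
    if (int(ipaddress.IPv4Address(src_ip)) & amask) != (spec.ip & amask):
        return False
    if spec.port is None:
        return True
    # Port mask omitted or 0: the exact port number is used for matching.
    pmask = _prefix_mask(spec.port_bits or 16, 16)
    return (src_port & pmask) == (spec.port & pmask)


def check_acl_entry(entry: Dict[str, str]) -> List[str]:
    """Pre-save checks for the ACL pitfalls this page calls out; returns the problems found."""
    problems = []
    src = entry.get("source-address", "0.0.0.0")
    dst = entry.get("destination-address", "0.0.0.0")
    for name, value in (("source-address", src), ("destination-address", dst)):
        if not is_valid_addr(value):
            # The SBC resets a field with bad syntax to its default instead of rejecting it.
            problems.append(f"{name} {value!r}: bad syntax, would be reset to 0.0.0.0")
    if entry.get("application-protocol", "none").lower() == "none" and dst.startswith("0.0.0.0"):
        problems.append("application-protocol none needs a non-default destination-address")
    if (src == "0.0.0.0" and entry.get("access", "permit") == "permit"
            and entry.get("trust-level", "none") == "none"):
        # Heuristic for the dynamic-ACL caveat above: a default-address, trust-level none
        # ACL can overwrite the realm's default ACL and block promotion to trusted.
        problems.append("source 0.0.0.0 with trust-level none may block promotion on the realm")
    return problems
```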

Packet Loss Alarms for Access Control Lists

The Oracle Communications Session Border Controller reports packet loss on traffic associated with Access Control Lists (ACLs) using alarms. These alarms use the Oracle Communications Session Border Controller's system alarm management and user display mechanisms. The user can configure three media-manager parameters to set thresholds for these alarms.

Packet drops occur when the system enforces its traffic management rules. These alarms require user configuration using media manager threshold parameters as a percentage of traffic for each type of ACL. When traffic volume exceeds these thresholds, the Oracle Communications Session Border Controller generates these alarms every 30 seconds until the traffic falls back below the threshold. The system synchronizes this configuration and current status with High Availability (HA) processes, maintaining these alarms across failover events.

The Oracle Communications Session Border Controller ACL traffic categories that have complementary alarms are Untrusted ACL and Trusted ACL.

The applicable media manager threshold parameters include:

  • untrusted-drop-threshold
  • trusted-drop-threshold

Applicable alarms include:

  • ACL_UNTRUSTED_DROP_OVER_THRESHOLD
  • ACL_TRUSTED_DROP_OVER_THRESHOLD

The syntax below shows how to set the untrusted drop threshold.

OC-SBC>enable
OC-SBC#configure terminal
OC-SBC(config)#media-manager
OC-SBC(media-manager)#media-manager-config
OC-SBC(media-manager-config)#select
OC-SBC(media-manager-config)#untrusted-drop-threshold 70
OC-SBC(media-manager-config)#done

Refer to the platform support table above. The range for all thresholds is 0 to 100, with defaults of 0. The default of 0 disables the threshold. All of these parameters are real-time configurable.

Packet Loss Trap for Access Control Lists

You can configure the Oracle Communications Session Border Controller (SBC) to generate an SNMP trap upon the expiration of a configurable time period during which the ACL packet drop ratio has exceeded a configured drop threshold. This trap reports the total number of dropped packets in that time period. The feature is disabled by default, and requires SNMP traps and DoS enabled.

To enable this feature, set either the untrusted-drop-threshold or the trusted-drop-threshold field in media-manager to a non-zero value between 1-100, then save and activate configuration changes. To disable, set both back to zero. Changes to these parameters do not require a reboot.

The feature also uses the media-manager's acl-monitor-window to specify the monitoring window. The default value is 30 seconds, and the range is 5 to 3600 seconds. To change the monitoring window, set the acl-monitor-window to the desired value in seconds. Changes to the acl-monitor-window require a reboot.

This SNMP trap includes the following information:

  • The drop type (which is the same as the ACL type)
  • The number of dropped packets during the monitored time period.
  • The drop ratio during the monitored time period, reported as permillage (per thousand).

If the monitoring period expires and the percentage of dropped packets in that period is below the configured percentage value, the system does not send the trap, but does create a log entry in log.platform with the dropped packet value.

The following MIB objects are included in the ap-agentcapability.mib to support this feature.

apAclDropMibCapabilities 1.3.6.1.4.1.9148.2.1.31
apAclDropCap 1.3.6.1.4.1.9148.2.1.31.1
description "Acme Packet Agent Capability for ACL drop monitoring MIB"

The ap-apps.mib includes the following MIB objects to support this feature.

apAppsAclNotif 1.3.6.1.4.1.9148.3.16.2.2.4
apAppsAclNotifications 1.3.6.1.4.1.9148.3.16.2.2.4.0
apAclDropOverThresholdTrap 1.3.6.1.4.1.9148.3.16.2.2.4.0.1
description "The trap will be generated when acl drop ratio has exceeded the configured threshold"

apAclDropOverThresholdClearTrap 1.3.6.1.4.1.9148.3.16.2.2.4.0.2
description "The trap will be generated when acl drop ratio has gone below the configured threshold"

apAclNotificationGroups 1.3.6.1.4.1.9148.3.16.3.2.4
apAclDropNotificationsGroup 1.3.6.1.4.1.9148.3.16.3.2.4.1
description "Traps to monitor acl drops"

apAppsAclObjects 1.3.6.1.4.1.9148.3.16.4
apAclDropObjects 1.3.6.1.4.1.9148.3.16.4.1
apAclDropType 1.3.6.1.4.1.9148.3.16.4.1.1
description "ACL drop type"

apAclDropCount 1.3.6.1.4.1.9148.3.16.4.1.2
description "ACL drop count within monitor time window"

apAclDropRatio 1.3.6.1.4.1.9148.3.16.4.1.3
description "ACL drop ratio as permillage of current time window. Valid range 0-1000"

This feature is supported on HA configurations.
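
The window-close decision described above (over-threshold trap, clear trap, or a log.platform entry, with the threshold configured in percent and apAclDropRatio reported in permillage), as an added Python model that is not Oracle's implementation; AclDropMonitor, its method names and the packet counts in the test are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Outcomes as the page names them: the two traps and the log.platform fallback entry.
OVER_TRAP = "apAclDropOverThresholdTrap"
CLEAR_TRAP = "apAclDropOverThresholdClearTrap"
LOG_ONLY = "log.platform"


class AclDropMonitor:
    """Closes one acl-monitor-window at a time and decides trap, clear trap, or log entry."""

    def __init__(self, thresholds: Dict[str, int], acl_monitor_window: int = 30):
        # thresholds: drop type ("trusted" / "untrusted") -> percent 1-100; 0 disables it
        if not 5 <= acl_monitor_window <= 3600:
            raise ValueError("acl-monitor-window must be 5-3600 seconds")
        for pct in thresholds.values():
            if not 0 <= pct <= 100:
                raise ValueError("drop thresholds are percentages, 0-100")
        self.thresholds = thresholds
        self.window = acl_monitor_window
        self._counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # [total, dropped]
        self._over: Dict[str, bool] = defaultdict(bool)  # currently above threshold?

    def record(self, drop_type: str, passed: int, dropped: int) -> None:
        """Add packet counts for one ACL type within the current window."""
        c = self._counts[drop_type]
        c[0] += passed + dropped
        c[1] += dropped

    @staticmethod
    def permillage(dropped: int, total: int) -> int:
        """apAclDropRatio: drop ratio as permillage of the window, 0-1000."""
        return (dropped * 1000) // total if total else 0

    def close_window(self) -> List[Tuple[str, str, int, int]]:
        """End the monitoring window; return (event, apAclDropType, apAclDropCount, apAclDropRatio)."""
        events = []
        for drop_type, pct in self.thresholds.items():
            if not pct:
                continue                      # 0 disables monitoring for this ACL type
            total, dropped = self._counts[drop_type]
            ratio = self.permillage(dropped, total)
            if ratio > pct * 10:              # percent threshold compared with a permillage ratio
                events.append((OVER_TRAP, drop_type, dropped, ratio))
                self._over[drop_type] = True
            elif self._over[drop_type]:       # was over, now at or below: clear trap
                events.append((CLEAR_TRAP, drop_type, dropped, ratio))
                self._over[drop_type] = False
            else:                             # below threshold: no trap, only a log entry
                events.append((LOG_ONLY, drop_type, dropped, ratio))
        self._counts.clear()
        return events
```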

Host Access Policing

You can configure the Oracle Communications Session Border Controller to police the overall bandwidth of the host path.

To configure host access policing:

  1. Access the media-manager-config configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# media-manager
    ORACLE(media-manager)# media-manager
    ORACLE(media-manager-config)# 
  2. Type select to begin editing.
    ORACLE(media-manager-config)# select
    
    ORACLE(media-manager-config)#
  3. max-signaling-bandwidth—Set the maximum bandwidth available for the host path in bytes per second, which includes signaling messages from trusted sources, untrusted sources, and any management traffic on media ports. This setting applies to the following platforms, only: Acme Packet 4600, Acme Packet 6100, Acme Packet 6300, and Acme Packet 6350. Default: 1000000. Range: 71000-10000000.
  4. max-signaling-packet—Set the maximum bandwidth available for the host path in packets per second, which includes signaling messages from trusted sources, untrusted sources, and any management traffic on media ports. This setting applies to the following platforms, only: Acme Packet 1100, Acme Packet 3900, Acme Packet 3950, Acme Packet 4900, and virtual. The default setting corresponds to the maximum value allowed by the platform, as follows:
    • Acme Packet 1100: 10000
    • Acme Packet 3900: 40000
    • Acme Packet 3950/4900: 110000
    • Virtual: System dependent.
  5. max-untrusted-signaling—Set the percentage of the maximum signaling bandwidth you want to make available for messages coming from untrusted sources. This bandwidth is available only when not being used by trusted sources. Default: 100. Range:1-100.
  6. min-untrusted-signaling—Set the percentage of the maximum signaling bandwidth you want reserved for untrusted sources. The rest of the bandwidth is available for trusted resources, but can also be used for untrusted sources per max-untrusted-signaling. Default: 30. Range: 1-100.
  7. fragment-msg-bandwidth—(Only available on the Acme Packet 3820 and Acme Packet 4500) Enter the amount of bandwidth to use for the fragment packet queue. When set to 0, the Oracle Communications Session Border Controller uses the same queue for, and shares bandwidth between, untrusted packets and fragment packets. Default: zero. Range: 0-10000000.
  8. tolerance-window—Set the size of the window used to measure host access limits for measuring the invalid message rate and maximum message rate for the realm configuration. Default: 30. Range: 0-999999999.
  9. Save and activate the configuration.

Configuring ARP Flood Protection

You do not need to configure the Oracle Communications Session Border Controller to enable the use of two separate ARP queues; that feature is enabled automatically.

If you want to configure the ARP queue policing rate, you can do so in the media manager configuration.

Note:

This feature is not RTC-supported, and you must reboot your Oracle Communications Session Border Controller in order for your configuration changes to take effect.

To set the ARP queue policing rate:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type media-manager and press Enter.
    ORACLE(configure)# media-manager
    ORACLE(media-manager)#
  3. Type media-manager and press Enter.
    ORACLE(media-manager)# media-manager
    ORACLE(media-manager-config)#
  4. arp-msg-bandwidth—Enter the rate at which you want the Oracle Communications Session Border Controller to police the ARP queue; the value you enter is the bandwidth limitation in bytes per second. The default value is 32000. The valid range is:
    • Minimum—2000

    • Maximum—200000

  5. Save your configuration.
  6. Reboot your Oracle Communications Session Border Controller.

Access Control for a Realm

Each host within a realm can be policed based on average rate, peak rate, and maximum burst size of signaling messages. These parameters take effect only when the host is trusted. You can also set the trust level for the host within the realm. All untrusted hosts share the bandwidth defined for the media manager: maximum untrusted bandwidth and minimum untrusted bandwidth.

To configure access control for a realm:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type media-manager and press Enter to access the system-level configuration elements.
    ORACLE(configure)# media-manager
  3. Type realm-config and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters.
    ORACLE(media-manager)# realm-config
    ORACLE(realm-config)#
  4. addr-prefix—Set the IP address prefix used to determine if an IP address is associated with the realm. This value is then associated with the ACLs you create to determine packet access. The default value is 0.0.0.0.
  5. average-rate-limit—Set the sustained rate for host path traffic from a trusted source within the realm in bytes per second. The default value is zero (0), disabling this parameter. The valid range is:
    • Minimum—0

    • Maximum—4294967295

  6. access-control-trust-level—Set the trust level for the host within the realm. The default value is none. The valid values are:
    • none—Host is always untrusted. It is never promoted to the trusted list or demoted to the deny list.

    • low—Host can be promoted to the trusted list or demoted to the deny list.

    • medium—Host can be promoted to the trusted list but is only demoted to untrusted. It is never added to the deny list.

    • high—Host is always trusted.

  7. invalid-signal-threshold—Enter the number of invalid signaling messages that trigger host demotion. The value you enter here is only valid when the trust level is low or medium. Available values are:
    • Minimum—Zero (0) is disabled.

    • Maximum—999999999

      If the number of invalid messages exceeds this value based on the tolerance window parameter, configured in the media manager, the host is demoted.

      The tolerance window default is 30 seconds. Bear in mind, however, that the system uses the same calculation it uses for specifying "recent" statistics in show commands to determine when the number of signaling messages exceeds this threshold. This calculation specifies a consistent start time for each time period to compensate for the fact that the event time, such as a user running a show command, almost never falls on a time-period's border. This provides more consistent periods of time for measuring event counts.

      The result is that this invalid signal count increments for two tolerance windows, 60 seconds by default, within which the system monitors whether or not to demote the host. The signal count for the current tolerance window is always added to the signal count of the previous tolerance window and compared against your setting.

  8. maximum-signal-threshold—Set the maximum number of signaling messages one host can send within the window of tolerance. The host is demoted if the number of messages received by the Oracle Communications Session Border Controller exceeds the number set here. Valid only when the trust level is set to low or medium. The default value is zero (0), disabling this parameter. The valid range is:
    • Minimum—0

    • Maximum—4294967295

  9. untrusted-signal-threshold—Set the maximum number of untrusted messages the host can send within the tolerance window. Use this parameter to configure different values for trusted and untrusted endpoints for valid signaling message parameters. It is also configurable per realm. The default value is zero (0), disabling the parameter. The valid range is:
    • Minimum—0

    • Maximum—4294967295

  10. deny-period—Set the length of time an entry is posted on the deny list. The host is deleted from the deny list after this time period. The default value is 30. A value of 0 disables the parameter. The valid range is:
    • Minimum—0

    • Maximum—4294967295

  11. nat-trust-threshold—Enter the number of endpoints behind a NAT that must be denied for the Oracle Communications Session Border Controller to demote the NAT device itself to denied (dynamic demotion of NAT devices). The default is 0, meaning dynamic demotion of NAT devices is disabled. The range is from 0 to 65535.

    The following example shows a host access policing configuration.

    realm-config
            identifier                     private
            addr-prefix                    192.168.200.0/24
            network-interfaces
                                           private:0
            mm-in-realm                    disabled
            mm-in-network                  enabled
            msm-release                    disabled
            qos-enable                     disabled
            max-bandwidth                  0
            ext-policy-svr
            max-latency                    0
            max-jitter                     0
            max-packet-loss                0
            observ-window-size             0
            parent-realm
            dns-realm
            media-policy
            in-translationid
            out-translationid
            class-profile
            average-rate-limit             8000
            access-control-trust-level     medium
            invalid-signal-threshold       200
            maximum-signal-threshold       0
            untrusted-signal-threshold     500
            deny-period                    30
            symmetric-latching             disabled
            pai-strip                      disabled
            trunk-context
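
The two-window invalid-signal count and the per-trust-level demotion rules from steps 6 and 7 above (the same parameters appear in the access-control element earlier), as an added Python model that is not Oracle's implementation. Assumptions: a demotion moves the host one step down (trusted, untrusted, denied) with medium stopping at untrusted; counters restart after a demotion; maximum-signal-threshold is checked within the current window only; and deny-period 0 leaves the entry on the deny list.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional

# Host states, ordered from most to least restricted.
STATES = ["denied", "untrusted", "trusted"]


@dataclass
class HostPolicy:
    trust_level: str                    # none | low | medium | high
    invalid_signal_threshold: int = 0   # 0 = disabled
    maximum_signal_threshold: int = 0   # 0 = disabled
    tolerance_window: int = 30          # media-manager tolerance-window, seconds
    deny_period: int = 30               # seconds on the deny list; assumption: 0 = no expiry


@dataclass
class HostState:
    state: str
    denied_at: Optional[float] = None
    invalid: Dict[int, int] = field(default_factory=lambda: defaultdict(int))  # window -> count
    total: Dict[int, int] = field(default_factory=lambda: defaultdict(int))    # window -> count


class HostDemotion:
    """Models demotion of one host under the thresholds described above."""

    def __init__(self, policy: HostPolicy):
        self.policy = policy
        # high is always trusted; every other level enters through the untrusted list.
        self.host = HostState("trusted" if policy.trust_level == "high" else "untrusted")

    def _window(self, t: float) -> int:
        # Consistent window start: the clock is cut into whole tolerance windows, so a
        # window never begins at the instant an event happens to occur.
        return int(t // self.policy.tolerance_window)

    def _demote(self) -> None:
        level, host = self.policy.trust_level, self.host
        if level in ("none", "high"):          # never demoted
            return
        floor = 1 if level == "medium" else 0  # medium stops at untrusted; low can be denied
        host.state = STATES[max(floor, STATES.index(host.state) - 1)]  # assumption: one step
        host.invalid.clear()                   # assumption: counters restart after a demotion
        host.total.clear()

    def on_message(self, t: float, valid: bool = True) -> str:
        """Account one signaling message at time t (seconds); return the host's state after it."""
        host, p = self.host, self.policy
        if host.state == "denied":
            if p.deny_period and t - host.denied_at >= p.deny_period:
                host.state, host.denied_at = "untrusted", None  # removed from the deny list
            else:
                return "denied"                                 # still denied: message dropped
        w = self._window(t)
        host.total[w] += 1
        if not valid:
            host.invalid[w] += 1
        # invalid-signal-threshold: current window plus the previous one (60 s by default).
        invalid_recent = host.invalid[w] + host.invalid[w - 1]
        # maximum-signal-threshold: messages within the current tolerance window.
        over_invalid = p.invalid_signal_threshold and invalid_recent > p.invalid_signal_threshold
        over_max = p.maximum_signal_threshold and host.total[w] > p.maximum_signal_threshold
        if over_invalid or over_max:
            self._demote()
            if host.state == "denied":
                host.denied_at = t
        return host.state
```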

Configuring Overload Protection for Session Agents

The Oracle Communications Session Border Controller offers two methods to control SIP registrations to smooth the registration flow.

You can limit the:

  • number of new register requests sent to a session agent (using the max-register-sustain-rate parameter)
  • burstiness which can be associated with SIP registrations

The first method guards against the Oracle Communications Session Border Controller’s becoming overwhelmed with register requests, while the second method guards against a transient registration that can require more than available registration resources.

SIP registration burst rate control allows you to configure two new parameters per SIP session agent—one that controls the registration burst rate to limit the number of new registration requests, and a second to set the time window for that burst rate. When the registration rate exceeds the burst rate you set, the Oracle Communications Session Border Controller responds to new registration requests with 503 Service Unavailable messages.

Note that this constraint is not applied to re-registers resulting from a 401 Unauthorized challenge request.

To configure overload protection for session agents:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type session-router and press Enter to access the system-level configuration elements.
    ORACLE(configure)# session-router
  3. Type session-agent and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters.
    ORACLE(session-router)# session-agent
    ORACLE(session-agent)#
  4. constraints—Enable this parameter to set the sustained rate window constraint you configure in the next step. The default value is disabled. The valid values are:
    • enabled | disabled

  5. sustain-rate-window—Enter a number to set the sustained window period (in milliseconds) that is used to measure the sustained rate. The default value is zero (0). The valid range is:
    • Minimum—10

    • Maximum—4294967295

      The value you set here must be higher than or equal to the value you set for the burst rate window.

      Note:

      If you are going to use this parameter, you must set it to a minimum value of 10.
  6. max-register-sustain-rate—Enter a number to set the maximum number of registrations per second you want sent to the session agent. The default value is zero (0), disabling the parameter. The valid range is:
    • Minimum—0

    • Maximum—4294967295

  7. register-burst-window—Define the window size in seconds for the maximum number of allowable SIP registrations. 0 is the minimum and default value for this parameter; the maximum value is 999999999.
  8. max-register-burst-rate—Enter the maximum number of new registrations you want this session agent to accept within the registration burst rate window. If this threshold is exceeded, the Oracle Communications Session Border Controller will respond to new registration requests with 503 Service Unavailable messages. 0 is the minimum and default value for this parameter; the maximum value is 999999999.
  9. Save and activate your configuration.
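
The registration burst and sustained-rate limits above, as an added Python model (not Oracle's code). It assumes both windows are compared in milliseconds when validating, that the sustained limit is enforced as rate times window, that exceeding it is answered with 503 like the burst case, and that a 401 challenge is matched to its re-register by Call-ID.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Set


@dataclass
class RegLimitConfig:
    """session-agent parameters from the procedure above (units as documented there)."""
    constraints: bool = False           # enabled | disabled
    sustain_rate_window: int = 0        # milliseconds; must be at least 10 when used
    max_register_sustain_rate: int = 0  # registrations per second; 0 = disabled
    register_burst_window: int = 0      # seconds; 0 = disabled
    max_register_burst_rate: int = 0    # registrations per burst window; 0 = disabled

    def validate(self) -> List[str]:
        """Return the configuration problems the procedure warns about (empty = fine)."""
        problems = []
        if self.max_register_sustain_rate and not self.constraints:
            problems.append("max-register-sustain-rate needs constraints enabled")
        if self.max_register_sustain_rate and self.sustain_rate_window < 10:
            problems.append("sustain-rate-window must be at least 10 when used")
        # Assumption: both windows compared in milliseconds (register-burst-window is in seconds).
        if (self.max_register_sustain_rate and self.max_register_burst_rate
                and self.sustain_rate_window < self.register_burst_window * 1000):
            problems.append("sustain-rate-window must be >= register-burst-window")
        return problems


class RegisterLimiter:
    """Decides whether a new REGISTER is forwarded to the session agent or answered 503."""

    def __init__(self, cfg: RegLimitConfig):
        self.cfg = cfg
        self.burst: Deque[float] = deque()    # arrival times (s) inside the burst window
        self.sustain: Deque[float] = deque()  # arrival times (s) inside the sustain window
        self.challenged: Set[str] = set()     # Call-IDs answered with 401 Unauthorized

    def challenge(self, call_id: str) -> None:
        """Record that a REGISTER was answered with a 401 challenge."""
        self.challenged.add(call_id)

    @staticmethod
    def _prune(q: Deque[float], now: float, window_s: float) -> None:
        while q and now - q[0] >= window_s:
            q.popleft()

    def on_register(self, now: float, call_id: str) -> str:
        """Return 'forward' or '503' for a REGISTER arriving at time now (seconds)."""
        cfg = self.cfg
        if call_id in self.challenged:
            # A re-register answering a 401 challenge is not subject to the constraint.
            self.challenged.discard(call_id)
            return "forward"
        if cfg.register_burst_window and cfg.max_register_burst_rate:
            self._prune(self.burst, now, cfg.register_burst_window)
            if len(self.burst) >= cfg.max_register_burst_rate:
                return "503"     # burst rate exceeded: 503 Service Unavailable
        if cfg.constraints and cfg.max_register_sustain_rate and cfg.sustain_rate_window >= 10:
            window_s = cfg.sustain_rate_window / 1000.0
            self._prune(self.sustain, now, window_s)
            if len(self.sustain) >= cfg.max_register_sustain_rate * window_s:
                return "503"     # assumption: over the sustained rate is answered 503 as well
        self.burst.append(now)
        self.sustain.append(now)
        return "forward"
```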

DDoS Protection from Devices Behind a NAT

A DDoS attack could be crafted such that multiple devices from behind a single NAT could overwhelm the Oracle Communications Session Border Controller. The Oracle Communications Session Border Controller would not detect this as a DDoS attack because each endpoint would have the same source IP but multiple source ports. Because the Oracle Communications Session Border Controller allocates a different CAM entry for each source IP:Port combination, this attack will not be detected. This feature remedies such a possibility.

Restricting the Number of Endpoints behind a NAT

Each new source IP address and source IP port combination now counts as an endpoint for a particular NAT device. After the configured value of a single NAT’s endpoints is reached, subsequent messages from behind that NAT are dropped and the NAT is demoted. This is set with the max-endpoints-per-nat parameter located in both the access-control and realm-config configuration elements.

Counting Invalid Messages from Endpoints behind a NAT

The Oracle Communications Session Border Controller also counts the number of invalid messages sent from endpoints behind the NAT. Once a threshold is reached, that NAT is demoted. Numerous conditions are counted as errors/invalid messages from an endpoint. The aggregate of all messages from endpoints behind the NAT is counted against the NAT device, in addition to the existing count against the endpoint. This threshold is set with the nat-invalid-message-threshold parameter located in both the access-control and realm-config configuration elements.

As a unique case, the absence of a REGISTER message following a 401 response is counted as an invalid message from the endpoint. If that endpoint is behind a NAT, this scenario is counted as an invalid message from that NAT device as well. You set a timeout period within which the REGISTER message must arrive at the Oracle Communications Session Border Controller. This period is set with the wait-time-for-invalid-register parameter located in the realm-config.

DDoS Protection Configuration realm-config

To set the DDoS Protection from devices behind NATs in the realm-config:

  1. Access the realm-config configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# media-manager
    ORACLE(media-manager)# realm-config
    ORACLE(realm-config)# 
  2. Select the realm-config object to edit.
    ORACLE(realm-config)# select
    identifier:
    1: realm01 left-left:0 0.0.0.0
    
    selection: 1
    ORACLE(realm-config)#
  3. max-endpoints-per-nat—Set the maximum number of endpoints that can exist behind a NAT before demoting the NAT device. Valid values are 0-65535, with 0 disabling this feature. This parameter is also found in the access control configuration element.
  4. nat-invalid-message-threshold—Set the maximum number of invalid messages that may originate behind a NAT before demoting the NAT device. Valid values are 0-65535, with 0 disabling this feature. This parameter is also found in the access control configuration element.
  5. wait-time-for-invalid-register—Set the period (in seconds) that the Oracle Communications Session Border Controller counts before considering the absence of the REGISTER message as an invalid message.
  6. Type done to save your configuration.

DDoS Protection Configuration access-control

To set the DDoS Protection from devices behind NATs in the access-control configuration element:

  1. Access the access-control configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# session-router
    ORACLE(session-router)# access-control
    ORACLE(access-control)#
  2. Type select to choose and configure an existing object.
    ORACLE(access-control)# select
    <src-ip>:
    1: src 0.0.0.0; 0.0.0.0; realm01; ; ALL
    selection:1
  3. max-endpoints-per-nat—Set the maximum number of endpoints that can exist behind a NAT before demoting the NAT device. Valid values are 0-65535, with 0 disabling this feature. This parameter is also found in the realm-config configuration element.
  4. nat-invalid-message-threshold—Set the maximum number of invalid messages that may originate behind a NAT before demoting the NAT device. Valid values are 0-65535, with 0 disabling this feature. This parameter is also found in the realm-config configuration element.
  5. Type done to save your work and continue.

SNMP Trap support

The Oracle Communications Session Border Controller sends the following trap when a NAT device is blocklisted due to the triggers listed. The trap does not include reasons, which are available from the syslogs.

apSysMgmtExpDOSTrap     NOTIFICATION-TYPE
        OBJECTS         { apSysMgmtDOSIpAddress,  apSysMgmtDOSRealmID ,
                          apSysMgmtDOSFromUri }
        STATUS          deprecated
        DESCRIPTION
              "This trap is generated when an IP is placed on a blocklist due
              to denial-of-service attempts, and provides the IP address that
              has been demoted, the realm-id of that IP, and (if available)
              the URI portion of the SIP From header of the message that
              caused the demotion."
        ::= { apSysMgmtDOSNotifications 2 }

Ensure that the enable-snmp-monitor-traps parameter in the system-config configuration element is enabled for the Oracle Communications Session Border Controller to send out this trap.

Syslog Support

Set the syslog-on-demote-to-deny parameter in the media-manager-config to enabled to generate a syslog message on endpoint demotion from untrusted to deny. NAT device demotion also generates a distinct syslog message whose text explains that it is a NAT device demotion event.

Debugging

The show sipd acl command now includes counts of blocked NAT devices.

ACMEPACKET# show sipd acl
13:57:28-71
SIP ACL Status            -- Period -- -------- Lifetime --------
                Active    High   Total      Total  PerMax    High
Total Entries        0       0       0          0       0       0
Trusted              0       0       0          0       0       0
Blocked              0       0       0          0       0       0
Blocked NATs         0       0       0          0       0       0
ACL Operations         ---- Lifetime ----
                Recent      Total  PerMax
ACL Requests         0          0       0
Bad Messages         0          0       0
Promotions           0          0       0
Demotions            0          0       0
Trust->Untrust       0          0       0
Untrust->Deny        0          0       0

DoS Threshold Configuration

This section describes how to configure DoS traffic thresholds to alert you of high traffic conditions.

  1. Access the media-manager configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# media-manager
    ORACLE(media-manager)# media-manager
    ORACLE(media-manager-config)# select
  2. dos-guard-window—Specifies the window of time for measuring traffic volume within which the DoS alert thresholds may be triggered. When the window expires, the system checks to see if the traffic has fallen below the configured thresholds. If so, the system sets the counters back to zero. If not, the system waits for the duration of the window and checks again. The system does this 5 times.
  3. untrusted-minor-threshold—Defines the percentage of the untrusted bandwidth that triggers a minor alert for this threshold. When triggered, the system sends an alarm and a trap. Set the value to zero to disarm this threshold for alert events.
  4. untrusted-major-threshold—Specifies the percentage of the untrusted bandwidth that triggers a major alert for this threshold. When triggered, the system sends an alarm and a trap. Set the value to zero to disarm this threshold for alert events.
  5. untrusted-critical-threshold—Specifies the percentage of the untrusted bandwidth that triggers a critical alert for this threshold. When triggered, the system sends an alarm and a trap. Set the value to zero to disarm this threshold for alert events.
  6. trusted-minor-threshold—Specifies the percentage of the trusted bandwidth that triggers a minor alert for this threshold. When triggered, the system sends an alarm and a trap. Set the value to zero to disarm this threshold for alert events.
  7. trusted-major-threshold—Specifies the percentage of the trusted bandwidth that triggers a major alert for this threshold. When triggered, the system sends an alarm and a trap. Set the value to zero to disarm this threshold for alert events.
  8. trusted-critical-threshold—Specifies the percentage of the trusted bandwidth that triggers a critical alert for this threshold. When triggered, the system sends an alarm and a trap. Set the value to zero to disarm this threshold for alert events.
  9. arp-minor-threshold—Specifies the percentage of the ARP bandwidth that triggers a minor alert for this threshold. When triggered, the system sends an alarm and a trap. Set the value to zero to disarm this threshold for alert events.
  10. arp-major-threshold—Specifies the percentage of the ARP bandwidth that triggers a major alert for this threshold. When triggered, the system sends an alarm and a trap. Set the value to zero to disarm this threshold for alert events.
  11. arp-critical-threshold—Specifies the percentage of the ARP bandwidth that triggers a critical alert for this threshold. When triggered, the system sends an alarm and a trap. Set the value to zero to disarm this threshold for alert events.
  12. Type done to save your configuration.

Configure DOS Protection at the Session Level

You configure session-level DoS protection on the SBC on either the realm-config or the session-agent element; the session-agent configuration takes precedence. This procedure performs the configuration on a realm-config, which lets it include the required realm settings that are not available on a session-agent. Even when you configure a session-agent, these settings are still required on the realm to which that session-agent belongs.

To set the dos-action-at-session parameter:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Access the media-manager branch.
    ORACLE(configure)# media-manager
    ORACLE(media-manager)#
  3. Type realm-config and press Enter.
    ORACLE(media-manager)# realm-config
    ORACLE(realm-config)#
  4. Select the applicable realm or create a new one.
  5. access-control-trust-level—For session-based DoS protection, you must set this parameter to high.
    • default - none
    • High
    • Medium
    • Low
  6. dos-action-at-session—Specify the system's behavior for reacting to session-based DoS attacks.
    • none—(default) The system takes no action during a DoS attack.
    • permit—If the endpoint initiates the DoS attack at the session level, the system can demote or deny the endpoint. At first detection of a DoS attack, the system demotes the endpoint from trusted to untrusted. If there is a second DoS attack before the UNTRUST_TMO timer expires, the system further demotes the endpoint to deny.
    • no-deny—If the endpoint initiates the DoS attack at the session level, the system can demote the endpoint to untrusted. When the UNTRUST_TMO timer expires, the system promotes the endpoint back to the trusted state.
    • session-drop—If the endpoint initiates the DoS attack at the session level, the system takes action on that session only. Specifically, the system terminates the existing session but does not demote or deny the endpoint.
    When configuring this feature on a session-agent, the value "inherit" is also available. For session-agent, "inherit" is the default value for the parameter, and instructs the system to use your session-level DoS configuration on the applicable realm-config.
  7. max-inbound-per-session-burst-rate—Defines the maximum allowed burst rate of requests and responses received in a session. The default value is 30; you can configure a higher value based on the actual packet rate.
    • default - 30
    • Range - 0 - 999999999
  8. burst-rate-window-per-session—Defines the window size (in seconds) over which the burst rate of packets in a session is monitored. A timer starts with the value configured in burst-rate-window-per-session, resets to 0 on timeout, and then restarts, so the window runs in a loop after each expiry. The default value is 1, meaning a 1-second monitoring window.
    • default - 1
    • Range - 0 - 999999999
  9. deny-period—The system uses this configured value as the window within which an endpoint can be promoted from denied to untrusted.
  10. Save your configuration.

This feature is RTC-supported.
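The dos-action-at-session behaviors above (none, permit, no-deny, session-drop) as a state machine in an added Python example that is not Oracle's code. It assumes that more than max-inbound-per-session-burst-rate messages in one burst-rate-window-per-session window counts as one DoS detection against the session's endpoint, that an endpoint starts trusted (trust level high), that UNTRUST_TMO returns an untrusted endpoint to trusted, and that deny-period returns a denied endpoint to untrusted; the untrust_tmo and deny_period values are placeholders.

```python
class SessionDosGuard:
    def __init__(self, action="none", max_burst=30, window=1, untrust_tmo=60, deny_period=30):
        self.action, self.max_burst, self.window = action, max_burst, window
        self.untrust_tmo, self.deny_period = untrust_tmo, deny_period  # seconds (assumed values)
        self.state, self.timer = {}, {}  # endpoint -> trust state; endpoint -> timer expiry
        self.windows = {}                # session -> (window start, inbound message count)
        self.dropped = set()             # sessions terminated by session-drop

    def _burst(self, session, now):
        # True when a session exceeds max-inbound-per-session-burst-rate inside one window
        start, count = self.windows.get(session, (now, 0))
        if now - start >= self.window:        # window timed out: start a fresh one
            start, count = now, 0
        count += 1
        if count > self.max_burst:
            self.windows[session] = (now, 0)  # one detection per burst, then count afresh
            return True
        self.windows[session] = (start, count)
        return False

    def inbound(self, session, endpoint, now):
        # Process one inbound message and return what the guard did with it
        self.expire(now)
        if session in self.dropped:
            return "session-dropped"
        if not self._burst(session, now):
            return "ok"
        state = self.state.get(endpoint, "trusted")   # trust level high: starts trusted
        if self.action == "none" or state == "deny":
            return "no-action"
        if self.action == "session-drop":              # act on this session only
            self.dropped.add(session)
            return "session-drop"
        if state == "trusted":                         # permit and no-deny: first detection
            self.state[endpoint] = "untrusted"
            self.timer[endpoint] = now + self.untrust_tmo
            return "demote-untrusted"
        if self.action == "permit":                    # second attack before UNTRUST_TMO expired
            self.state[endpoint] = "deny"
            self.timer[endpoint] = now + self.deny_period
            return "demote-deny"
        return "no-action"  # no-deny: stays untrusted until UNTRUST_TMO expires

    def expire(self, now):
        # untrusted -> trusted when UNTRUST_TMO expires; deny -> untrusted after deny-period (assumed)
        for ep in [e for e, t in self.timer.items() if t <= now]:
            del self.timer[ep]
            if self.state[ep] == "deny":
                self.state[ep] = "untrusted"
                self.timer[ep] = now + self.untrust_tmo
            else:
                self.state[ep] = "trusted"
```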