Levels of DoS Protection
The multi-level ECB DoS protection consists of the following strategies:
- Fast path filtering/access control—Access control for signaling packets destined for the ECB host processor as well as media (RTP) packets. The ECB performs media filtering by using the existing dynamic pinhole firewall capabilities. Fast path filtering of packets destined for the host processor requires the configuration and management of a trusted list, an untrusted list and a deny list for each ECB realm (although the actual devices can be dynamically trusted or denied by the ECB based on configuration). You do not have to provision every endpoint/device on the ECB; you can instead retain the default values.
- Host path protection—Includes flow classification, host path policing and unique signaling flow policing. Fast path filtering alone cannot protect the ECB host processor from being overwhelmed by a malicious attack from a trusted source. The host path and individual signaling flows must be policed to ensure that a volume-based attack will not overwhelm the ECB's normal call processing and, subsequently, the systems beyond it. The ECB must classify each source based on its ability to pass certain criteria that are signaling- and application-dependent. At first, each source is considered untrusted, with the possibility of being promoted to fully trusted. The ECB maintains two host paths, one for each class of traffic (trusted and untrusted), with different policing characteristics to ensure that fully trusted traffic always gets precedence.
- Host-based malicious source detection and isolation/dynamic deny list—Malicious sources can be automatically detected in real-time and denied in the fast path to block them from reaching the host processor.
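
The following Python model is an added illustration of how the three levels interact; it is not ECB code or ECB configuration. The class names, policing rates, the three-strike threshold and the sample addresses are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Bucket:
    """Token-bucket policer: refills at `rate` packets/second up to `burst`."""
    rate: float
    burst: float
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

class HostPathModel:
    # Constructed values: the trusted path is policed far more generously.
    def __init__(self):
        self.trusted, self.denied = set(), set()
        self.paths = {"trusted": Bucket(100, 100), "untrusted": Bucket(5, 5)}
        self.flows, self.strikes = {}, {}   # per-source policer and violation count

    def promote(self, src):
        """Source passed the signaling criteria, so it moves to the trusted path."""
        self.trusted.add(src)

    def handle(self, src, now):
        if src in self.denied:                        # level 1: fast path drop
            return "denied"
        flow = self.flows.setdefault(src, Bucket(2, 4, last=now))
        if not flow.allow(now):                       # level 2: per-flow policing
            self.strikes[src] = self.strikes.get(src, 0) + 1
            if self.strikes[src] >= 3:                # level 3: dynamic deny list
                self.denied.add(src)
                self.trusted.discard(src)             # trust does not exempt a flooder
            return "policed"
        path = "trusted" if src in self.trusted else "untrusted"
        return path if self.paths[path].allow(now) else "policed"

if __name__ == "__main__":
    m = HostPathModel()
    m.promote("10.0.0.5")                             # constructed sample sources
    for src in ["10.0.0.5"] + ["198.51.100.9"] * 8:
        print(src, m.handle(src, 0.0))
```

In the sample run the untrusted source is forwarded until its flow policer is exhausted, then policed, then dropped in the fast path, while the trusted source is unaffected.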