Levels of DoS Protection

The multi-level Communications Broker DoS protection consists of the following strategies:

  • Fast path filtering/access control—Access control for signaling packets destined for the Communications Broker host processor as well as media (RTP) packets. The Communications Broker performs media filtering by using the existing dynamic pinhole firewall capabilities. Fast path filtering of packets destined for the host processor requires the configuration and management of a trusted, an untrusted, and a deny list for each Communications Broker realm (although the actual devices can be dynamically trusted or denied by the Communications Broker based on configuration). You do not have to provision every endpoint/device on the Communications Broker; instead you can retain the default values.
  • Host path protection—Includes flow classification, host path policing, and unique signaling flow policing. Fast path filtering alone cannot protect the Communications Broker host processor from being overwhelmed by a malicious attack from a trusted source. The host path and individual signaling flows must be policed to ensure that a volume-based attack does not overwhelm the Communications Broker’s normal call processing, and subsequently the systems beyond it.

    The Communications Broker must classify each source based on its ability to pass certain criteria that are signaling- and application-dependent. At first, each source is considered untrusted, with the possibility of being promoted to fully trusted. The Communications Broker maintains two host paths, one for each class of traffic (trusted and untrusted), with different policing characteristics to ensure that fully trusted traffic always gets precedence.

  • Host-based malicious source detection and isolation/dynamic deny list—Malicious sources can be automatically detected in real-time and denied in the fast path to block them from reaching the host processor.
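The following is an added illustrative model of the three strategies above, not the Communications Broker's own code: a per-source trust state (untrusted, trusted, denied), a per-flow policer, and two host-path policers with different capacity so trusted traffic keeps precedence. The class names, rates, and thresholds are assumed values chosen for the demonstration.

```python
"""Illustrative model of multi-level DoS protection (added example, not the
Communications Broker's code). Each source starts untrusted, is promoted after
passing a criterion, and is put on the deny list when its own signaling flow
exceeds its policer too often. All rates and thresholds are assumed values."""
from collections import defaultdict

UNTRUSTED, TRUSTED, DENIED = "untrusted", "trusted", "denied"


class TokenBucket:
    """Policer: refills `rate` tokens per second, holds at most `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class HostPathGuard:
    def __init__(self, promote_after=3, max_violations=3):
        self.state = defaultdict(lambda: UNTRUSTED)
        self.good = defaultdict(int)        # messages accepted while untrusted
        self.violations = defaultdict(int)  # per-flow policer drops
        # host paths: the trusted class gets far more capacity than the untrusted one
        self.host_path = {TRUSTED: TokenBucket(100, 100), UNTRUSTED: TokenBucket(10, 10)}
        self.flow = defaultdict(lambda: TokenBucket(2, 2))  # unique signaling flow policer
        self.promote_after, self.max_violations = promote_after, max_violations

    def handle(self, src, now, valid=True):
        """Return 'deny', 'drop' or 'accept' for one signaling packet from src."""
        st = self.state[src]
        if st == DENIED:                         # fast-path deny list: never reaches host
            return "deny"
        if not self.flow[src].allow(now):        # per-source signaling flow policing
            self.violations[src] += 1
            if self.violations[src] >= self.max_violations:
                self.state[src] = DENIED         # dynamic deny list
            return "drop"
        if not self.host_path[st].allow(now):    # host path policing for this class
            return "drop"
        if st == UNTRUSTED and valid:
            self.good[src] += 1
            if self.good[src] >= self.promote_after:
                self.state[src] = TRUSTED        # promotion after passing criteria
        return "accept"
```

Feeding a burst from one source drives it from drops to the deny list, while an already promoted source on the trusted host path is still accepted after the untrusted host path has been drained by other sources.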