Configuring DoS Security

This section explains how to configure the Oracle® Enterprise Session Border Controller for DoS protection.

Configuration Overview

Configuring Oracle® Enterprise Session Border Controller DoS protection includes masking source IP and port parameters to include more than one match and configuring guaranteed minimum bandwidth for trusted and untrusted signaling path. You can also configure signaling path policing parameters for individual source addresses. Policing parameters are defined as peak data rate (in bytes/sec), average data rate (in bytes/sec), and maximum burst size.

You can configure deny list rules based on the following:

ingress realm
source IP address
source port
transport protocol (TCP/UDP)
application protocol (SIP or H.323)

Exercise caution when configuring ACLs, noting that the syntax of your entry is correct. The E-SBC sets ACL fields with incorrect syntax to their defaults.

For example, the default source IP address for an ACL is 0.0.0.0. If using dynamic ACLs, this default address can overwrite the applicable realm's default ACL. If this ACL also has the default trust level of none, it would prevent the E-SBC from promoting any traffic on that realm to trusted.

Confirm the syntax of your configured ACLs before you save and activate them.

Changing the Default Oracle® Enterprise Session Border Controller Behavior

The Oracle® Enterprise Session Border Controller automatically creates permit untrusted ACLs that let all sources (address prefix of 0.0.0.0/0) reach each configured realm’s signaling interfaces, regardless of the realm’s address prefix. To deny sources or classify them as trusted, you create static or dynamic ACLs, and the global permit untrusted ACL to specifically deny sources or classify them as trusted. Doing this creates a default permit-all policy with specific deny and permit ACLs based on the realm address prefix.

You can change that behavior by configuring static ACLs for realms with the same source prefix as the realm’s address prefix; and with the trust level set to the same value as the realm. Doing this prevents the permit untrusted ACLs from being installed. You then have a default deny all ACL policy with specific static permit ACLs to allow packets into the system.

Example 1 Limiting Access to a Specific Address Prefix Range

The following example shows how to install a permit untrusted ACL of source 12.34.0.0/16 for each signalling interface/port of a realm called access. Only packets from within the source address prefix range 12.34.0.0/16, destined for the signaling interfaces/port of the realm named access, are allowed. The packets go into untrusted queues until they are dynamically demoted or promoted based on their behavior. All other packets are denied/dropped.

Configure a realm called access and set the trust level to low and the address prefix to 12.34.0.0/16.
Configure a static ACL with a source prefix of 12.34.0.0/16 with the trust level set to low for the realm named access.

Example 2 Classifying the Packets as Trusted

Building on Example 1, this example shows how to classify all packets from 12.34.0.0/16 to the realm signaling interfaces as trusted and place them in a trusted queue. All other packets from outside the prefix range destined to the realm’s signaling interfaces are allowed and classified as untrusted; then promoted or demoted based on behavior.

You do this by adding a global permit untrusted ACL (source 0.0.0.0) for each signaling interface/port of the access realm. You configure a static ACL with a source prefix 12.34.0.0/16 and set the trust level to high.

Adding this ACL causes the Oracle® Enterprise Session Border Controller to also add a permit trusted ACL with a source prefix of 12.34.0.0/16 for each signaling interface/port of the access realm. This ACL is added because the trust level of the ACL you just added is high and the realm’s trust level is set to low. The trust levels must match to remove the global permit trusted ACL.

Example 3 Installing Only Static ACLs

This example shows you how to prevent the Oracle® Enterprise Session Border Controller from installing the global permit (0.0.0.0) untrusted ACL.

Configure a realm with a trust level of none.
Configure static ACLs for that realm with the same source address prefix as the realm’s address prefix, and set the trust level to any value.

The system installs only the static ACLs you configure.

Access Control List Configuration

To configure access control lists:

Access the access-control configuration element.

ACMEPACKET# configure terminal
ACMEPACKET(configure)# session-router
ACMEPACKET(session-router)# access-control
ACMEPACKET(access-control)#

Type select to choose and configure an existing object.

ACMEPACKET(access-control)# select
<src-ip>:
1: src 0.0.0.0; 0.0.0.0; realm01; ; ALL

realm-id—Enter the ID of the host’s ingress realm.
source-address—Enter the source IPv4 address and port number for the host in the following format:
```
<IP address>[/number of address bits>][:<port>][/<port bits>]
```
For example:
```
10.0.0.1/24:5000/14
10.0.0.1/16
10.0.0.1/24:5000
10.0.0.1:5000
```
You do not need to specify the number of address bits if you want all 32 bits of the address to be matched. You also do not need to specify the port bits if you want the exact port number matched. If you do not set the port mask value or if you set it to 0, the exact port number will be used for matching. The default value is 0.0.0.0.
destination-address—(Is ignored if you configure an application protocol in step 7.) Enter the destination IPv4 address and port for the destination in the following format:
```
<IP address>[/number of address bits>][:<port>[/<port bits>]]
```
You do not need to specify the number of address bits if you want all 32 bits of the address to be matched. You also do not need to specify the port bits if you want the exact port number matched. If you do not set the port mask value or if you set it to 0, the exact port number will be used for matching. The default value is 0.0.0.0.
application-protocol—Enter the application protocol type for this ACL entry. The valid values are:
- SIP | H.323 | None
  
  Note:
  If application-protocol is set to none, the destination-address and port will be used. Ensure that your destination-address is set to a non-default value (0.0.0.0.)
transport-protocol—Select the transport-layer protocol configured for this ACL entry. The default value is ALL. The valid values are:
- ALL | TCP | UDP
access—Enter the access control type or trusted list based on the trust-level parameter configuration for this host. The default value is permit. The valid values are:
- permit—Puts the entry into the untrusted list. The entry is promoted or demoted according to the trust level set for this host.
- deny—Puts the entry in the deny list.
average-rate-limit—Indicate the sustained rate in bytes per second for host path traffic from a trusted source within the realm. The default value is 0. A value of 0 means policing is disabled. The valid range is:
- Minimum—0
- Maximum—999999999
trust-level—Indicate the trust level for the host with the realm. The default value is none. The valid values are:
- none—Host is always untrusted. It is never promoted to the trusted list or demoted to the deny list.
- low—Host can be promoted to the trusted list or demoted to the deny list.
- medium—Host can be promoted to the trusted list but is only demoted to untrusted. It is never added to the deny list.
- high—Host is always trusted.
invalid-signal-threshold— Enter the number of invalid signaling messages that trigger host demotion. The value you enter here is only valid when the trust level is low or medium. Available values are:
- Minimum—Zero (0) is disabled.
- Maximum—999999999
  
  If the number of invalid messages exceeds this value based on the tolerance window parameter, configured in the media manager, the host is demoted.
  
  The tolerance window default is 30 seconds. Bear in mind, however, that the system uses the same calculation it uses for specifying "recent" statistics in show commands to determine when the number of signaling messages exceeds this threshold. This calculation specifies a consistent start time for each time period to compensate for the fact that the event time, such as a user running a show command, almost never falls on a time-period's border. This provides more consistent periods of time for measuring event counts.
  
  The result is that this invalid signal count increments for two tolerance windows, 60 seconds by default, within which the system monitors whether or not to demote the host. The signal count for the current tolerance window is always added to the signal count of the previous tolerance window and compared against your setting.
maximum-signal-threshold—Set the maximum number of signaling messages the host can send within the tolerance window. The value you enter here is only valid when the trust level is low or medium. The default value is 0, disabling this parameter. The valid range is:
- Minimum—0
- Maximum—999999999
  
  If the number of messages received exceeds this value within the tolerance window, the host is demoted.
untrusted-signal-threshold—Set the maximum number of untrusted messages the host can send within the tolerance window. Use to configure different values for trusted and un-trusted endpoints for valid signaling message parameters. Also configurable per realm. The default value is 0, disabling this parameter. The valid range is:
- Minimum—0
- Maximum—999999999
deny-period—Indicate the time period in seconds after which the entry for this host is removed from the deny list. The default value is 30. The valid range is:
- Minimum—0
- Maximum—999999999

nat-trust-threshold—Enter the number of endpoints behind a NAT that must be denied for the Oracle® Enterprise Session Border Controller to demote the NAT device itself to denied (dynamic demotion of NAT devices). The default is 0, meaning dynamic demotion of NAT devices is disabled. The range is from 0 to 65535.

The following example shows access control configured for a host in the external realm.

access-control
        realm-id                       external
        source-address                 192.168.200.215
        destination-address            192.168.10.2:5000
        application-protocol           SIP
        transport-protocol             ALL
        access                         permit
        average-rate-limit             3343
        trust-level                    low
        invalid-signal-threshold       5454
        maximum-signal-threshold       0
        untrusted-signal-threshold     0
        deny-period                    0

The following example of how to configure a black-list entry:

access-control
        realm-id                       external
        source-address                 192.168.200.200
        destination-address            192.168.10.2:5000
        application-protocol           SIP
        transport-protocol             ALL
        access                         deny
        average-rate-limit             0
        trust-level                    none
        invalid-signal-threshold       0
        maximum-signal-threshold       0
        untrusted-signal-threshold     0
        deny-period                    0

Host Access Policing

You can configure the Oracle® Enterprise Session Border Controller to police the overall bandwidth of the host path.

To configure host access policing:

Access the media-manager-config configuration element.

ORACLE# configure terminal
ORACLE(configure)# media-manager
ORACLE(media-manager)# media-manager
ORACLE(media-manager-config)#

Type select to begin editing.

ORACLE(media-manager-config)# select

ORACLE(media-manager-config)#

max-signaling-bandwidth—Set the maximum bandwidth available for the host path in bytes per second, which includes signaling messages from trusted sources, untrusted sources, and any management traffic on media ports. This setting applies to the following platforms, only: Acme Packet 4600, Acme Packet 6100, Acme Packet 6300, and Acme Packet 6350. Default: 1000000. Range: 71000-10000000.
max-signaling-packet—Set the maximum bandwidth available for the host path in packets per second, which includes signaling messages from trusted sources, untrusted sources, and any management traffic on media ports. This setting applies to the following platforms, only: Acme Packet 1100, Acme Packet 3900, and virtual. The default setting corresponds to the maximum value allowed by the platform, as follows:
- Acme Packet 1100: 10000
- Acme Packet 3900: 40000
- Virtual: System dependent.
max-untrusted-signaling—Set the percentage of the maximum signaling bandwidth you want to make available for messages coming from untrusted sources. This bandwidth is available only when not being used by trusted sources. Default: 100. Range:1-100.
min-untrusted-signaling—Set the percentage of the maximum signaling bandwidth you want reserved for untrusted sources. The rest of the bandwidth is available for trusted resources, but can also be used for untrusted sources per max-untrusted-signaling. Default: 30. Range: 1-100.
fragment-msg-bandwidth—(Only available on the Acme Packet 3820 and Acme Packet 4500) Enter the amount of bandwidth to use for the fragment packet queue. When set to 0, the Oracle® Enterprise Session Border Controlleruses the same queue for and sharing bandwidth between untrusted packets and fragment packets. Default: zero. Range: 0-10000000.
tolerance-window—Set the size of the window used to measure host access limits for measuring the invalid message rate and maximum message rate for the realm configuration. Default: 30. Range: 0-999999999.
Save and activate the configuration.

Configuring ARP Flood Protection

You do not need to configure the Oracle® Enterprise Session Border Controller to enable the use of two separate ARP queues; that feature is enabled automatically.

If you want to configure the ARP queue policing rate, you can do so in the media manager configuration.

Note:

this feature is not RTC-supported, and you must reboot your Oracle® Enterprise Session Border Controller in order for your configuration changes to take effect.

To set the ARP queue policing rate:

In Superuser mode, type configure terminal and press Enter.
```
ORACLE# configure terminal
```

Type media-manager and press Enter.

ORACLE(configure)# media-manager
ORACLE(media-manager)#

Enter media-manager and press <Enter:.

ORACLE(media-manager)# media-manager
ORACLE(media-manager-config)#

arp-msg-bandwidth—Enter the rate at which you want the Oracle® Enterprise Session Border Controller to police the ARP queue; the value you enter is the bandwidth limitation in bytes per second. The default value is 32000. The valid range is:
- Minimum—2000
- Maximum—200000
Save your configuration.
Reboot your Oracle® Enterprise Session Border Controller.

Access Control for a Realm

Each host within a realm can be policed based on average rate, peak rate, and maximum burst size of signaling messages. These parameters take effect only when the host is trusted. You can also set the trust level for the host within the realm. All untrusted hosts share the bandwidth defined for the media manager: maximum untrusted bandwidth and minimum untrusted bandwidth.

To configure access control for a realm:

In Superuser mode, type configure terminal and press Enter.
```
ORACLE# configure terminal
```
Type media-manager and press Enter to access the system-level configuration elements.
```
ORACLE(configure)# media-manager
```
Type realm-config and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters.
```
ORACLE(media-manager)# realm-config
ORACLE(realm-config)#
```
addr-prefix—Set the IP address prefix used to determine if an IP address is associated with the realm. This value is then associated with the ACLs you create to determine packet access. The default value is 0.0.0.0.
average-rate-limit—Set the sustained rate for host path traffic from a trusted source within the realm in bytes per second. The default value is zero (0), disabling this parameter. The valid range is:
- Minimum—0
- Maximum—4294967295
access-control-trust-level—Set the trust level for the host within the realm. The default value is none. The valid values are:
- none—Host is always untrusted. It is never promoted to the trusted list or demoted to the deny list.
- low—Host can be promoted to the trusted list or demoted to the deny list.
- medium—Host can be promoted to the trusted list but is only demoted to untrusted. It is never added to the deny list.
- high—Host is always trusted.
invalid-signal-threshold— Enter the number of invalid signaling messages that trigger host demotion. The value you enter here is only valid when the trust level is low or medium. Available values are:
- Minimum—Zero (0) is disabled.
- Maximum—999999999
  
  If the number of invalid messages exceeds this value based on the tolerance window parameter, configured in the media manager, the host is demoted.
  
  The tolerance window default is 30 seconds. Bear in mind, however, that the system uses the same calculation it uses for specifying "recent" statistics in show commands to determine when the number of signaling messages exceeds this threshold. This calculation specifies a consistent start time for each time period to compensate for the fact that the event time, such as a user running a show command, almost never falls on a time-period's border. This provides more consistent periods of time for measuring event counts.
  
  The result is that this invalid signal count increments for two tolerance windows, 60 seconds by default, within which the system monitors whether or not to demote the host. The signal count for the current tolerance window is always added to the signal count of the previous tolerance window and compared against your setting.
maximum-signal-threshold—Set the maximum number of signaling messages one host can send within the window of tolerance. The host is demoted if the number of messages received by the Oracle® Enterprise Session Border Controller exceeds the number set here. Valid only when the trust level is set to low or medium. The default value is zero (0), disabling this parameter. The valid range is:
- Minimum—0
- Maximum—4294967295
untrusted-signal-threshold—Set the maximum number of untrusted messages the host can send within the tolerance window. Use to configure different values for trusted and un-trusted endpoints for valid signaling message parameters. Also configurable per realm. The default value is zero (0), disabling the parameter. The valid range is:
- Minimum—0
- Maximum—4294967295
deny-period—Set the length of time an entry is posted on the deny list. The host is deleted from the deny lost after this time period. The default value is 30. A value of 0 disables the parameter. The valid range is:
- Minimum—0
- Maximum—4294967295

The following example shows a host access policing configuration.

realm-config
        identifier                     private
        addr-prefix                    192.168.200.0/24
        network-interfaces
                                       prviate:0
        mm-in-realm                    disabled
        mm-in-network                  enabled
        msm-release                    disabled
        qos-enable                     disabled
        max-bandwidth                  0
        ext-policy-svr
        max-latency                    0
        max-jitter                     0
        max-packet-loss                0
        observ-window-size             0
        parent-realm
        dns-realm
        media-policy
        in-translationid
        out-translationid
        class-profile
        average-rate-limit             8000
        access-control-trust-level     medium
        invalid-signal-threshold       200
        maximum-signal-threshold       0
        untrusted-signal-threshold     500
        deny-period                    30
        symmetric-latching             disabled
        pai-strip                      disabled
        trunk-context

Configuring Overload Protection for Session Agents

The Oracle® Enterprise Session Border Controller offers two methods to control SIP registrations to smooth the registration flow.

You can limit the:

number of new register requests sent to a session agent (using the max-register-sustain-rate parameter)
burstiness which can be associated with SIP registrations

The first method guards against the Oracle® Enterprise Session Border Controller’s becoming overwhelmed with register requests, while the second method guards against a transient registration that can require more than available registration resources.

SIP registration burst rate control allows you to configure two new parameters per SIP session agent—one that controls the registration burst rate to limit the number of new registration requests, and a second to set the time window for that burst rate. When the registration rate exceeds the burst rate you set, the Oracle® Enterprise Session Border Controller responds to new registration requests with 503 Service Unavailable messages.

Note that this constraint is not applied to re-registers resulting from a 401 Unauthorized challenge request.

To configure overload protection for session agents:

In Superuser mode, type configure terminal and press Enter.
```
ORACLE# configure terminal
```
Type session-router and press Enter to access the system-level configuration elements.
```
ORACLE(configure)# session-router
```
Type session-agent and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters.
```
ORACLE(session-router)# session-agent
ORACLE(session-agent)#
```
constraints—Enable this parameter to set the sustained rate window constraint you configure in the next step. The default value is disabled. The valid values are:
- enabled | disabled
sustain-rate-window—Enter a number to set the sustained window period (in milliseconds) that is used to measure the sustained rate. The default value is zero (0). The valid range is:
- Minimum—10
- Maximum—4294967295
  
  The value you set here must be higher than or equal to the value you set for the burst rate window.
  
  Note:
  If you are going to use this parameter, you must set it to a minimum value of 10.
max-register-sustain-rate—Enter a number to set the maximum number of registrations per second you want sent to the session agent. The default value is zero (0), disabling the parameter. The valid range is:
- Minimum—0
- Maximum—4294967295
register-burst-window—Define the window size in seconds for the maximum number of allowable SIP registrations. 0 is the minimum and default value for this parameter; the maximum value is 999999999.
max-register-burst-rate—Enter the maximum number of new registrations you want this session agent to accept within the registration burst rate window. If this threshold is exceeded, the Oracle® Enterprise Session Border Controller will respond to new registration requests with 503 Service Unavailable messages. 0 is the minimum and default value for this parameter; the maximum value is 999999999.
Save and activate your configuration.