Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
auth-failure-weight weight

weight must be an integer from 1 to 5.

Use this command to define the severity of an authorization failure. This parameter is used in calculating the current number of authorization failures to compare to the per-aor-failure-limit and the per-ip-failure-limit. Configuring this command with a lower number causes the system to suspend registration attempts with repeated authorization failures much sooner than when configured with a higher number.

The following command assigns a weight of 3 to an authorization failure:

Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
bad-request-weight weight

weight must be an integer from 1 to 5.

Use this command to define the severity of a bad registration request. This parameter is used in calculating the current number of request failures to compare to the per-aor-failure-limit and the per-ip-failure-limit. Configuring this command with a lower number causes the system to suspend registration attempts with repeated request failures much sooner than when configured with a higher number.

The following command assigns a weight of 3 to a bad registration request:

Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
forking-contact-limit limit

limit must be an integer from 0 to 10.

The following command limits all users to 2 registered contacts on the system:

Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
greylist-duration time

time must be an integer from 5 to 1,440.

Use this command to specify the amount of time AoRs or IP addresses remain on a “grey list” after having crossed the registration authorization limit or the bad registration request limit. Limits are described in the per-aor-failure-limit command and the per-ip-failure-limit command.

Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
per-aor-failure-limit limit

Defines the threshold for registration failures based on a calculation using weighted multipliers defined in auth-failure-weight and bad-request-weight.

limit must be an integer from 5 to 10,000.

Current authorization failures ÷ auth-failure-weight = current failures per AoR
Total bad registration requests ÷ bad-request-weight = current failures per AoR

If auth-failure-weight = 2 and bad-request-weight = 1, and the per-aor-failure-limit = 100, then the tolerance for registration authentication failures = 50 per AoR and the tolerance for bad registration requests = 100 per AoR.

When an AoR reaches the failure limit, it is added to a “grey list” for a period of time as defined by the greylist-duration command.

Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
per-ip-failure-limit limit

Defines the threshold for registration failures based on a calculation using weighted multipliers defined in auth-failure-weight and bad-request-weight.

limit must be an integer from 5 to 10,000.

Current authorization failures ÷ auth-failure-weight = current failures per AoR
Total bad registration requests ÷ bad-request-weight = current failures per AoR

If auth-failure-weight = 2 and bad-request-weight = 1, and the per-ip-failure-limit = 200, then the tolerance for registration authentication failures = 100 per each IP address and the tolerance for bad registration requests = 200 per each IP address.

When an IP address reaches the failure limit, it is added to a “grey list” for a period of time as defined by the greylist-duration command.

Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
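
Added example (not part of the original reference and not the platform's implementation): a small Python model of the weighted failure counting and grey-listing described for per-aor-failure-limit and per-ip-failure-limit, for checking what a chosen set of values tolerates before deploying it. It assumes the arithmetic of the worked examples above (each failure counts its weight toward the limit), that greylist-duration is in minutes, and that a counter resets once its key is grey-listed; all class, function and field names are hypothetical, and the events are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    # Fields mirror the CLI keywords on this page; values follow its worked examples.
    auth_failure_weight: int = 2
    bad_request_weight: int = 1
    per_aor_failure_limit: int = 100
    per_ip_failure_limit: int = 200
    greylist_duration: int = 5  # sample value; unit assumed to be minutes

def tolerance(limit, weight):
    # Assumption taken from the worked example: limit 100, weight 2 -> 50 failures.
    return limit // weight

@dataclass
class Tracker:
    policy: Policy
    score: dict = field(default_factory=dict)     # (scope, id) -> weighted failure count
    greylist: dict = field(default_factory=dict)  # (scope, id) -> expiry time

    def greylisted(self, key, now):
        return self.greylist.get(key, 0) > now

    def record(self, now, aor, ip, kind):
        """Count one failure ('auth' or 'bad'); return the keys newly grey-listed."""
        p = self.policy
        weight = p.auth_failure_weight if kind == "auth" else p.bad_request_weight
        hit = []
        for key, limit in ((("aor", aor), p.per_aor_failure_limit),
                           (("ip", ip), p.per_ip_failure_limit)):
            if self.greylisted(key, now):
                continue  # assumed: no further counting while grey-listed
            self.score[key] = self.score.get(key, 0) + weight
            if self.score[key] >= limit:  # limit reached: grey-list and reset
                self.greylist[key] = now + p.greylist_duration
                self.score[key] = 0
                hit.append(key)
        return hit

def run_constructed_events():
    """Constructed sample: one source IP fails auth 10 times on each of 10 AoRs."""
    t = Tracker(Policy())
    first_hit = None
    for n in range(100):
        aor = f"sip:user{n % 10}@example.invalid"
        if t.record(0, aor, "198.51.100.7", "auth") and first_hit is None:
            first_hit = (n + 1, list(t.greylist))
    return first_hit
```

In the constructed run no single AoR comes near its limit, yet the source address is grey-listed on the 100th failure, which is the case the per-IP limit exists to catch.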
threshold-rate rate

rate must be an integer from 1 to 1,000.

The following command sets the threshold rate to 5 bad requests per second:
Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883