CSCF Security Configuration Mode Commands

The CSCF Security Configuration Mode is used to configure Denial of Service (DoS) prevention commands.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
auth-failure-weight
Sets a severity number for authorization failures used in calculating a value for determining when to suspend registration attempts.
Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
Product
SCM (P-CSCF, A-BG)
Privilege
Security Administrator, Administrator
Syntax
auth-failure-weight weight
default auth-failure-weight
weight
Default: 1
Assigns a weight to an authorization failure. Defines the severity of a single authorization failure.
weight must be an integer from 1 to 5.
default
Sets/restores the default value assigned to the specified command.
Usage
Use this command to define the severity of an authorization failure. This parameter is used in calculating the current number of authorization failures to compare to the per-aor-failure-limit and the per-ip-failure-limit. Configuring this command with a lower number causes the system to suspend registration attempts with repeated authorization failures much sooner than when configured with a higher number.
Example
The following command assigns a weight of 3 to an authorization failure:
auth-failure-weight 3
 
bad-request-weight
Sets a severity number for bad registration requests used in calculating a value for determining when to suspend registration attempts.
Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
Product
SCM (P-CSCF, A-BG)
Privilege
Security Administrator, Administrator
Syntax
bad-request-weight weight
default bad-request-weight
weight
Default: 2
Assigns a weight to a bad registration request. Defines the severity of a single bad request.
weight must be an integer from 1 to 5.
default
Sets/restores the default value assigned to the specified command.
Usage
Use this command to define the severity of a bad registration request. This parameter is used in calculating the current number of request failures to compare to the per-aor-failure-limit and the per-ip-failure-limit. Configuring this command with a lower number causes the system to suspend registration attempts with repeated request failures much sooner than when configured with a higher number.
Example
The following command assigns a weight of 3 to a bad registration request:
bad-request-weight 3
 
dos-prevention
Enables the denial of service prevention feature.
Product
SCM (P-CSCF, A-BG)
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] dos-prevention
[ default | no ]
Disables the denial of service prevention feature.
Usage
Use this command to enable the denial of service prevention feature. The default value for this command is disabled. When this command is enabled, the commands in this mode are enabled with default values configured.
Important: This command must be enabled before configuring other commands in this mode.
 
end
Exits the current mode and returns to the Exec Mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Change the mode back to the Exec mode.
 
exit
Exits the current mode and returns to the previous mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Return to the previous mode.
 
forking-contact-limit
Sets a limit on the number of contacts a user ID can register with the system.
Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
Product
SCM (P-CSCF, A-BG)
Privilege
Security Administrator, Administrator
Syntax
forking-contact-limit limit
default forking-contact-limit
limit
Default: 0
Sets the maximum number of contacts a user ID can register with the system. 0 specifies that unlimited contacts can be registered per user ID.
limit must be an integer from 0 to 10.
default
Sets/restores the default value assigned to the specified command.
Usage
Use this command to limit the number of contacts a user ID can register with the system.
Example
The following command limits all users to 2 registered contacts on the system:
forking-contact-limit 2
 
greylist-duration
Configures the amount of time an AoR or IP address remains on a “grey list” after having crossed the registration authorization limit or the bad registration request limit.
Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
Product
SCM (P-CSCF, A-BG)
Privilege
Security Administrator, Administrator
Syntax
greylist-duration time
default greylist-duration
time
Default: 10
Defines the time, in minutes, that an AoR or IP address remains on a “grey list”.
time must be an integer from 5 to 1,440.
default
Sets/restores the default value assigned to the specified command.
Usage
Use this command to specify the amount of time AoRs or IP addresses remain on a “grey list” after having crossed the registration authorization limit or the bad registration request limit. Limits are described in the per-aor-failure-limit command and the per-ip-failure-limit command.
Example
The following command sets the duration AoRs or IP addresses remain on a “grey list” to 30 minutes:
greylist-duration 30
 
per-aor-failure-limit
Sets a failure limit that, when exceeded, causes the suspension of registration attempts for the offending AoR.
Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
Product
SCM (P-CSCF, A-BG)
Privilege
Security Administrator, Administrator
Syntax
per-aor-failure-limit limit
default per-aor-failure-limit
limit
Default: 200
Defines the threshold for registration failures based on a calculation using weighted multipliers defined in auth-failure-weight and bad-request-weight.
limit must be an integer from 5 to 10,000.
default
Sets/restores the default value assigned to the specified command.
Usage
Use this command to set a failure limit for registration attempts from an identified AoR. The following calculation determines when this threshold is reached for a specific AoR:
Current authorization failures ÷ auth-failure-weight = current failures per AoR
or
Total bad registration requests ÷ bad-request-weight = current failures per AoR
If auth-failure-weight = 2 and bad-request-weight = 1, and the per-aor-failure-limit = 100, then the tolerance for registration authentication failures = 50 per AoR and the tolerance for bad registration requests = 100 per AoR.
When an AoR reaches the failure limit, it is added to a “grey list” for a period of time as defined by the greylist-duration command.
Example
The following command sets the AoR failure limit to 300:
per-aor-failure-limit 300
 
per-ip-failure-limit
Sets a failure limit that, when exceeded, causes the suspension of registration attempts for the offending IP address.
Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
Product
SCM (P-CSCF, A-BG)
Privilege
Security Administrator, Administrator
Syntax
per-ip-failure-limit limit
default per-ip-failure-limit
limit
Default: 100
Defines the threshold for registration failures based on a calculation using weighted multipliers defined in auth-failure-weight and bad-request-weight.
limit must be an integer from 5 to 10,000.
default
Sets/restores the default value assigned to the specified command.
Usage
Use this command to set a failure limit for registration attempts from an identified IP address. The following calculation determines when this threshold is reached for any IP address:
Current authorization failures ÷ auth-failure-weight = current failures per IP address
or
Total bad registration requests ÷ bad-request-weight = current failures per IP address
If auth-failure-weight = 2 and bad-request-weight = 1, and the per-ip-failure-limit = 200, then the tolerance for registration authentication failures = 100 per IP address and the tolerance for bad registration requests = 200 per IP address.
When an IP address reaches the failure limit, it is added to a “grey list” for a period of time as defined by the greylist-duration command.
Example
The following command sets the IP address registration failure limit to 200:
per-ip-failure-limit 200
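The following Python model, added here as an illustration and not Cisco code, shows how the weighted limits described under per-aor-failure-limit and per-ip-failure-limit interact with auth-failure-weight, bad-request-weight and greylist-duration. It reproduces the worked numbers on this page (auth-failure-weight 2 and per-aor-failure-limit 100 tolerate 50 authorization failures per AoR; per-ip-failure-limit 200 tolerates 100 per IP address) by comparing failures × weight against the limit, which is the same comparison as failures against limit ÷ weight. Two points the page leaves open are assumptions in the model: the limit counts as exceeded on the first failure that pushes the weighted count strictly above it, and time is a minute counter supplied by the caller. The AoR and IP values are constructed for the example.

```python
"""Weighted registration-failure limits with greylisting (added example, not Cisco code).

Reproduces the page's worked numbers: auth-failure-weight = 2 with
per-aor-failure-limit = 100 tolerates 50 authorization failures per AoR.
Assumptions: a limit is "exceeded" when failures x weight is strictly greater
than it, and time is a minute counter passed in by the caller.
"""
from dataclasses import dataclass


@dataclass
class DosPreventionConfig:
    # Defaults are the ones listed on this page
    auth_failure_weight: int = 1
    bad_request_weight: int = 2
    per_aor_failure_limit: int = 200
    per_ip_failure_limit: int = 100
    greylist_duration_min: int = 10


@dataclass
class FailureCounters:
    auth_failures: int = 0
    bad_requests: int = 0


def tolerated_failures(limit: int, weight: int) -> int:
    """Failures tolerated before the limit is exceeded: limit / weight (the page's 100 / 2 = 50)."""
    return limit // weight


class RegistrationGuard:
    def __init__(self, cfg: DosPreventionConfig) -> None:
        self.cfg = cfg
        self.aor_counters: dict[str, FailureCounters] = {}
        self.ip_counters: dict[str, FailureCounters] = {}
        self.greylist: dict[str, float] = {}  # key -> minute at which the entry expires

    def is_greylisted(self, key: str, now_min: float) -> bool:
        expiry = self.greylist.get(key)
        if expiry is None:
            return False
        if now_min >= expiry:
            # greylist-duration has elapsed: drop the entry and start counting afresh
            del self.greylist[key]
            self.aor_counters.pop(key, None)
            self.ip_counters.pop(key, None)
            return False
        return True

    def allow_registration(self, aor: str, ip: str, now_min: float) -> bool:
        """A REGISTER is accepted only if neither its AoR nor its source IP is greylisted."""
        return not (self.is_greylisted(aor, now_min) or self.is_greylisted(ip, now_min))

    def _exceeded(self, c: FailureCounters, limit: int) -> bool:
        # Either weighted count crossing the limit is enough to suspend the key
        return (c.auth_failures * self.cfg.auth_failure_weight > limit
                or c.bad_requests * self.cfg.bad_request_weight > limit)

    def _record(self, aor: str, ip: str, now_min: float, auth: bool) -> None:
        scopes = (
            (self.aor_counters, aor, self.cfg.per_aor_failure_limit),
            (self.ip_counters, ip, self.cfg.per_ip_failure_limit),
        )
        for table, key, limit in scopes:
            if self.is_greylisted(key, now_min):
                continue  # already suspended; nothing more to count
            c = table.setdefault(key, FailureCounters())
            if auth:
                c.auth_failures += 1
            else:
                c.bad_requests += 1
            if self._exceeded(c, limit):
                self.greylist[key] = now_min + self.cfg.greylist_duration_min

    def record_auth_failure(self, aor: str, ip: str, now_min: float) -> None:
        self._record(aor, ip, now_min, auth=True)

    def record_bad_request(self, aor: str, ip: str, now_min: float) -> None:
        self._record(aor, ip, now_min, auth=False)


if __name__ == "__main__":
    # The page's worked numbers: weight 2, AoR limit 100 -> the 51st auth failure greylists the AoR
    cfg = DosPreventionConfig(auth_failure_weight=2, bad_request_weight=1,
                              per_aor_failure_limit=100, per_ip_failure_limit=200,
                              greylist_duration_min=30)
    guard = RegistrationGuard(cfg)
    aor, ip = "sip:alice@example.com", "192.0.2.10"  # constructed values
    for _ in range(51):
        guard.record_auth_failure(aor, ip, now_min=0)
    print("AoR greylisted:", guard.is_greylisted(aor, 0))                # True
    print("IP greylisted:", guard.is_greylisted(ip, 0))                  # False: IP tolerance is 200 / 2 = 100
    print("allowed at minute 30:", guard.allow_registration(aor, ip, 30))  # True, greylist-duration elapsed
```

The model keeps separate counters per AoR and per IP address, as the two commands do, so a single source address cycling through many AoRs runs into per-ip-failure-limit even when no individual AoR reaches per-aor-failure-limit.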
 
threshold-rate
Configures the rate per second at which the system must receive bad requests before it considers the requests a DoS attack.
Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
Product
SCM (P-CSCF, A-BG)
Privilege
Security Administrator, Administrator
Syntax
threshold-rate rate
default threshold-rate
rate
Default: 1
Specifies the rate per second that the system must receive bad requests to determine that it is under a DoS attack.
rate must be an integer from 1 to 1,000.
default
Sets/restores the default value assigned to the specified command.
Usage
Use this command to specify the threshold rate for bad requests. For example, if a malicious user sends bad requests at a rate of 5 per second and this parameter is set to 10, the system will not consider itself under a DoS attack.
Example
The following command sets the threshold rate to 5 bad requests per second:
threshold-rate 5
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883