CSCF Security Configuration Mode Commands

The CSCF Security Configuration Mode is used to configure Denial of Service (DoS) prevention commands.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

auth-failure-weight

Sets a severity number for authorization failures used in calculating a value for determining when to suspend registration attempts.

IMPORTANT:

The system will ignore the configuration of this command unless the dos-prevention command has been enabled.

Platform:

ASR 5000

Product:

SCM (P-CSCF, A-BG)


Privilege:

Security Administrator, Administrator


Syntax
auth-failure-weight weight
default auth-failure-weight
default

Sets/restores the default value assigned to the specified command.

weight

Default: 1

Assigns a weight to an authorization failure. Defines the severity of a single authorization failure.

weight must be an integer from 1 to 5.


Usage:

Use this command to define the severity of an authorization failure. This parameter is used in calculating the current number of authorization failures to compare to the per-aor-failure-limit and the per-ip-failure-limit. Configuring this command with a lower number causes the system to suspend registration attempts with repeated authorization failures much sooner than when configured with a higher number.


Example:
The following command assigns a weight of 3 to an authorization failure:
auth-failure-weight 3

bad-request-weight

Sets a severity number for bad registration requests used in calculating a value for determining when to suspend registration attempts.

IMPORTANT:

The system will ignore the configuration of this command unless the dos-prevention command has been enabled.

Platform:

ASR 5000

Product:

SCM (P-CSCF, A-BG)


Privilege:

Security Administrator, Administrator


Syntax
bad-request-weight weight
default bad-request-weight
default

Sets/restores the default value assigned to the specified command.

weight

Default: 2

Assigns a weight to a bad registration request. Defines the severity of a single bad request.

weight must be an integer from 1 to 5.


Usage:

Use this command to define the severity of a bad registration request. This parameter is used in calculating the current number of request failures to compare to the per-aor-failure-limit and the per-ip-failure-limit. Configuring this command with a lower number causes the system to suspend registration attempts with repeated request failures much sooner than when configured with a higher number.


Example:
The following command assigns a weight of 3 to a bad registration request:
bad-request-weight 3

dos-prevention

Enables the denial of service (DoS) attack prevention feature.

Platform:

ASR 5000

Product:

SCM (P-CSCF, A-BG)


Privilege:

Security Administrator, Administrator


Syntax
[ default | no ] dos-prevention

[ default | no ]

Disables the DoS attack prevention feature.


Usage:

Use this command to enable the DoS attack prevention feature. The default value for this command is disabled. When this command is enabled, the commands in this mode are enabled with default values configured.

IMPORTANT:

This command must be enabled before configuring other commands in this mode.

end

Exits the current mode and returns to the Exec Mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Change the mode back to the Exec mode.

exit

Exits the current mode and returns to the previous mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Return to the previous mode.

forking-contact-limit

Sets a limit on the number of contacts a user ID can register with the system.

IMPORTANT:

The system will ignore the configuration of this command unless the dos-prevention command has been enabled.

Platform:

ASR 5000

Product:

SCM (P-CSCF, A-BG)


Privilege:

Security Administrator, Administrator


Syntax
forking-contact-limit limit
default forking-contact-limit
default

Sets/restores the default value assigned to the specified command.

limit

Default: 0

Sets the maximum number of contacts a user ID can register with the system. 0 specifies that unlimited contacts can be registered per user ID.

limit must be an integer from 0 to 10.


Usage:

Use this command to limit the number of contacts a user ID can register with the system.


Example:
The following command limits all users to 2 registered contacts on the system:
forking-contact-limit 2

greylist-duration

Configures the amount of time an AoR or IP address remains on a “grey list” after having crossed the registration authorization limit or the bad registration request limit.

IMPORTANT:

The system will ignore the configuration of this command unless the dos-prevention command has been enabled.

Platform:

ASR 5000

Product:

SCM (P-CSCF, A-BG)


Privilege:

Security Administrator, Administrator


Syntax
greylist-duration time
default greylist-duration
default

Sets/restores the default value assigned to the specified command.

time

Default: 10

Defines the time, in minutes, that an AoR or IP address remains on a “grey list”.

time must be an integer from 5 to 1,440.


Usage:

Use this command to specify the amount of time AoRs or IP addresses remain on a “grey list” after having crossed the registration authorization limit or the bad registration request limit. Limits are described in the per-aor-failure-limit command and the per-ip-failure-limit command.


Example:
The following command sets the duration AoRs or IP addresses remain on a “grey list” to 30 minutes:
greylist-duration 30

per-aor-failure-limit

Sets a failure limit that, when exceeded, causes the suspension of registration attempts for the offending AoR.

IMPORTANT:

The system will ignore the configuration of this command unless the dos-prevention command has been enabled.

Platform:

ASR 5000

Product:

SCM (P-CSCF, A-BG)


Privilege:

Security Administrator, Administrator


Syntax
per-aor-failure-limit limit
default per-aor-failure-limit
default

Sets/restores the default value assigned to the specified command.

limit

Default: 200

Defines the threshold for registration failures based on a calculation using weighted multipliers defined in auth-failure-weight and bad-request-weight.

limit must be an integer from 5 to 10,000.


Usage:

Use this command to set a failure limit for registration attempts from an identified AoR. The following calculation determines when this threshold is reached for a specific AoR:

Current authorization failures ÷ auth-failure-weight = current failures per AoR

or

Total bad registration requests ÷ bad-request-weight = current failures per AoR

If auth-failure-weight = 2 and bad-request-weight = 1, and the per-aor-failure-limit = 100, then the tolerance for registration authentication failures = 50 per AoR and the tolerance for bad registration requests = 100 per AoR.

When an AoR reaches the failure limit, it is added to a “grey list” for a period of time as defined by the greylist-duration command.


Example:
The following command sets the AoR failure limit to 300:
per-aor-failure-limit 300

per-ip-failure-limit

Sets a failure limit that, when exceeded, causes the suspension of registration attempts for the offending IP address.

IMPORTANT:

The system will ignore the configuration of this command unless the dos-prevention command has been enabled.

Platform:

ASR 5000

Product:

SCM (P-CSCF, A-BG)


Privilege:

Security Administrator, Administrator


Syntax
per-ip-failure-limit limit
default per-ip-failure-limit
default

Sets/restores the default value assigned to the specified command.

limit

Default: 100

Defines the threshold for registration failures based on a calculation using weighted multipliers defined in auth-failure-weight and bad-request-weight.

limit must be an integer from 5 to 10,000.


Usage:

Use this command to set a failure limit for registration attempts from an identified IP address. The following calculation determines when this threshold is reached for any IP address:

Current authorization failures ÷ auth-failure-weight = current failures per IP address

or

Total bad registration requests ÷ bad-request-weight = current failures per IP address

If auth-failure-weight = 2 and bad-request-weight = 1, and the per-ip-failure-limit = 200, then the tolerance for registration authentication failures = 100 per IP address and the tolerance for bad registration requests = 200 per IP address.

When an IP address reaches the failure limit, it is added to a “grey list” for a period of time as defined by the greylist-duration command.


Example:
The following command sets the IP address registration failure limit to 200:
per-ip-failure-limit 200

threshold-rate

Configures the rate per second at which the system must receive authorization failures or bad registration requests before it considers the failures/requests a DoS attack.

IMPORTANT:

The system will ignore the configuration of this command unless the dos-prevention command has been enabled.

Platform:

ASR 5000

Product:

SCM (P-CSCF, A-BG)


Privilege:

Security Administrator, Administrator


Syntax
threshold-rate rate
default threshold-rate
default

Sets/restores the default value assigned to the specified command.

rate

Default: 1

Specifies the rate per second that the system must receive authorization failures or bad registration requests to determine that it is under a DoS attack.

rate must be an integer from 1 to 1,000.


Usage:

Use this command to specify the threshold rate for authorization failures or bad registration requests. For example, if a malicious user sends bad registration requests at a rate of 5 per second and this parameter is set to 10, the system will not consider itself under a DoS attack.
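The weighted accounting described under per-aor-failure-limit, per-ip-failure-limit and threshold-rate, modelled as an added Python example; this is not Cisco or StarOS code. It assumes the reading that the page's worked numbers give (each failure adds its weight to the AoR's and the source IP's score, greylisting starts when a score reaches the limit, so tolerance = limit ÷ weight, and lasts greylist-duration minutes); the AoR, IP address and event counts are constructed.

```python
# Constructed model of this mode's DoS-prevention accounting (not Cisco code).
# Assumption from the page's worked numbers: score += weight per failure,
# greylist when score >= limit, expiry after greylist-duration minutes.
DEFAULTS = dict(auth_failure_weight=1, bad_request_weight=2,
                per_aor_failure_limit=200, per_ip_failure_limit=100,
                greylist_duration=10, threshold_rate=1)

class DosPrevention:
    def __init__(self, **overrides):
        self.cfg = {**DEFAULTS, **overrides}
        self.score = {}     # ("aor", id) or ("ip", addr) -> weighted score
        self.greylist = {}  # same key -> minute at which greylisting expires

    def is_greylisted(self, key, now_min):
        until = self.greylist.get(key)
        if until is not None and now_min < until:
            return True
        self.greylist.pop(key, None)  # expired (or absent): drop the entry
        return False

    def record_failure(self, aor, ip, kind, now_min, rate_per_sec):
        """Account one 'auth' failure or 'bad' request from (aor, ip).
        Returns the keys that this event pushed onto the grey list."""
        if rate_per_sec < self.cfg["threshold_rate"]:
            return []  # below threshold-rate: not treated as a DoS attack
        weight = self.cfg["auth_failure_weight" if kind == "auth" else "bad_request_weight"]
        limits = {("aor", aor): self.cfg["per_aor_failure_limit"],
                  ("ip", ip): self.cfg["per_ip_failure_limit"]}
        newly = []
        for key, limit in limits.items():
            if self.is_greylisted(key, now_min):
                continue  # already suspended; nothing more to count
            self.score[key] = self.score.get(key, 0) + weight
            if self.score[key] >= limit:
                self.greylist[key] = now_min + self.cfg["greylist_duration"]
                self.score[key] = 0
                newly.append(key)
        return newly

    def accept_register(self, aor, ip, now_min):
        """A REGISTER is refused while its AoR or its source IP is greylisted."""
        return not (self.is_greylisted(("aor", aor), now_min)
                    or self.is_greylisted(("ip", ip), now_min))

def failures_to_greylist(kind, **overrides):
    """Failures of 'kind' from one constructed AoR/IP until a limit trips."""
    d, n = DosPrevention(**overrides), 0
    while not d.record_failure("sip:alice@example.com", "192.0.2.10", kind, 0, 10):
        n += 1
    return n + 1
```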


Example:
The following command sets the threshold rate to 5 authorization failures or bad registration requests per second:
threshold-rate 5