- Contents
- Prerequisites for DoS Prevention and Dynamic Blacklisting
- Restrictions for DoS Prevention and Dynamic Blacklisting
- Information About DoS Prevention and Dynamic Blacklisting
- Overriding Dynamic Blacklisting Default Thresholds
- Dynamic Blacklisting Behavior
- How to Configure Dynamic Blacklisting
- Examples of Configuring, Removing, and Displaying Dynamic Blacklisting
DoS Prevention and Dynamic Blacklisting
Denial of Service (DoS) prevention and dynamic blacklisting is used by Cisco Unified Border Element (SP Edition) to block malicious endpoints from attacking the network.
Cisco Unified Border Element (SP Edition) monitors signaling traffic and dynamically detects potential attacks without disrupting the rest of the services that it provides. The attacks can then be blocked internally or externally.
DoS attacks are generally performed on Internet services to deny these services to others. They are usually aimed at the provider of the service, and are either purely malicious vandalism or part of an attempt at extortion.
Blacklisting is the process of matching inbound packets based on parameters, such as source IP addresses, and preventing the packets that match those parameters from being processed.
Dynamic blacklists put in place automatically (subject to a set of configurable constraints) by Cisco Unified Border Element (SP Edition) when it detects an attempt to disrupt traffic flowing through it. Dynamic blacklisting does not require management interference. It can occur within milliseconds of the start of an attack and can change and adapt as the attack changes providing immediate network protection.
Cisco Unified Border Element (SP Edition) was formerly known as Integrated Session Border Controller and may be commonly referred to in this document as the session border controller (SBC).
For a complete description of the commands used in this chapter, refer to the Cisco Unified Border Element (SP Edition) Command Reference: Unified Model at:
http://www.cisco.com/en/US/docs/ios/sbc/command/reference/sbcu_book.html.
For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or a Cisco IOS master commands list.
Note For Cisco IOS XR Software Release, this feature is supported in the unified model only.
Feature History for DoS Prevention and Dynamic Blacklisting
Contents
This chapter contains the following sections:
- Prerequisites for DoS Prevention and Dynamic Blacklisting
- Restrictions for DoS Prevention and Dynamic Blacklisting
- Information About DoS Prevention and Dynamic Blacklisting
- Overriding Dynamic Blacklisting Default Thresholds
- Dynamic Blacklisting Behavior
- How to Configure Dynamic Blacklisting
- Examples of Configuring, Removing, and Displaying Dynamic Blacklisting
Prerequisites for DoS Prevention and Dynamic Blacklisting
Following are the prerequisites are required for dynamic blacklisting:
Restrictions for DoS Prevention and Dynamic Blacklisting
The following are restrictions for DoS prevention and dynamic blacklisting:
Information About DoS Prevention and Dynamic Blacklisting
Cisco Unified Border Element (SP Edition) monitors the following events as “reasons” for initiating DoS detection policies:
– authentication-failure—If Cisco Unified Border Element (SP Edition) is locally authenticating the UAs or peers, then any authentication failure will count as one event.
– bad-address—This event is generated when an unexpected source sends a packet that reaches Cisco Unified Border Element (SP Edition); the packet will be dropped.
– rtg-policy-rejection—This event is generated when traffic fails to find a match in the routing policy. In Cisco IOS XE Release 3.2S, the routing-failure event is renamed as rtg-policy-rejection.
– endpoint-registration— This event is generated when an endpoint is registering through Cisco Unified Border Element (SP Edition) and the registration is rejected.
– corrupt-message—This event is generated when a signalling message cannot be decoded by the application or contains a protocol exception/violation.
– cac-policy-rejection—This is a complex category because it monitors CAC policy failures, that is, a negative result from the CAC policy. This category includes rate, count, and bandwidth limits, and makes no distinction between them. In Cisco IOS XE Release 3.2S, the policy-rejection event is renamed as cac-policy-rejection.
– spam—Endpoints may send unwanted or spam calls (sometimes called Spam over Internet Telephony (SPIT)). Spam results from too many unexpected signaling messages. Examples of spam include receipt of a SIP response that does not match an earlier sent request, and receipt of excessive retransmissions of a SIP message.
– na-policy-rejection—This event is generated when there are repeated call rejections due to an invalid source number or destination number. This event is considered as a DoS attack.
There are two types of events that would cause blacklisting: low-level and high-level attacks.
An overwhelming volume of traffic sent at line rate to devices that perform a significant amount of processing per packet.
Attacks on any bottlenecks within the signaling plane or application layers.
Blacklist enablement is defined as 'When an 'E'vent (for example, authentication-failure) that is being monitored, occurs exceeding the 'N'umber of times configured (trigger-size <>) within the 'W'indow (trigger-period <>), then activate the dynamic access control list for a 'T'ime period (timeout <>).
Any given endpoint can have up to three blacklisted events being monitored at a given time on a per-port, per-address, and per-VPN basis. Within the address source type, there is the following order of precedence:
- Limits configured per specific IPv4 address
- Default limits of the parent VRF address space
- Default limits of the global address space (if different from the parent VRF)
- The hard-coded address limits.
The SBC packet filter (SPF) is a new component designed to defend against low-level attacks. The SPF resides with the Media Packet Forwarder (MPF) component on the network processing unit (NPU) and provides low-level DoS prevention for standalone data border element (DBE) and unified SBC deployment scenarios.
A new component is added to the signaling border element (SBE) to detect high-level attacks and create dynamic blacklists based on these attacks. The dynamic blacklist is configured using the command line interface (CLI). It receives events from other SBE components and generates alerts to start or stop the blacklisting of certain messages. Events that might form part of a high-level attack are detected by other SBE components and sent to the SBE Dynamic Blacklisting Component to collects statistics on their rate of occurrence.
Blacklist Alert Traps
From Cisco IOS Release XE 3.2S, the blacklist settings are configured to implement alert traps. Minor, major, and critical traps are set to be triggered at much lower thresholds values. Blacklist alert traps do not cause any loss of service and not only generate a log message when the threshold is exceeded, but also an SNMP trap, if configured. To enable SNMP SBC blacklist traps, use the snmp-server enable traps sbc blacklist command.
These traps can be monitored and modified to detect a DoS attack.
Overriding Dynamic Blacklisting Default Thresholds
Dynamic blacklisting is on by default. Default thresholds are set for Trigger Size, Trigger Period, and Blacklisting Period for each reason. A reason may be an Authentication Failure, Bad Address, Routing Failure, Endpoint Registration, Corrupt Message, Spam, Routing Policy Rejection, or Number Analysis Policy Rejection.
We highly recommend you configure blacklisting to override default thresholds for call setup and registration messages at the time the SBE is configured and before you start using Cisco Unified Border Element (SP Edition). Doing this will ensure that your planned call setup rate or registration message rate does not trigger spam blacklist that will impede traffic flow. It is important to configure the call setup or registration messages thresholds to be above the messages or registration messages per second rate for each SIP-based call in order for traffic to flow through properly. The default values for Trigger Size, Trigger Period, and Blacklisting Period are 40 events per second, or 4 events per 100 milliseconds. This means that traffic over 40 packets per second would trigger blacklisting.
For the following SIP-based call flow, this example describes how to calculate a suitable trigger size threshold for call setup messages per second:
There are 14 messages or packets for each SIP-based call. If you have a call setup rate of up to 20 calls per second (CPS), then 14 messages x 20 CPS = 280 messages per second. Therefore for a call setup rate of up to 20 CPS, you would configure a trigger size threshold of at least 280 messages per second.
In the following configuration example, you have raised the trigger size to 280 messages or packets per second:
Similar to calculating call set up messages per second, the following example describes how to calculate a suitable trigger size threshold for registration messages:
There is one message per registration per second for each SIP-based call. If you have 20 registrations per second, then 1 messages x 20 registrations = 20 messages per second. Therefore for a registration rate of up to 20 registrations per second, you would configure a trigger size threshold of at least 20 messages per second.
Although Dynamic Blacklisting is on by default, you can turn it off by setting the timeout for every reason to zero. However, note that when timeout is set to zero for any unit value, such as milliseconds or seconds, the unit value returned in a show run command displays as "day." You can use the show sbc sbe blacklist configured-limits command to display the default trigger-size, trigger-period and timeout and configured limits. See “Examples of Using the show Commands with Blacklisting” section for an example of this command.
Dynamic Blacklisting Behavior
The following is a description of dynamic blacklisting behavior:
- A global rate limit is applied to ensure that the overall load across all sources and destinations does not exceed the CPU capacity (the default limiter 8000 pps/1000 Mbps).
- The hard-coded initial settings for each event type on each IP address are configured by default to hold 4 events for 100 milliseconds. If the configured values are exceeded, the IP address is blacklisted for 10 minutes.
- If you have an explicitly configured limit for a single IP address or port, any trigger and blocking time values defined in that configuration will override the default. Table 12-1 displays where the parameters of the event limits at each scope for a given message can be configured. The limits are different if the message source is on a global address space or VPN.
- Media packets must match a valid entry in the flow table or they are dropped.
- Valid media packets must not exceed bandwidth limits established in call signaling. Non-conferment packets are dropped.
- Signaling packets are rate-limited by the source port in an attempt to halt forceful packet floods early (the default limiter is 1000 pps/100 mpbs).
- Signaling packets that are not destined to a valid local port are dropped.
- Signaling packets are rate-limited by destination port (the default limiter is 4000 pps/500 Mbps).
- Limits can be configured for specific events from the following source(s): a VPN ID, an IP address, or a port at a specific IP address.
- Default limits on event rates may be defined for all source IP addresses on a VPN, and for all ports on a given IP address. The default limits on each IP address are automatically set at the start of the day, but their parameters can be reconfigured. By default, no event limits are configured for ports.
Cisco Unified Border Element (SP Edition) monitors events per IP address by default. You can also configure Cisco Unified Border Element (SP Edition) to monitor an entire VPN or a particular port. If any limit in a VPN is then exceeded, the entire VPN is blacklisted. If a limit for a port is exceeded, the port and its IP address are blacklisted.
– Ports below 10,000 are signaling.
– Ports above 10,000 are media.
- When only a global address space blacklist is defined (no VRF specific blacklist), this will be used to blacklist addresses in all configured VRFs.
- VRF based blacklist limits will override any per source or address-default limits already set. You cannot use per IP address scope to override behavior in VRF space.
- Cisco Unified Border Element (SP Edition) generates an SNMP trap when a blacklist is activated.
How to Configure Dynamic Blacklisting
You can configure dynamic blacklisting as explained in the following sections:
Configuring Blacklist Parameters for an IP Address, Port, or VPN
To configure the event limits for a specific source, use the following commands.
Note You must configure blacklisting to override the default blacklisting thresholds when the SBE is configured, and before you start using Cisco Unified Border Element (SP Edition).
SUMMARY STEPS
9. critical-alert-size number-of-events
10. major-alert-size number-of-events
11. minor-alert-size number-of-events
14. show sbc service-name sbe blacklist configured-limits
15. show sbc service-name sbe blacklist source
16. show sbc service-name sbe blacklist current-blacklisting
DETAILED STEPS
Configuring an End to Blacklisting
Use the following command to remove the source from the blacklist:
Examples of Configuring, Removing, and Displaying Dynamic Blacklisting
This section provides a sample configuration and output for dynamic blacklisting, removing a source from being blacklisted, and also displaying configured limits.
Example of Configuring Dynamic Blacklisting
This blacklist is configured for global address space with one authentication failure from all possible address sources to be captured within a 100 milliseconds window. The ACL created (blacklist) should never timeout.
This blacklist is configured for global address space, five packets from unexpected source within a one minute window. The ACL is to time out in 24 hours.
Example of Removing a Source from the Blacklist
The following example shows the syntax for removing blacklist from Cisco Unified Border Element (SP Edition):
Example of Displaying All the Configured Limits
The following example shows the configured limits for various types of blacklisting:
Examples of Using the show Commands with Blacklisting
The following example shows the command required to list the limits that are currently in place for a specific source (in this example, VPN). This includes any defaults or explicitly configured limits. It also includes any defaults of a smaller scope that are configured at this address. Any values that are not explicitly configured are bracketed (these are the values that are inherited from other defaults).
The following example shows the command required to list the limits that are causing the source(s) to be blacklisted:
The following example shows the configured limits:
SBC Service "MySBC"
Note Watch out for the default configurations already in effect. Only the applied configurations are modified.
This example shows current blacklisting:
SBC Service "MySBC" SBE dynamic blacklist current members