Manual Chapter: Detecting SIP DoS Attacks

About configuring the BIG-IP system to detect SIP DoS attacks

Session Initiation Protocol (SIP) is a signaling protocol that is typically used to control communication sessions such as voice and video calls over IP. On the BIG-IP system, SIP attack detection detects and automatically drops SIP packets that are malformed or contain errors. In addition, you can use a SIP denial-of-service (DoS) profile to log unusual increases in SIP request packets, including packets that are malformed, packets that contain errors, or packets of any other type that appear to rapidly increase.

You can use the SIP DoS Protection profile to configure the percentage increase over the system baseline that indicates a possible attack is in progress on a particular SIP request type, or an increase in anomalous packets. Later, you can use reporting or logging functions to detect such packets. This is a reporting and tracking function only.

Detecting SIP denial-of-service attacks with a DoS profile

In this task, you create the DoS Protection profile and configure SIP settings at the same time. However, you can configure SIP attack detection settings in a DoS profile that already exists.
The BIG-IP system handles SIP attacks that use malformed packets, protocol errors, and malicious attack vectors. Protocol error attack detection settings detect malformed and malicious packets, or packets that are employed to flood the system with several different types of responses. You can configure settings to identify SIP attacks with a DoS profile.
  1. On the Main tab, click Security > DoS Protection. The DoS Profiles list screen opens.
  2. Click Create. The Create New DoS Profile screen opens.
  3. In the Profile Name field, type the name for the profile.
  4. To configure SIP security settings, next to Protocol Security (SIP), select Enabled.
  5. To enable attack detection based on the rate of protocol errors, next to Protocol Errors Attack Detection, select Enabled.
  6. In the Rate threshold field, type the rate of packets with errors per second to detect as anomalous. This threshold sets an absolute limit above which an attack is registered. In addition, you can set individual thresholds for specific request types.
  7. In the Rate Increased by % field, type the rate of change in protocol errors to detect as anomalous. Detection compares the average rate over the last minute to the average rate over the last hour. For example, a setting of 500% would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
  8. To change the threshold or rate increase for a particular SIP request type, in the SIP Method Attack Detection area, select the Enabled check box for each request type that you want to change, then change the values for Threshold and Rate Increase in the associated fields. For example, to change the threshold for NOTIFY requests, select the Enabled check box next to notify, then set the threshold for packets per second and the rate increase percentage to be considered an attack. The Rate Increase compares the average rate over the last minute to the average rate over the last hour. For example, a setting of 500% would indicate an attack if the average rate for the previous hour was 100000 packets/second, and over the last minute the rate increased to 500000 packets/second.
    Note: SIP request detection allows you to configure the thresholds at which the firewall registers an attack. However, no packets are dropped if an attack is detected.
  9. Click Update to save your changes.
You have now configured a DoS Protection profile to provide custom responses to malformed SIP attacks and SIP flood attacks, and to allow such attacks to be identified in system logs and reports.
Associate the DoS Protection profile with a virtual server to apply the settings in the profile to traffic on that virtual server. When a SIP attack on a specific query type is detected, you can be alerted with various system monitors.
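The following sketch models how the two settings from steps 6 through 8 interact, so you can sanity-check candidate values against your own traffic counts before entering them. It is an added example, not BIG-IP code: the names SipRateDetector and first_detection are hypothetical, and it assumes the absolute threshold is checked against the current one-second count and that the hourly baseline is the hour preceding the last minute, which is the reading that reproduces the 500% example above.

```python
from collections import deque


class SipRateDetector:
    """One detector per counter: protocol errors, or a single SIP method."""

    def __init__(self, rate_threshold, rate_increase_pct):
        self.rate_threshold = rate_threshold        # packets/second, absolute limit
        self.rate_increase_pct = rate_increase_pct  # 500 means "500%"
        self.samples = deque(maxlen=3660)           # 1 hour of baseline + 1 minute

    def observe(self, packets_this_second):
        """Record one per-second count; return the conditions it tripped."""
        self.samples.append(packets_this_second)
        history = list(self.samples)
        minute, baseline = history[-60:], history[:-60]
        tripped = []
        # Assumption: the absolute threshold applies to the current second.
        if packets_this_second > self.rate_threshold:
            tripped.append("rate_threshold")
        # Assumption: the baseline is the hour before the last minute.
        # Integer cross-multiplication compares the two averages without floats:
        #   avg(minute) * 100 >= avg(baseline) * pct
        if len(minute) == 60 and baseline and sum(baseline) > 0:
            lhs = sum(minute) * 100 * len(baseline)
            rhs = sum(baseline) * self.rate_increase_pct * 60
            if lhs >= rhs:
                tripped.append("rate_increase")
        return tripped


def first_detection(detector, counts):
    """Return (sample index, conditions) for the first registered attack."""
    for i, count in enumerate(counts):
        tripped = detector.observe(count)
        if tripped:
            return i, tripped
    return None


# Constructed data matching the example in the steps above: an hour at
# 100000 packets/second, then a jump to 500000 packets/second.
PAGE_EXAMPLE = [100000] * 3600 + [500000] * 120

if __name__ == "__main__":
    notify = SipRateDetector(rate_threshold=1_000_000, rate_increase_pct=500)
    print(first_detection(notify, PAGE_EXAMPLE))
```

Under these assumptions a 500% setting registers the jump only once the whole last-minute window is at the new rate, while a lower percentage registers it earlier in the minute.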

Associating a DoS profile with a virtual server

You must first create a DoS profile separately, to configure denial-of-service protection for applications, the DNS protocol, or the SIP protocol.
You add denial-of-service protection to a virtual server to provide enhanced protection from DoS attacks, and track anomalous activity on the BIG-IP system.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.
  4. From the Security menu, choose Policies.
  5. To enable denial-of-service protection, from the DoS Protection Profile list, select Enabled, and then, from the Profile list, select the DoS profile to associate with the virtual server.
  6. Click Update to save the changes.
DoS protection is now enabled, and the DoS Protection profile is associated with the virtual server.