Session Initiation Protocol (SIP) is a signaling protocol that is typically used to control communication sessions, such as voice and video calls over IP.
SIP DoS attack detection and prevention serves several functions:
- To detect and report on SIP packets based on behavior characteristics of the sender or characteristics of the packets, without enforcing any rate limits.
- To detect, report on, and rate limit SIP packets based on behavior characteristics that signify specific known attack
- To identify Bad Actor IP addresses from which attacks appear to originate, by detecting packets per second from a source, and to apply rate limits to such IP addresses.
- To blacklist Bad Actor IP addresses, with configurable detection times, blacklist durations, and blacklist categories, and allow such IP addresses to be advertised to edge routers to offload blacklisting.
You can use a SIP DoS protection profile to specify the percentage increase over the system baseline that indicates a possible attack is in progress on a particular SIP method, or an increase in anomalous packets. You can also rate limit packets of known vectors. For all SIP vectors except sip-malformed, the system can manage thresholds automatically or manually. You can manually set thresholds for malformed SIP packets.
You can specify an address list as a whitelist that the DoS checks allow. Whitelisted addresses are not subject to the checks configured in the protection profile.
To guard a protected object from SIP DoS attacks, you need to associate the protected object with a protection profile that includes SIP security.
Important: You must also create a SIP profile with SIP Firewall enabled, and attach it to the protected object being protected from SIP DoS attacks.
Preventing SIP DoS attacks with a protection profile
This task describes how to create a new DoS protection profile and configure SIP settings to identify SIP attacks at the same time. However, you can also add SIP attack detection settings to an existing protection profile. The BIG-IP system handles SIP attacks that include malformed packets, protocol errors, and malicious attack vectors. Protocol error attack detection recognizes malformed and malicious packets, or packets that are employed to flood the system with several different types of responses.
On the Main tab, click
The Protection Profiles list
The New Protection Profile
In the Name field, type the name for
For Threshold Sensitivity, select Low, Medium, or High.
Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage. A lower setting causes the system to adjust the thresholds more slowly over time, but will also trigger fewer false positives. If traffic rates are consistent over time, set this to Medium or High because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false
If you have created a whitelist on the system, from the Default Whitelist list, select the list.
You can also click Manage Address Lists to jump to the Address Lists screen where you can create or edit address lists.
To configure SIP security settings, for Families, select SIP.
At the bottom of the screen, click SIP.
The screen displays the SIP attack
To change the threshold or rate increase for a particular SIP vector, in the Attack Type column, click the vector name.
The vector Properties pane opens on the right.
In the Properties pane, from the State list, choose the appropriate enforcement option.
- Select Mitigate to enforce the configured DoS vector by examining packets, logging the results of the vector, learning patterns, alerting to trouble, and mitigating the attack (watch, learn, alert, and mitigate).
- Select Detect Only to configure the vector, log the results of the vector without applying rate limits or other actions, and alert to trouble (watch, learn, and alert).
- Select Learn Only to configure the vector and log the results of the vector, without applying rate limits or other actions (watch and learn).
- Select Disabled to disable logging and enforcement of the DoS vector (no stat collection, no
For Threshold Mode, select whether to have the system determine thresholds for the vector (Fully Automatic), use partially automatic settings (Manual Detection/Auto Mitigation), or control the settings yourself (Fully Manual).
The settings differ depending on the option you select. Here, we describe the settings for automatic threshold configuration. If you want to set thresholds manually, select one of the manual options and refer to online Help for details on the settings.
To allow the DoS vector thresholds to be automatically adjusted, for Threshold Mode, select Fully Automatic (available only for DNS, Flood, SIP, some Fragmentation, and a few other vectors).
Note: Automatic thresholding is not available for every DoS vector. In particular, for error packets that are broken by their nature, such as those listed under Bad Headers, you must configure them manually.
In the Attack Floor EPS field, type the number of events per second of the vector type to allow at a minimum, before automatically calculated thresholds are
Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.
In the Attack Ceiling EPS field, specify the absolute maximum allowable for packets of this type before automatically calculated thresholds are determined.
Because automatic thresholds take time to be reliably established, this setting rate limits packets to the events per second setting, when specified. To set no hard limit, set this to Infinite.
Unless set to Infinite, if the maximum number of packets exceeds the ceiling value, the system considers it to be an attack.
To detect IP address sources from which possible attacks originate, enable Bad
Note: Bad Actor Detection is not available for every
To automatically blacklist bad actor IP addresses, select Add Source Address to
Important: For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy: . For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
From the Category Name list, select the blacklist category to which to add blacklist entries generated by Bad Actor Detection.
In the Sustained Attack Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
In the Category Duration Time field, specify the length of time in seconds that the address will remain on the blacklist. The default is 14400 seconds (4 hours).
To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select
Note: To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at .
To set the mitigation state for one or more attack types, select the check box next to the vector name or names, and from the Set State list at the bottom of the screen, select Mitigate, Detect Only, or Disable.
The state you click is set for all selected vectors.
If desired, you can configure thresholds for multiple DDoS vectors at once.
Select the check boxes next to the vector
At the bottom of the screen, click
Mode, and choose the threshold setting.
Select Fully-automatic for the system to set the thresholds for the vectors that use
Note: To work accurately, using fully-automatic thresholds requires some amount of historical data on the system gathered through observing normal traffic. Therefore, it is recommended that you not enforce auto thresholds directly after
Choose Manual Detection/Auto Mitigation to configure thresholds manually but have the system automatically mitigate system stress.
Choose Manual to configure
You have now configured a protection profile to provide custom responses to malformed SIP attacks and SIP flood attacks, and to allow such attacks to be identified in system logs and reports.
Now you need to associate the protection profile with a protected object to apply the settings in the profile to traffic on that protected object. When a SIP attack on a specific query type is detected, you can be alerted with various system monitors.
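The interaction of Attack Floor EPS, Attack Ceiling EPS, Sustained Attack Detection Time and Category Duration Time from the steps above can be traced in a small Python model; this is an added example, not F5 code and not BIG-IP's actual algorithm. Assumptions: the learned threshold is clamped between floor and ceiling, the same threshold is applied per source, and `SipVectorModel`, `replay`, the sample address and the rates are hypothetical.

```python
from dataclasses import dataclass, field

INFINITE = float("inf")  # stands in for the "Infinite" ceiling setting

@dataclass
class SipVectorModel:
    """Hypothetical, simplified model of one SIP vector (not BIG-IP's algorithm)."""
    floor_eps: float                    # Attack Floor EPS
    ceiling_eps: float = INFINITE       # Attack Ceiling EPS
    sustained_secs: int = 60            # Sustained Attack Detection Time (page default)
    duration_secs: int = 14400          # Category Duration Time (page default)
    over_since: dict = field(default_factory=dict)  # source -> first second over threshold
    blacklist: dict = field(default_factory=dict)   # source -> second the entry expires

    def threshold(self, learned_eps):
        # Assumption: the automatically learned value is clamped to [floor, ceiling].
        return min(max(learned_eps, self.floor_eps), self.ceiling_eps)

    def observe(self, now, src, eps, learned_eps):
        """Classify one per-second sample as 'ok', 'attack' or 'blacklisted'."""
        if self.blacklist.get(src, -1) > now:
            return "blacklisted"
        self.blacklist.pop(src, None)             # entry has expired, if there was one
        if eps <= self.threshold(learned_eps):
            self.over_since.pop(src, None)        # not sustained: restart the clock
            return "ok"
        start = self.over_since.setdefault(src, now)
        if now - start >= self.sustained_secs:
            self.blacklist[src] = now + self.duration_secs
            del self.over_since[src]
            return "blacklisted"
        return "attack"

def replay(model, samples, learned_eps):
    """Run (second, source, events_per_second) samples; return the state of each."""
    return [model.observe(t, src, eps, learned_eps) for t, src, eps in samples]

def constructed_samples(src="198.51.100.7"):
    """Constructed input: a 900 EPS flood for 62 s, then quiet probes 4 hours later."""
    flood = [(t, src, 900) for t in range(62)]
    return flood + [(14459, src, 50), (14460, src, 50)]

if __name__ == "__main__":
    model = SipVectorModel(floor_eps=100, ceiling_eps=1000)
    states = replay(model, constructed_samples(), learned_eps=500)
    for t in (0, 59, 60, 61):
        print(f"t={t:>2}s -> {states[t]}")
    print("t=14459s ->", states[62], "| t=14460s ->", states[63])
```

With the defaults, the source is only rate-flagged for the first 60 seconds, is blacklisted at second 60, and is released 14400 seconds after that.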
Associating a protection profile with a protected object
You must first create a DoS protection profile separately, to configure denial-of-service protection for applications, the DNS protocol, or the SIP protocol. For application-level DoS protection, the protected object requires an HTTP profile (such as the default http).
You add denial-of-service protection to a protected object to provide enhanced protection from DoS attacks, and track anomalous activity on the
On the Main tab, click
Click the name of the protected object to which you want to assign a protection
The Properties pane opens on the right.
In the Protection Settings area, from the Protection Profile list, select the name of the protection profile to assign.
This associates the protection profile with the protected object.
DoS protection is now enabled, and the DoS protection profile is associated with the protected object.