Manual Chapter : Detecting and Preventing SIP DoS Attacks on a Protected Object

Applies To:

BIG-IP AFM

  • 14.1.2, 14.1.0
Overview: Detecting and preventing SIP DoS attacks on a protected object

Session Initiation Protocol (SIP) is a signaling protocol that is typically used to control communication sessions, such as voice and video calls over IP.

SIP DoS attack detection and prevention serves several functions:

  • To detect and report on SIP packets based on behavior characteristics of the sender or characteristics of the packets, without enforcing any rate limits.
  • To detect, report on, and rate limit SIP packets based on behavior characteristics that signify specific known attack vectors.
  • To identify Bad Actor IP addresses from which attacks appear to originate, by detecting packets per second from a source, and to apply rate limits to such IP addresses.
  • To blacklist Bad Actor IP addresses, with configurable detection times, blacklist durations, and blacklist categories, and allow such IP addresses to be advertised to edge routers to offload blacklisting.

You can use a SIP DoS protection profile to specify the percentage increase over the system baseline that indicates a possible attack is in progress on a particular SIP method, or an increase in anomalous packets. You can also rate limit packets of known vectors. For all SIP vectors except sip-malformed, the system can manage thresholds automatically or manually. You must set thresholds for malformed SIP packets manually.

You can specify an address list as a whitelist that the DoS checks allow. Whitelisted addresses are not subject to the checks configured in the protection profile.

To guard a protected object from SIP DoS attacks, you need to associate the protected object with a protection profile that includes SIP security.

Important: You must also create a SIP profile with SIP Firewall enabled, and attach it to the protected object being protected from SIP DoS attacks.

Task list

Detecting and preventing SIP DoS attacks with a protection profile

This task describes how to create a new DoS protection profile and configure settings to identify and rate limit possible SIP DoS attacks.
  1. On the Main tab, click Security > DoS Protection > Protection Profiles.
    The Protection Profiles list screen opens.
  2. Click Create.
    The New Protection Profile screen opens.
  3. In the Name field, type the name for the profile.
  4. For Threshold Sensitivity, select Low, Medium, or High.
    Low means the automatic threshold calculations are less sensitive to changes in traffic and CPU usage. A lower setting causes the system to adjust the thresholds more slowly over time, but also triggers fewer false positives. If traffic rates are consistent over time, set this to Medium or High, because even a small variation in generally consistent traffic could signal an attack. If traffic patterns vary, set this to Low to get fewer false positives.
  5. If you have created a whitelist on the system, from the Default Whitelist list, select the list.
    You can also click Manage Address Lists to jump to the Address Lists screen where you can create or edit address lists.
  6. To configure SIP security settings, for Families, select SIP.
  7. At the bottom of the screen, click SIP.
    The screen displays the SIP attack vectors.
  8. To change the threshold or rate increase for a particular SIP vector, in the Attack Type column, click the vector name.
    The vector Properties pane opens on the right.
  9. In the Properties pane, from the State list, choose the appropriate enforcement option.
    • Select Mitigate to enforce the configured DoS vector by examining packets, logging the results of the vector, learning patterns, alerting to trouble, and mitigating the attack (watch, learn, alert, and mitigate).
    • Select Detect Only to configure the vector, log the results of the vector without applying rate limits or other actions, and alert to trouble (watch, learn, and alert).
    • Select Learn Only to configure the vector and log the results of the vector, without applying rate limits or other actions (watch and learn).
    • Select Disabled to disable logging and enforcement of the DoS vector (no stat collection, no mitigation).
  10. For Threshold Mode, select whether to have the system determine thresholds for the vector (Fully Automatic), use partially automatic settings (Manual Detection/Auto Mitigation), or control the settings yourself (Fully Manual).
    The settings differ depending on the option you select. Here, we describe the settings for automatic threshold configuration. If you want to set thresholds manually, select one of the manual options and refer to online Help for details on the settings.
  11. To allow the DoS vector thresholds to be automatically adjusted, for Threshold Mode, select Fully Automatic (available only for DNS, Flood, SIP, some Fragmentation, and a few other vectors).
    Note: Automatic thresholding is not available for every DoS vector. In particular, for error packets that are broken by their nature, such as those listed under Bad Headers, you must configure them manually.
    1. In the Attack Floor EPS field, type the minimum number of events per second of the vector type to allow before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting defines the minimum packet rate allowed before automatic thresholds are calculated. Traffic below the floor is never treated as an attack.
    2. In the Attack Ceiling EPS field, specify the absolute maximum allowable rate for packets of this type before automatically calculated thresholds are determined.
      Because automatic thresholds take time to be reliably established, this setting rate limits packets to the specified events per second. To set no hard limit, set this to Infinite.
      Unless set to Infinite, if the packet rate exceeds the ceiling value, the system considers it to be an attack.
  12. To detect IP address sources from which possible attacks originate, enable Bad Actor Detection.
    Note: Bad Actor Detection is not available for every vector.
  13. To automatically blacklist bad actor IP addresses, select Add Source Address to Category.
    Important: For this to work, you need to assign an IP Intelligence policy to the appropriate context (device, virtual server, or route domain). For the device, assign a global policy: Security > Network Firewall > IP Intelligence > Policies. For the virtual server or route domain, assign the IP Intelligence policy on the Security tab.
  14. From the Category Name list, select the blacklist category to which to add blacklist entries generated by Bad Actor Detection.
  15. In the Sustained Attack Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  16. In the Category Duration Time field, specify the length of time in seconds that the address will remain on the blacklist. The default is 14400 seconds (4 hours).
  17. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow External Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher and Publisher Profile at Security > Options > External Redirection > Blacklist Publisher.
  18. To set the mitigation state for one or more attack types, select the check box next to the vector name or names, and from the Set State list at the bottom of the screen, select Mitigate, Detect Only, or Disable.
    The state you select is applied to all selected vectors.
  19. If desired, you can configure thresholds for multiple DDoS vectors at once.
    1. Select the check boxes next to the vector names.
    2. At the bottom of the screen, click Set Threshold Mode, and choose the threshold setting.
      Select Fully Automatic for the system to set the thresholds for the vectors that use auto-thresholding.
      Note: To work accurately, fully automatic thresholds require some amount of historical data on the system, gathered by observing normal traffic. Therefore, it is recommended that you not enforce auto thresholds directly after installation.
      Choose Manual Detection/Auto Mitigation to configure thresholds manually but have the system automatically mitigate system stress.
      Choose Manual to configure thresholds manually.
You have now configured a protection profile to provide custom responses to malformed SIP attacks and SIP flood attacks, and to allow such attacks to be identified in system logs and reports.
Now you need to associate the protection profile with a protected object to apply the settings in the profile to traffic on that protected object.
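The following Python model illustrates how the per-vector settings configured above (Attack Floor EPS, Attack Ceiling EPS, Bad Actor Detection, Sustained Attack Detection Time and Category Duration Time) interact over a constructed stream of SIP INVITE events. It is an added example, not BIG-IP AFM's own algorithm or code; the class, the bad-actor packets-per-second value, and the sample IP addresses are assumptions made for illustration.

```python
from collections import defaultdict

class SipDosVectorModel:
    """Illustrative model of one SIP DoS vector (here an INVITE flood) driven by the
    protection profile's settings. Hypothetical; it is not BIG-IP AFM's algorithm."""
    def __init__(self, floor_eps, ceiling_eps, bad_actor_pps,
                 sustained_detect_s=60, category_duration_s=14400):
        self.floor_eps = floor_eps            # Attack Floor EPS
        self.ceiling_eps = ceiling_eps        # Attack Ceiling EPS; None models "Infinite"
        self.bad_actor_pps = bad_actor_pps    # assumed per-source pps that marks a Bad Actor
        self.sustained_detect_s = sustained_detect_s    # Sustained Attack Detection Time
        self.category_duration_s = category_duration_s  # Category Duration Time
        self.bad_since = {}    # source -> first second it exceeded bad_actor_pps
        self.blacklist = {}    # source -> second at which its blacklist entry expires
    def evaluate_second(self, t, events):
        """events: (source_ip, method) pairs seen in second t -> (state, newly blacklisted)."""
        for s in [s for s, exp in self.blacklist.items() if exp <= t]:
            del self.blacklist[s]          # Category Duration Time has elapsed
        total = len(events)
        if total < self.floor_eps:
            state = "below-floor"          # never treated as an attack under the floor
        elif self.ceiling_eps is not None and total > self.ceiling_eps:
            state = "attack"               # ceiling exceeded: attack regardless of baseline
        else:
            state = "within-thresholds"    # left to the automatic/baseline thresholds
        per_source = defaultdict(int)
        for src, _method in events:
            per_source[src] += 1
        newly = []
        for src in set(per_source) | set(self.bad_since):
            if per_source.get(src, 0) <= self.bad_actor_pps:
                self.bad_since.pop(src, None)  # rate dropped: sustained timer restarts
                continue
            self.bad_since.setdefault(src, t)
            if t - self.bad_since[src] >= self.sustained_detect_s and src not in self.blacklist:
                self.blacklist[src] = t + self.category_duration_s
                newly.append(src)
        return state, newly

def run_demo():
    """Constructed traffic: two UAs at 5 INVITE/s; 203.0.113.5 sends 50/s from t=5, 120/s at t=40."""
    model = SipDosVectorModel(floor_eps=20, ceiling_eps=100, bad_actor_pps=30)
    states = []
    for t in range(70):
        events = [("198.51.100.10", "INVITE"), ("198.51.100.11", "INVITE")] * 5
        if t >= 5:
            events += [("203.0.113.5", "INVITE")] * (120 if t == 40 else 50)
        state, newly = model.evaluate_second(t, events)
        states.append((t, state, newly))
    return states, dict(model.blacklist)
```

With the default Sustained Attack Detection Time of 60 seconds, the flooding source is blacklisted at t=65 with an entry that expires 14400 seconds later; the 120/s burst at t=40 is the only second the vector itself reports as an attack, because the ceiling is set rather than Infinite.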

Associating a protection profile with a protected object

You must add the DoS protection profile to the protected object to provide enhanced protection from DoS attacks and track anomalous activity on the BIG-IP system.
  1. On the Main tab, click Security > DoS Protection > Protected Objects.
  2. Click the name of the protected object (virtual server) to which you want to assign a protection profile.
    The Properties pane opens on the right.
  3. In the Protection Settings area, from the Protection Profile list, select the name of the protection profile to assign.
    Note: Ensure a Service Profile is selected to enable the protected object to process application traffic.
  4. Click Save.
The DoS protection profile is associated with the protected object and DoS protection is now enabled.

Allowing addresses to bypass protection profile checks

You can specify whitelisted addresses that the protection profile does not subject to DoS checks. Whitelist entries are specified on a security address list that you can create.
  1. On the Main tab, click Security > DoS Protection > Protection Profiles.
    The Protection Profiles list screen opens.
  2. Click the name of the protection profile you want to modify.
  3. If you have created a whitelist on the system, from the Default Whitelist list, select the list.
    You can also click Manage Address Lists to jump to the Address Lists screen where you can create or edit address lists.

Creating a custom SIP DoS protection logging profile

Create a custom logging profile to log SIP DoS Protection events and send the log messages to a specific location.
  1. On the Main tab, click Security > Event Logs > Logging Profiles.
    The Logging Profiles list screen opens.
  2. Click Create.
    The Create New Logging Profile screen opens.
  3. In the Logging Profile Properties, select the DoS Protection check box.
    The DoS Protection tab opens.
  4. In the SIP DoS Protection area, from the Publisher list, select the publisher that the BIG-IP system uses to log SIP DoS events.
    You can specify publishers for other DoS types in the same profile, for example, for DNS or Application DoS Protection.
  5. Click Create.
Assign this SIP DoS Protection logging profile to a protected object.

Logging DoS events for a protected object

Ensure that at least one log publisher exists on the BIG-IP system.
Assign a custom logging profile to a protected object when you want the system to log DoS events for the traffic the protected object processes.
  1. On the Main tab, click Security > DoS Protection > Protected Objects.
  2. Click the name of the protected object for which you want to log DoS events.
    The Properties pane opens on the right.
  3. In the Network & General area, for Logging Profiles, move the logging profile to assign from the Available list into the Selected list.
    This assigns the logging profile to the protected object.
  4. Click Save.
The system logs DoS events for the protected object.
You can review DoS event logs at Security > Event Logs > DoS, where you select the type of DoS event log to view.