Manual Chapter : Detecting and preventing SIP DoS Attacks on a Virtual Server

Applies To:

BIG-IP AFM

  • 13.0.1, 13.0.0

About detecting and preventing SIP DoS attacks on a virtual server

Session Initiation Protocol (SIP) is a signaling protocol that is typically used to control communication sessions, such as voice and video calls over IP.

SIP DoS attack detection and prevention serves several functions:

  • To detect and report on SIP packets based on behavior characteristics of the sender or characteristics of the packets, without enforcing any rate limits.
  • To detect, report on, and rate limit SIP packets based on behavior characteristics that signify specific known attack vectors.
  • To identify Bad Actor IP addresses from which attacks appear to originate, by detecting packets per second from a source, and to apply rate limits to such IP addresses.
  • To blacklist Bad Actor IP addresses, with configurable detection times, blacklist durations, and blacklist categories, and allow such IP addresses to be advertised to edge routers to offload blacklisting.

You can use the SIP DoS Protection profile to configure the percentage increase over the system baseline that indicates a possible attack in progress on a particular SIP method, or an increase in anomalous packets. You can also rate limit packets of known vectors. You can configure settings manually, and for many vectors you can allow AFM to manage thresholds automatically.

You can specify an address list as a whitelist, that the DoS checks allow. Whitelisted addresses are passed by the DoS profile, without being subject to the checks in the DoS profile.

Per-virtual server DoS protection requires that your virtual server includes a DoS profile that includes SIP security.

Important: To use SIP DoS protection, you must create a SIP profile, and attach it to the virtual server to which the SIP DoS feature is applied.

Task list

Detecting and protecting a virtual server against SIP DoS attacks with a DoS profile

This task helps you create the DoS profile and configure SIP settings at the same time. However, you can configure SIP attack detection settings in a DoS profile that already exists. The BIG-IP® system handles SIP attacks that use malformed packets, protocol errors, and malicious attack vectors. Protocol error attack detection settings detect malformed and malicious packets, or packets that are employed to flood the system with several different types of responses. You can configure settings to identify SIP attacks with a DoS profile.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles .
    The DoS Profiles list screen opens.
  2. Click Create.
    The New DoS Profile screen opens.
  3. In the Name field, type the name for the profile.
  4. Select the Threshold Sensitivity.
    Select Low, Medium, or High. A lower setting makes the automatic threshold algorithm less sensitive to changes in traffic and CPU usage, so it detects an attack later, but it also triggers fewer false positives.
  5. In the Default Whitelist field, begin typing the name of the address list to use as the whitelist, and select the address list when the name appears.
  6. To configure SIP security settings, click Protocol Security, and choose SIP Security.
  7. To change the threshold or rate increase for a particular SIP vector, in the Attack Type column, click the vector name.
  8. Next to the DoS vector name, choose the enforcement option.
    • Select Enforce to enforce the DoS vector with the settings you configure or with automatic settings.
    • Select Don't Enforce to configure the vector and log the results of the vector you configure or the automatic settings, without applying rate limits or other actions.
    • Select Disable to disable logging and enforcement of the DoS vector.
  9. To allow the DoS vector thresholds to be automatically adjusted, select Auto-Threshold Configuration.
  10. If you use the Auto-Threshold Configuration, in the Attack Floor PPS field, specify the number of packets per second of the vector type to allow at a minimum, before automatically calculated thresholds are determined.

    Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.

  11. If you use the Auto-Threshold Configuration, in the Attack Ceiling PPS field, specify the absolute maximum allowable for packets of this type before automatically calculated thresholds are determined.
    Because automatic thresholds take time to be reliably established, this setting rate limits packets to the packets per second setting, when specified. To set no hard limit, set this to Infinite.
  12. From the Detection Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  13. From the Detection Threshold Percent list, select Specify or Infinite.
    • Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
  14. From the Rate Limit Threshold PPS list, select Specify or Infinite.
    • Use Specify to set a value (in packets per second) that packets of this type cannot exceed. All packets of this type over the threshold are dropped. Rate limiting continues until the rate no longer exceeds the threshold.
    • Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
  15. Select Simulate Auto Threshold to log the results of the current automatic thresholds, when enforcing manual thresholds.
  16. In the Per Source IP Detection (PPS) field, specify the number of packets of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
  17. In the Per Source IP Rate Limit (PPS) field, specify the number of packets of this type per second from one IP address, above which rate limiting or leak limiting occurs.
  18. Select the Blacklist Address check box to enable automatic blacklisting.
  19. From the Blacklist Category list, select a black list category to apply to automatically blacklisted addresses.
  20. In the Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
  21. In the Duration field, specify the amount of time in seconds that the address will remain on the blacklist. The default is 14400 (4 hours).
  22. To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow Advertisement.
    Note: To advertise to edge routers, you must configure a Blacklist Publisher at Security > Options > External Redirection > Blacklisting for the blacklist category.
  23. Click Update to save your changes. The changes to the vector appear on the vector screen.
You have now configured a DoS Protection profile to provide custom responses to malformed SIP attacks and SIP flood attacks, and to allow such attacks to be identified in system logs and reports.
Now you need to associate the DoS Protection profile with a virtual server to apply the settings in the profile to traffic on that virtual server. When a SIP attack on a specific SIP method is detected, you can be alerted with various system monitors.
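The settings in steps 8 through 22 interact: detection thresholds only log and report, rate limits drop, per-source thresholds single out a Bad Actor, and Detection Time and Duration govern when that source is blacklisted and for how long. The following Python model is added here to make those interactions concrete; it is not BIG-IP AFM code and not part of the F5 documentation. The field names follow the vector screen, but the per-second counting model, the treatment of a blacklisted source as fully dropped, the `baseline_pps` value standing in for the system baseline, the addresses and the traffic are all constructed assumptions for the example (Detection Time is shortened to 2 seconds so the blacklist is reached within the sample).

```python
"""Model of one SIP DoS vector's settings applied second by second.

Added illustration only (not BIG-IP AFM code). Assumptions: packets are
counted per whole second, a blacklisted source has all of its packets dropped,
and `baseline_pps` is given rather than learned.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

INFINITE = None  # the "Infinite" choice on the vector screen: threshold not applied


@dataclass
class SipVector:
    """One SIP DoS vector as configured on the DoS profile screen."""
    name: str
    enforce: bool = True                              # Enforce vs. Don't Enforce
    detection_pps: Optional[int] = INFINITE           # Detection Threshold PPS
    detection_percent: Optional[int] = INFINITE       # Detection Threshold Percent
    rate_limit_pps: Optional[int] = INFINITE          # Rate Limit Threshold PPS
    per_src_detection_pps: Optional[int] = INFINITE   # Per Source IP Detection (PPS)
    per_src_rate_limit_pps: Optional[int] = INFINITE  # Per Source IP Rate Limit (PPS)
    blacklist: bool = False                           # Blacklist Address check box
    detection_time: int = 60                          # Detection Time (seconds)
    duration: int = 14400                             # Duration (seconds, default 4 hours)


@dataclass
class Verdict:
    second: int
    attack: bool          # logged and reported as an attack during this second
    dropped: int          # packets dropped this second (always 0 under Don't Enforce)
    bad_actors: Set[str]  # sources over Per Source IP Detection this second
    blacklisted: Set[str]  # sources currently on the blacklist


def exceeds(count: int, threshold: Optional[int]) -> bool:
    """INFINITE never triggers; a numeric threshold triggers when crossed."""
    return threshold is not None and count > threshold


def evaluate(vector: SipVector, traffic: List[List[str]], baseline_pps: int) -> List[Verdict]:
    """Apply `vector` to `traffic`, a list of per-second lists of source IPs
    (one entry per packet of this vector type)."""
    verdicts: List[Verdict] = []
    bad_since: Dict[str, int] = {}        # src -> first consecutive second seen as a bad actor
    blacklist_until: Dict[str, int] = {}  # src -> second at which its blacklist entry expires
    for second, sources in enumerate(traffic):
        # expire blacklist entries whose Duration has elapsed
        blacklist_until = {s: t for s, t in blacklist_until.items() if t > second}
        counts = Counter(sources)
        total = len(sources)

        # detection: absolute PPS threshold, or percent increase over the baseline
        attack = exceeds(total, vector.detection_pps) or (
            vector.detection_percent is not None
            and total > baseline_pps * (1 + vector.detection_percent / 100))

        # per-source detection identifies Bad Actors; a source that calms down starts over
        bad_actors = {s for s, n in counts.items() if exceeds(n, vector.per_src_detection_pps)}
        for s in list(bad_since):
            if s not in bad_actors:
                del bad_since[s]
        for s in bad_actors:
            bad_since.setdefault(s, second)
            if vector.blacklist and second - bad_since[s] + 1 >= vector.detection_time:
                blacklist_until[s] = second + vector.duration

        # enforcement: blacklist, then per-source rate limit, then aggregate rate limit
        dropped = 0
        if vector.enforce:
            passed_total = 0
            for s, n in counts.items():
                if s in blacklist_until:
                    dropped += n  # model assumption: blacklisted source is dropped entirely
                    continue
                keep = vector.per_src_rate_limit_pps if exceeds(n, vector.per_src_rate_limit_pps) else n
                dropped += n - keep
                passed_total += keep
            if exceeds(passed_total, vector.rate_limit_pps):
                dropped += passed_total - vector.rate_limit_pps
        verdicts.append(Verdict(second, attack, dropped, bad_actors, set(blacklist_until)))
    return verdicts


def sample_traffic() -> List[List[str]]:
    """Constructed traffic: two quiet seconds of one packet each from 50 phones
    (192.0.2.0/24, documentation range), then three seconds in which the
    hypothetical address 10.0.0.9 adds 400 packets per second."""
    phones = [f"192.0.2.{i}" for i in range(1, 51)]
    quiet = [list(phones) for _ in range(2)]
    flood = [list(phones) + ["10.0.0.9"] * 400 for _ in range(3)]
    return quiet + flood


# Hypothetical vector settings: percent detection, aggregate and per-source limits,
# blacklisting after 2 consecutive seconds as a bad actor.
INVITE_FLOOD = SipVector(
    name="INVITE method", detection_percent=100, rate_limit_pps=200,
    per_src_detection_pps=100, per_src_rate_limit_pps=150,
    blacklist=True, detection_time=2, duration=14400)

if __name__ == "__main__":
    for v in evaluate(INVITE_FLOOD, sample_traffic(), baseline_pps=50):
        print(v)
```

Run as written, seconds 0 and 1 pass untouched; second 2 is logged as an attack (450 pps against a 50 pps baseline), 10.0.0.9 becomes a Bad Actor and loses 250 packets to the per-source limit; from second 3 the source is blacklisted and every packet it sends is dropped while the 50 phones are untouched. Setting `enforce=False` keeps the attack and Bad Actor reports but drops nothing, which is the Don't Enforce mode described in step 8.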

Creating a SIP profile for SIP DoS protection

  1. On the Main tab, click Local Traffic > Profiles > Services > SIP .
    The SIP profile list screen opens.
  2. Click Create.
    The New SIP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Next to Settings, select the Custom check box.
  5. Select the SIP Firewall check box.
    This setting enables the SIP profile to use SIP DoS features.
  6. Next to Log Settings, select the Custom check box.
  7. From the Log Publisher list, select a destination to which the BIG-IP system sends log entries.
    This publisher receives the log entries that the SIP profile itself generates. Publishers for SIP DoS events are selected separately, in the SIP DoS Protection area of a DoS Protection Logging profile.
  8. In the Log Settings area, from the Logging Profile list, select a custom Logging profile.
  9. Modify all other settings, as required.
  10. Click Update.
A SIP profile is now configured for SIP DoS firewall features.
Assign this SIP profile to a virtual server, along with a DoS profile that includes SIP security, to provide SIP protocol DoS protection on a virtual server.

Assigning a SIP profile to a virtual server

  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the Configuration list, select Advanced.
  4. From the SIP Profile list, select the name of the SIP profile that you previously created.
  5. Click Update.
The virtual server now uses the SIP settings from the SIP profile.

Associating a DoS profile with a virtual server

You must first create a DoS profile separately, to configure denial-of-service protection for applications, the DNS protocol, or the SIP protocol. For application-level DoS protection, the virtual server requires an HTTP profile (such as the default http).
You add denial-of-service protection to a virtual server to provide enhanced protection from DoS attacks, and track anomalous activity on the BIG-IP® system.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
  4. On the menu bar, from the Security menu, choose Policies.
  5. To enable denial-of-service protection, from the DoS Protection Profile list, select Enabled, and then, from the Profile list, select the DoS profile to associate with the virtual server.
  6. Click Update to save the changes.
DoS protection is now enabled, and the DoS Protection profile is associated with the virtual server.

Allowing addresses to bypass DoS profile checks

You can specify whitelisted addresses that the DoS Profile does not subject to DoS checks. Whitelist entries are specified on a security address list, and can be configured directly on the DoS Profile screen.
  1. On the Main tab, click Security > DoS Protection > DoS Profiles .
    The DoS Profiles list screen opens.
  2. Click the profile name you configured to open the DoS Profile settings screen.
  3. In the Default Whitelist field, begin typing the name of the address list to use as the whitelist, and select the address list when the name appears.
  4. In the Whitelist Address List field, begin typing the name of the address list to use as the whitelist, and select the address list when the name appears.
  5. To define an address list to use as a whitelist, on the right side of the screen under Shared Objects, click the + under Address Lists.
    The Address List Properties pane opens at the bottom right of the screen.
  6. Type a Name for the address list.
  7. Optionally, type a Description for the address list.
  8. In the Contents field, type an address, and click Add.
    You can type an IP address, a geographic location, or the name of another address list. Begin typing, and select the object when the name appears.
  9. Click Update to update the address list.
    If this is a new address list, type and select the address list name in the Default Whitelist field.
  10. Click Update to update the DoS Profile.
You have now configured a whitelist to bypass DoS checks for a DoS profile.

Creating a custom SIP DoS Protection Logging profile

Create a custom Logging profile to log SIP DoS Protection events and send the log messages to a specific location.
  1. On the Main tab, click Security > Event Logs > Logging Profiles .
    The Logging Profiles list screen opens.
  2. Click Create.
    The New Logging Profile screen opens.
  3. Select the DoS Protection check box.
  4. In the SIP DoS Protection area, from the Publisher list, select the publisher that the BIG-IP system uses to log SIP DoS events.
    You can specify publishers for other DoS types in the same profile, for example, for DNS or Application DoS Protection.
  5. Click Finished.
Assign this custom SIP DoS Protection Logging profile to a virtual server.

Configuring an LTM virtual server for DoS Protection event logging

Ensure that at least one Log Publisher exists on the BIG-IP® system.
Assign a custom DoS Protection Logging profile to a virtual server when you want the BIG-IP system to log DoS Protection events on the traffic the virtual server processes.
Note: This task applies only to LTM®-provisioned systems.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, click Security > Policies .
    The screen displays network firewall security settings.
  4. From the Log Profile list, select Enabled. Then, for the Profile setting, move the profiles that log specific events to specific locations from the Available list to the Selected list.
  5. Click Update to save the changes.