Session Initiation Protocol (SIP) is a signaling protocol that is typically used
to control communication sessions, such as voice and video calls over IP.
SIP DoS attack detection and prevention serves several functions:
- To detect and report on SIP packets based on behavior characteristics of the sender or characteristics of the packets, without enforcing any rate limits.
- To detect, report on, and rate limit SIP packets based on behavior characteristics that signify specific known attack vectors.
- To identify Bad Actor IP addresses from which attacks appear to originate, by detecting packets per second from a source, and to apply rate limits to such IP addresses.
- To blacklist Bad Actor IP addresses, with configurable detection times, blacklist durations, and blacklist categories, and allow such IP addresses to be advertised to edge routers to offload blacklisting.
You can use the SIP DoS Protection profile to configure the percentage increase over the system baseline that indicates a possible attack is in progress on a particular SIP method, or an increase in anomalous packets. You can also rate limit packets of known vectors. You can configure settings manually, and for many vectors you can allow AFM to manage thresholds automatically.
You can specify an address list as a whitelist that the DoS checks allow. Whitelisted addresses are passed by the DoS profile without being subject to the checks in the DoS profile.
Per-virtual server DoS protection requires that your virtual server includes a DoS profile that
includes SIP security.
Important: To use SIP DoS protection,
you must create a SIP profile, and attach it to the virtual server to which the SIP DoS feature
is applied.
Task list
Detecting and protecting a virtual server against SIP DoS attacks with a DoS profile
This task helps you create the DoS profile and configure SIP settings at the same time. However, you can also configure SIP attack detection settings in a DoS profile that already exists. The BIG-IP® system handles SIP attacks that use malformed packets, protocol errors, and malicious attack vectors. Protocol error attack detection settings detect malformed and malicious packets, or packets that are employed to flood the system with several different types of responses. You can configure settings to identify SIP attacks with a DoS profile.
- On the Main tab, click .
  The DoS Profiles list screen opens.
- Click Create.
  The New DoS Profile screen opens.
- In the Name field, type the name for the profile.
- Select the Threshold Sensitivity.
  Select Low, Medium, or High. A lower setting means the automatic threshold algorithm is less sensitive to changes in traffic and CPU usage, but will also trigger fewer false positives.
- In the Default Whitelist field, begin typing the name of the address list to use as the whitelist, and select the address list when the name appears.
- To configure SIP security settings, click Protocol Security, and choose SIP Security.
- To change the threshold or rate increase for a particular SIP vector, in the Attack Type column, click the vector name.
- Next to the DoS vector name, choose the enforcement option.
  - Select Enforce to enforce the DoS vector with the settings you configure or with automatic settings.
  - Select Don't Enforce to configure the vector and log the results of the vector you configure or the automatic settings, without applying rate limits or other actions.
  - Select Disable to disable logging and enforcement of the DoS vector.
- To allow the DoS vector thresholds to be automatically adjusted, select Auto-Threshold Configuration.
- If you use the Auto-Threshold Configuration, in the Attack Floor PPS field, specify the number of packets per second of the vector type to allow at a minimum, before automatically calculated thresholds are determined.
  Because automatic thresholds take time to be reliably established, this setting defines the minimum packets allowed before automatic thresholds are calculated.
- If you use the Auto-Threshold Configuration, in the Attack Ceiling PPS field, specify the absolute maximum allowable for packets of this type before automatically calculated thresholds are determined.
  Because automatic thresholds take time to be reliably established, this setting rate limits packets to the packets per second setting, when specified. To set no hard limit, set this to Infinite.
- From the Detection Threshold PPS list, select Specify or Infinite.
  - Use Specify to set a value (in packets per second) for the attack detection threshold. If packets of the specified types cross the threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
  - Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
- From the Detection Threshold Percent list, select Specify or Infinite.
  - Use Specify to set a value (in percentage of traffic) for the attack detection threshold. If packets of the specified types cross the percentage threshold, an attack is logged and reported. The system continues to check every second, and registers an attack for the duration that the threshold is exceeded.
  - Use Infinite to set no value for the threshold. This specifies that this type of attack is not logged or reported based on this threshold.
- From the Rate Limit Threshold PPS list, select Specify or Infinite.
  - Use Specify to set a value (in packets per second) that cannot be exceeded by packets of this type. All packets of this type over the threshold are dropped. Rate limiting continues until the rate no longer exceeds the threshold.
  - Use Infinite to set no value for the threshold. This specifies that this type of attack is not rate-limited.
- Select Simulate Auto Threshold to log the results of the current automatic thresholds, when enforcing manual thresholds.
- In the Per Source IP Detection (PPS) field, specify the number of packets of this type per second from one IP address that identifies the IP source as a bad actor, for purposes of attack detection and logging.
- In the Per Source IP Rate Limit (PPS) field, specify the number of packets of this type per second from one IP address, above which rate limiting or leak limiting occurs.
- Select the Blacklist Address check box to enable automatic blacklisting.
- From the Blacklist Category list, select a blacklist category to apply to automatically blacklisted addresses.
- In the Detection Time field, specify the duration in seconds after which the attacking endpoint is blacklisted. By default, the configuration adds an IP address to the blacklist after one minute (60 seconds).
- In the Duration field, specify the amount of time in seconds that the address will remain on the blacklist. The default is 14400 (4 hours).
- To allow IP source blacklist entries to be advertised to edge routers so they will null route their traffic, select Allow Advertisement.
Note: To advertise to
edge routers, you must configure a Blacklist Publisher at for the blacklist category.
- Click Update to save your changes. The changes to the vector appear on the vector screen.
You have now configured a DoS
Protection profile to provide custom responses to malformed SIP attacks, and SIP flood
attacks, and to allow such attacks to be identified in system logs and reports.
Now you need to associate the DoS
Protection profile with a virtual server to apply the settings in the profile to traffic
on that virtual server. When a SIP attack on a specific query type is detected, you can
be alerted with various system monitors.
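The steps above describe several per-second thresholds that interact: the vector-wide Detection Threshold (PPS and Percent over baseline), the vector-wide Rate Limit Threshold, the Per Source IP Detection and Rate Limit values, and the blacklist Detection Time and Duration. The following added example is a small Python model of those semantics, written for this page; it is not BIG-IP or AFM code, and the class names, the constant baseline standing in for the learned system baseline, the rule that a source's detection time restarts once it drops below the per-source detection value, and all addresses and packet counts are constructed assumptions. It is meant to make the difference between detect-and-log and enforce visible on sample traffic before you tune real thresholds.

```python
"""Toy model of the SIP DoS vector settings described above.

Added example, not BIG-IP/AFM code. It evaluates one vector once per
second and shows how Detection Threshold (PPS / Percent), Rate Limit
Threshold, Per Source IP Detection / Rate Limit, and Blacklist Detection
Time / Duration interact. All traffic and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

INFINITE = None  # models the "Infinite" choice: no threshold applied


@dataclass
class SipVector:
    """One SIP DoS vector's settings (names mirror the profile fields)."""
    enforce: bool = True                                 # False = "Don't Enforce": log only
    detection_pps: Optional[int] = INFINITE              # Detection Threshold PPS
    detection_percent: Optional[int] = INFINITE          # Detection Threshold Percent (over baseline)
    rate_limit_pps: Optional[int] = INFINITE             # Rate Limit Threshold PPS
    per_source_detection_pps: Optional[int] = INFINITE   # Per Source IP Detection (PPS)
    per_source_rate_limit_pps: Optional[int] = INFINITE  # Per Source IP Rate Limit (PPS)
    blacklist: bool = False                              # Blacklist Address check box
    detection_time: int = 60                             # seconds a source must stay bad first
    duration: int = 14400                                # seconds an address stays blacklisted


@dataclass
class SecondReport:
    second: int
    attack_detected: bool    # an attack would be logged/reported this second
    bad_actors: List[str]    # sources over Per Source IP Detection this second
    blacklisted: List[str]   # sources currently on the blacklist
    forwarded: int
    dropped: int


class SipVectorState:
    """Re-evaluates one vector every second, as the profile does."""

    def __init__(self, cfg: SipVector, baseline_pps: int):
        self.cfg = cfg
        self.baseline = baseline_pps                 # assumed constant in place of the learned baseline
        self.bad_since: Dict[str, int] = {}          # src -> first second it exceeded detection
        self.blacklist_until: Dict[str, int] = {}    # src -> second its blacklist entry expires

    def tick(self, second: int, counts: Dict[str, int]) -> SecondReport:
        cfg = self.cfg
        # Expire blacklist entries whose Duration has elapsed.
        self.blacklist_until = {s: t for s, t in self.blacklist_until.items() if t > second}

        total = sum(counts.values())
        over_pps = cfg.detection_pps is not None and total > cfg.detection_pps
        over_pct = (cfg.detection_percent is not None
                    and total > self.baseline * (1 + cfg.detection_percent / 100))
        attack = over_pps or over_pct

        bad_actors: List[str] = []
        for src, n in counts.items():
            if cfg.per_source_detection_pps is not None and n > cfg.per_source_detection_pps:
                bad_actors.append(src)
                self.bad_since.setdefault(src, second)
                bad_for = second - self.bad_since[src] + 1
                # Blacklisting is an action, so it only happens when the vector is enforced.
                if (cfg.enforce and cfg.blacklist and bad_for >= cfg.detection_time
                        and src not in self.blacklist_until):
                    self.blacklist_until[src] = second + cfg.duration
            else:
                self.bad_since.pop(src, None)   # assumption: detection time restarts when the source calms down

        forwarded = dropped = 0
        for src, n in counts.items():
            if not cfg.enforce:                  # "Don't Enforce": log only, never drop
                forwarded += n
            elif src in self.blacklist_until:    # blacklisted sources are dropped outright
                dropped += n
            else:
                limit = cfg.per_source_rate_limit_pps
                allowed = n if limit is None else min(n, limit)
                forwarded += allowed
                dropped += n - allowed
        if cfg.enforce and cfg.rate_limit_pps is not None and forwarded > cfg.rate_limit_pps:
            dropped += forwarded - cfg.rate_limit_pps   # vector-wide Rate Limit Threshold
            forwarded = cfg.rate_limit_pps

        return SecondReport(second, attack, bad_actors, sorted(self.blacklist_until),
                            forwarded, dropped)


# Constructed traffic: one flooding source (203.0.113.10) and one normal one (198.51.100.7).
FLOOD = {"203.0.113.10": 1000, "198.51.100.7": 50}
QUIET = {"203.0.113.10": 100, "198.51.100.7": 50}
TRAFFIC = [QUIET] + [FLOOD] * 4 + [QUIET] * 2   # seconds 0..6


def simulate(enforce: bool = True) -> List[SecondReport]:
    """Run the constructed traffic through one vector with short, illustrative thresholds."""
    cfg = SipVector(enforce=enforce, detection_pps=500, detection_percent=100,
                    rate_limit_pps=800, per_source_detection_pps=200,
                    per_source_rate_limit_pps=300, blacklist=True,
                    detection_time=3, duration=10)
    state = SipVectorState(cfg, baseline_pps=300)
    return [state.tick(sec, counts) for sec, counts in enumerate(TRAFFIC)]


if __name__ == "__main__":
    for report in simulate():
        print(report)
```

Running it shows the flooding source being rate limited to 300 PPS from second 1, blacklisted from second 3 once it has stayed over the per-source detection value for the configured Detection Time, and still dropped at seconds 5 and 6 after it calms down because the blacklist Duration has not expired; running `simulate(enforce=False)` shows the same detections logged with nothing dropped, which is what Don't Enforce gives you while you are validating thresholds.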
Associating a DoS profile with a virtual server
You must first create a DoS profile
separately, to configure denial-of-service protection for applications, the DNS protocol, or the
SIP protocol. For application-level DoS protection, the virtual server requires an HTTP profile
(such as the default http).
You add denial-of-service protection to a virtual server to provide enhanced protection
from DoS attacks, and track anomalous activity on the BIG-IP®
system.
- On the Main tab, click .
  The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- In the Destination Address field, type the IP address in CIDR format.
  The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
- On the menu bar, from the Security menu, choose Policies.
- To enable denial-of-service protection, from the DoS Protection Profile list, select Enabled, and then, from the Profile list, select the DoS profile to associate with the virtual server.
- Click Update to save the changes.
DoS protection is now enabled, and the DoS Protection profile is associated with the
virtual server.