This feature protects the system from SIP-based DoS (Denial of Service) attacks. This protection is in addition to the network-level protection against general DoS attacks.
A SIP-based DoS attack consists of a large volume of SIP messages sent from a hostile user or a compromised host.
The main defense against DoS attacks is the network design itself. In addition, border gateway elements, SBCs (Session Border Controllers), and VoIP firewalls can limit the volume of VoIP traffic that reaches the system, which protects against a SIP-based DoS attack.
A host-based IDS (Intrusion Detection System) monitors incoming traffic in parallel with normal application processing, so the monitoring does not delay message handling. When the rate of incoming traffic from a single IP address exceeds the provisioned threshold, that IP address is placed on a black list and all traffic from it is temporarily blocked.
The black list operates as follows:
- A rule is created in the internal firewall that blocks all traffic from that IP address.
- After the block period expires, the rule for that IP address is automatically removed from the internal firewall.
The following administrable options permit the system administrator to customize the DoS defense mechanism thresholds and values:
Rate Threshold: The message rate, per source IP address, above which the address is blacklisted. It applies to all traffic from addresses that are not on the Trusted Hosts Exception List. Because a single end-user device generates little SIP traffic, this value is generally set low. Note that endpoints behind a shared NAT address are counted, and blocked, together, so size the threshold with such sites in mind.
Trusted Hosts Exception List: A list of specific IP addresses that are exempt from rate monitoring. It is generally used for servers that legitimately send high volumes of traffic, such as SBCs, trunk gateways, and SIP proxies. Keep this list to the minimum needed: traffic from a listed address is never rate-limited, so a compromised trusted host, or traffic forged with its source address, bypasses this defense entirely.
Block Period: This value specifies the duration the temporary firewall rule is in place to block traffic from a blacklisted IP address.
This feature also raises alarms when the system starts discarding messages because of DoS message filtering, so that an operator can distinguish an attack from a misconfigured threshold that is blocking legitimate traffic.
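The following Python model ties the pieces above together: per-source-IP rate monitoring with a sliding window, the Trusted Hosts Exception List, a temporary block rule that expires after the Block Period, and an alarm raised when discarding begins. It is an added example written for this page, not the product's own implementation. The internal firewall is simulated by an in-memory table of blocked addresses with expiry times, the window length and the "more than N messages per window" semantics are assumptions, and the arrival trace is constructed (RFC 5737 documentation addresses) so the example runs offline.

```python
"""Per-source-IP SIP message rate monitor with a temporary blacklist.

Added example for illustration; it is not the product's own implementation.
The internal firewall is simulated by a dict of blocked addresses with
expiry times, and timestamps are supplied by the caller so that a
constructed trace replays deterministically.
"""
import collections
import ipaddress


class SipDosGuard:
    """Rate-monitor SIP traffic per source IP and blacklist offenders."""

    def __init__(self, rate_threshold, window_seconds, block_period,
                 trusted_hosts=(), alarm=None):
        self.rate_threshold = rate_threshold    # messages allowed per window (assumed semantics)
        self.window = window_seconds            # sliding window length (assumed)
        self.block_period = block_period        # lifetime of a temporary block rule
        self.trusted = {ipaddress.ip_address(h) for h in trusted_hosts}
        self.alarm = alarm or (lambda text: None)
        self._arrivals = collections.defaultdict(collections.deque)
        self._blocked = {}                      # ip -> time at which the rule expires
        self.discarded = 0                      # messages dropped by the filter

    def _expire_rules(self, now):
        # Block rules are removed automatically once the block period elapses.
        for ip, until in list(self._blocked.items()):
            if now >= until:
                del self._blocked[ip]

    def is_blocked(self, src_ip, now):
        self._expire_rules(now)
        return ipaddress.ip_address(src_ip) in self._blocked

    def accept(self, src_ip, now):
        """Return True if the message may pass to SIP processing, False if discarded."""
        ip = ipaddress.ip_address(src_ip)
        self._expire_rules(now)
        if ip in self._blocked:
            self.discarded += 1
            return False
        if ip in self.trusted:
            # Exception list: never rate-monitored. Keep it short, because an
            # entry here bypasses the defence entirely.
            return True
        q = self._arrivals[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop arrivals outside the window
            q.popleft()
        if len(q) > self.rate_threshold:
            # Threshold exceeded: install a temporary block rule and raise an alarm.
            self._blocked[ip] = now + self.block_period
            q.clear()
            self.discarded += 1
            self.alarm(f"SIP DoS filter: blocking {ip} for {self.block_period}s "
                       f"(> {self.rate_threshold} msgs/{self.window}s)")
            return False
        return True


def run_demo():
    """Replay a constructed SIP arrival trace and report what the guard did."""
    alarms = []
    guard = SipDosGuard(rate_threshold=20, window_seconds=1.0, block_period=60,
                        trusted_hosts=["198.51.100.1"], alarm=alarms.append)
    # Constructed trace of (time, source IP); not captured traffic.
    trace = [(t, "192.0.2.10") for t in range(5)]                     # a phone: 1 msg/s
    trace += [(1.0 + i * 0.001, "198.51.100.1") for i in range(200)]  # trusted SBC burst
    trace += [(1.0 + i * 0.01, "203.0.113.7") for i in range(100)]    # flood from one host
    trace += [(30.0, "203.0.113.7"), (62.0, "203.0.113.7")]           # retry while blocked, then after expiry
    trace.sort(key=lambda e: e[0])
    passed, dropped = collections.Counter(), collections.Counter()
    for now, src in trace:
        (passed if guard.accept(src, now) else dropped)[src] += 1
    return {"passed": dict(passed), "dropped": dict(dropped),
            "alarms": alarms, "discarded": guard.discarded}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In the replayed trace the phone and the trusted SBC pass untouched, the flooding host gets its first 20 messages through, is blocked on the 21st with a single alarm, loses the rest of the burst and the retry at 30 s, and is admitted again once the 60 s rule has expired. On a real host the simulated table would be an actual firewall entry; an ipset with a timeout, or an equivalent nftables set element, gives the same automatic expiry without a separate cleanup job.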