In this task, you create the DoS Protection profile and configure SIP settings at
the same time. However, you can configure SIP attack detection settings in a DoS profile
that already exists.
The BIG-IP® system handles SIP attacks that use malformed
packets, protocol errors, and malicious attack vectors. Protocol error attack detection
settings detect malformed and malicious packets, or packets that are employed to flood
the system with several different types of responses. You can configure settings to
identify SIP attacks with a DoS profile.
-
On the Main tab, click .
The DoS Profiles list screen opens.
-
Click Create.
The Create New DoS Profile screen opens.
-
In the Profile Name field, type the name for the
profile.
-
To configure SIP security settings, next to Protocol Security
(SIP), select Enabled.
-
To enable attack detection based on the rate of protocol errors, next to
Protocol Errors Attack Detection, select
Enabled.
-
In the Rate threshold field, type the rate of packets
with errors per second to detect as anomalous.
This threshold sets an absolute limit above which an attack is registered. In
addition, you can set individual thresholds for specific request types.
-
In the Rate Increased by % field, type the rate of
change in protocol errors to detect as anomalous.
The rate of detection compares the average rate over the last minute to the
average rate over the last hour. For example, the 500%
base rate would indicate an attack if the average rate for the previous hour was
100000 packets/second, and over the last minute
the rate increased to 500000
packets/second.
-
To change the threshold or rate increase for a particular SIP request type, in
the SIP Method Attack Detection settings, select the
Enabled check box for each request type that you want
to change, then change the values for Threshold and
Rate Increase in the associated fields.
For example, to change the threshold for NOTIFY requests, select the
Enabled check box next to
notify, then set the threshold for packets per second
and the rate increase percentage to be considered an attack.
The Rate Increase compares the average rate over the last minute to the
average rate over the last hour. For example, the 500%
base rate would indicate an attack if the average rate for the previous hour was
100000 packets/second, and over the last minute
the rate increased to 500000
packets/second.
Note: SIP request detection allows you to configure the thresholds
at which the firewall registers an attack. However, no packets are dropped
if an attack is detected.
-
Click Update to save your changes.
You have now configured a DoS Protection profile to provide custom responses to
malformed SIP attacks, and SIP flood attacks, and to allow such attacks to be identified
in system logs and reports.
Associate the DoS Protection profile with a virtual server to apply the settings in
the profile to traffic on that virtual server. When a SIP attack on a specific query
type is detected, you can be alerted with various system monitors.