- Zone-Based Policy Firewalls
- Zone-Based Policy Firewall IPv6 Support
- VRF-Aware Cisco IOS XE Firewall
- Layer 2 Transparent Firewalls
- Nested Class Map Support for Zone-Based Policy Firewall
- Zone Mismatch Handling
- Configuring Firewall Stateful Interchassis Redundancy
- Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
- Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
- Interchassis High Availability Support in IPv6 Zone-Based Firewalls
- Firewall Box to Box High Availability Support for Cisco CSR1000v Routers
- Firewall Stateful Inspection of ICMP
- Firewall Support of Skinny Client Control Protocol
- Configuring the VRF-Aware Software Infrastructure
- IPv6 Zone-Based Firewall Support over VASI Interfaces
- Protection Against Distributed Denial of Service Attacks
- Configuring Firewall Resource Management
- IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Configurable Number of Simultaneous Packets per Flow
- LISP and Zone-Based Firewalls Integration and Interoperability
- Firewall High-Speed Logging
- TCP Reset Segment Control
- Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
- Enabling ALGs and AICs in Zone-Based Policy Firewalls
- Configuring Firewall TCP SYN Cookie
- Object Groups for ACLs
- Cisco Firewall-SIP Enhancements ALG
- MSRPC ALG Support for Firewall and NAT
- Sun RPC ALG Support for Firewalls and NAT
- vTCP for ALG Support
- ALG—H.323 vTCP with High Availability Support for Firewall and NAT
- FTP66 ALG Support for IPv6 Firewalls
- SIP ALG Hardening for NAT and Firewall
- SIP ALG Resilience to DoS Attacks
- Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support
- Finding Feature Information
- Information About SIP ALG Resilience to DoS Attacks
- How to Configure SIP ALG Resilience to DoS Attacks
- Configuration Examples for SIP ALG Resilience to DoS Attacks
- Additional References for SIP ALG Resilience to DoS Attacks
- Feature Information for SIP ALG Resilience to DoS Attacks
SIP ALG Resilience to DoS Attacks
The SIP ALG Resilience to DoS Attacks feature provides protection against Session Initiation Protocol (SIP) application layer gateway (ALG) denial of service (DoS) attacks. This feature supports a configurable lock limit, a dynamic blacklist, and configurable timers to prevent DoS attacks.
This module explains the feature and how to configure DoS prevention for the SIP application layer gateway (ALG). Network Address Translation and zone-based policy firewalls support this feature.
- Finding Feature Information
- Information About SIP ALG Resilience to DoS Attacks
- How to Configure SIP ALG Resilience to DoS Attacks
- Configuration Examples for SIP ALG Resilience to DoS Attacks
- Additional References for SIP ALG Resilience to DoS Attacks
- Feature Information for SIP ALG Resilience to DoS Attacks
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About SIP ALG Resilience to DoS Attacks
SIP ALG Resilience to DoS Attacks Overview
The SIP ALG Resilience to DoS Attacks feature provides protection against denial of service (DoS) attacks to the Session Initiation Protocol (SIP) application layer gateway (ALG). This feature supports a configurable lock limit, a dynamic blacklist, and configurable timers to prevent DoS attacks. This feature is supported by Network Address Translation (NAT) and zone-based policy firewalls.
SIP is an application-level signaling protocol for setting up, modifying, and terminating real-time sessions between participants over an IP data network. These sessions could include Internet telephone calls, multimedia distribution, and multimedia conferences. SIP DoS attacks are a major threat to networks.
- SIP register flooding: A registration flood occurs when many VoIP devices try to simultaneously register to a network. If the volume of registration messages exceeds the device capability, some messages are lost. These devices then attempt to register again, adding more congestion. Because of the network congestion, users may be unable to access the network for some time.
- SIP INVITE flooding: An INVITE flood occurs when many INVITE messages are sent to servers that cannot support all these messages. If the attack rate is very high, the memory of the server is exhausted.
- SIP broken authentication and session attack: This attack occurs when an attacker presumes the identity of a valid user, using digest authentication. When the authentication server tries to verify the identity of the attacker, the verification is ignored and the attacker starts a new request with another session identity. These attacks consume the memory of the server.
SIP ALG Dynamic Blacklist
One of the common methods of denial of service (DoS) attacks involves saturating the target network with external communication requests making the network unable to respond to legitimate traffic. To solve this issue, the SIP ALG Resilience to DoS Attacks feature uses configurable blacklists. A blacklist is a list of entities that are denied a particular privilege, service, or access. Dynamic blacklists are disabled by default. When requests to a destination address exceed a predefined trigger criteria in the configured blacklist, the Session Initiation Protocol (SIP) application layer gateway (ALG) will drop these packets.
- In the configured period of time if a source sends multiple requests to a destination and receives non-2xx (as per RFC 3261, any response with a status code between 200 and 299 is a "2xx response") final responses from the destination.
- In the configured period of time if a source sends multiple requests to a destination and does not receive any response from the destination.
SIP ALG Lock Limit
Both Network Address Translation (NAT) and the firewall use the Session Initiation Protocol (SIP) application layer gateway (ALG) to parse SIP messages and create sessions through tokens. To maintain session states, the SIP ALG uses a per call data structure and Layer 7 data to store call-related information that is allocated when a session is initiated and freed when a session is released. If the SIP ALG does not receive a message that indicates that the call has ended, network resources are held for the call.
Because Layer 7 data is shared between threads, a lock is required to access the data. During denial of service (DoS) and distributed DoS attacks, many threads wait to get the same lock, resulting in heavy CPU usage, which makes the system unstable. To prevent the system from becoming unstable, a limit is added to restrict the number of threads that can wait for a lock. SIP sessions are established by request/response mode. When there are too many concurrent SIP messages for one SIP call, packets that exceed the lock limit are dropped.
SIP ALG Timers
To exhaust resources on Session Initiation Protocol (SIP) servers, some denial of service (DoS) attacks do not indicate the end of SIP calls. To prevent these types of DoS attacks, a protection timer is added.
When the configured maximum time is reached, the SIP application layer gateway (ALG) releases resources for this call, and future messages related to this call may not be properly parsed by the SIP ALG.
How to Configure SIP ALG Resilience to DoS Attacks
Configuring SIP ALG Resilience to DoS Attacks
You can configure the prevention of denial of service (DoS) parameters for the Session Initiation Protocol (SIP) application layer gateway (ALG) that is used by Network Address Translation (NAT) and the zone-based policy firewall.
1.
enable
2.
configure
terminal
3.
alg
sip
processor
session
max-backlog
concurrent-processor-usage
4.
alg
sip
processor
global
max-backlog
concurrent-processor-usage
5.
alg
sip
blacklist
trigger-period
trigger-period
trigger-size
minimum-events
destination
ip-address
6.
alg
sip
blacklist
trigger-period
trigger-period
trigger-size
minimum-events
block-time
block-time [destination
ip-address]
7.
alg
sip
timer
call-proceeding-timeout
time
8.
alg
sip
timer
max-call-duration
seconds
9.
end
DETAILED STEPS
Verifying SIP ALG Resilience to DoS Attacks
Use the following commands to troubleshoot the feature.
1.
enable
2.
show
alg
sip
3.
show
platform
hardware
qfp
{active |
standby}
feature
alg
statistics
sip
4.
show
platform
hardware
qfp
{active |
standby}
feature
alg
statistics
sip
dbl
5.
show
platform
hardware
qfp
{active |
standby}
feature
alg
statistics
sip
dblcfg
6.
show
platform
hardware
qfp
{active |
standby}
feature
alg
statistics
sip
processor
7.
show
platform
hardware
qfp
{active |
standby}
feature
alg
statistics
sip
timer
8.
debug
alg
{all |
info |
trace |
warn}
DETAILED STEPS
Configuration Examples for SIP ALG Resilience to DoS Attacks
Example: Configuring SIP ALG Resilience to DoS Attacks
Device# configure terminal Device(config)# alg sip processor session max-backlog 5 Device(config)# alg sip processor global max-backlog 5 Device(config)# alg sip blacklist trigger-period 90 trigger-size 30 destination 10.1.1.1 Device(config)# alg sip blacklist trigger-period 90 trigger-size 30 block-time 30 Device(config)# alg sip timer call-proceeding-timeout 35 Device(config)# alg sip timer max-call-duration 90 Device(config)# end
Additional References for SIP ALG Resilience to DoS Attacks
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Firewall commands |
|
NAT commands |
Standards and RFCs
Standard/RFC | Title |
---|---|
RFC 4028 |
Session Timers in the Session Initiation Protocol (SIP) |
MIBs
MIB | MIBs Link |
---|---|
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
Description | Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for SIP ALG Resilience to DoS Attacks
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
SIP ALG Resilience to DoS Attacks |
Cisco IOS XE Release 3.11S |
The SIP ALG Resilience to DoS Attacks feature provides protection against Session Initiation Protocol (SIP) denial of service (DoS) attacks. This feature supports a configurable lock limit, a dynamic blacklist, and configurable timers to prevent DoS attacks. Network Address Translation (NAT) and zone-based policy firewalls support this feature. In Cisco IOS XE Release 3.11S, the SIP ALG Resilience to DoS Attacks feature is implemented on Cisco ASR 1000 Series Aggregation Services Routers, Cisco Cloud Services Routers 1000V Series, and Cisco 4400 Series Integrated Services Routers. The following commands were introduced or modified: alg sip processor, alg sip blacklist, alg sip timer, show alg sip, debug alg, debug platform software alg configuration all, set platform software trace forwarding-manager alg, and show platform hardware qfp feature alg statistics sip. |