- Cisco Unified Border Element Enterprise Protocol-Independent Features and Setup
- SIP-to-SIP Extended Feature Functionality for Session Border Controllers
- Bandwidth-Based Call Admission Control
- Interworking Between RSVP Capable and RSVP Incapable Networks
- Cisco Resource Reservation Protocol Agent
- SIP INFO Method for DTMF Tone Generation
- DTMF Events through SIP Signaling
- Call Progress Analysis Over IP-to-IP Media Session
- Codec Preference Lists
- AAC-LD MP4A-LATM Codec Support on Cisco UBE
- Multicast Music-on-Hold Support on Cisco UBE
- Network-Based Recording
- Video Recording - Additional Configurations
- TDoS Attack Mitigation
- Cisco Unified Communications Gateway Services--Extended Media Forking
- Dynamic Payload Type Interworking for DTMF and Codec Packets for SIP-to-SIP Calls
- iLBC Support for SIP and H.323
- DSP-Based Functionality on the Cisco UBE Enterprise Including Transcoding and Transrating
- Acoustic Shock Protection
- Noise Reduction
- SIP Ability to Send a SIP Registration Message on a Border Element
- SIP Profiles
- Session Refresh with Reinvites
- SIP Stack Portability
- VoIP for IPv6
- Interworking of Secure RTP calls for SIP and H.323
- Cisco UBE Support for SRTP-RTP Internetworking
- Support for SRTP Termination
- WebEx Telepresence Media Support Over Single SIP Session
- SIP SRTP Fallback to Nonsecure RTP
- Support for Software Media Termination Point
- Cisco Unified Communication Trusted Firewall Control
- Cisco Unified Communication Trusted Firewall Control-Version II
- Finding Feature Information
- Domain-Based Routing Support on the Cisco UBE
- URI-Based Dialing Enhancements
- Additional References
- Glossary
TDoS Attack Mitigation
The TDoS Attack Mitigation feature enables Cisco Unified Border Element (Cisco UBE) to not respond to Session Initiation Protocol (SIP) requests from IP addresses that are not listed in a trusted IP address list. Cisco UBE validates only out-of-dialog SIP requests against IP addresses in the trusted IP address list. It does not validate in-dialog SIP requests because such requests usually arrive from trusted entities. The TDoS Attack Mitigation feature is supported both on IPv4 and IPv6 networks.
- Finding Feature Information
- Information About TDoS Attack Mitigation
- How to Configure TDoS Attack Mitigation
- Verifying TDoS Attack Mitigation
- Configuration Examples for TDoS Attack Mitigation
- Feature Information for TDoS Attack Mitigation
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About TDoS Attack Mitigation
The TDoS Attack Mitigation feature prevents Cisco Unified Border Element (Cisco UBE) from responding to Session Initiation Protocol (SIP) requests arriving from untrusted IP addresses, which leads to an improvement in performance. The SIP stack authenticates the source IP address of an incoming SIP request and blocks the response if the source IP address does not match any IP address in the trusted IP address list. To create a trusted IP address list, you may configure a list of IP addresses or use the IP addresses that have been configured using the session target command in dial-peer configuration mode.
Cisco UBE does not respond to REGISTER requests and consumes REGISTER requests if you configure it only for Telephony Denial-of-Service (TDoS) Attack Mitigation and not as a registrar server.
If you configure Cisco UBE as a registrar server for TDoS attack mitigation, it consumes responses for REGISTER requests that do not belong to any application. Cisco UBE does not consume responses to REGISTER requests that belong to a registrar application.
Note | A SIP registrar is a server that accepts REGISTER requests and is typically collocated with a proxy or redirect server. |
Syslogs are printed on the device console every 60 minutes after Cisco UBE consumes a threshold value of 1000 SIP requests.
How to Configure TDoS Attack Mitigation
Configuring a Trusted IP Address List for Toll-Fraud Prevention
1.
enable
2.
configure
terminal
3.
voice
service
voip
4.
ip
address
trusted
list
5.
ipv4
ipv4-address [network-mask]
6.
ipv6
ipv6-address
7.
end
DETAILED STEPS
Configuring TDoS Attack Mitigation
1.
enable
2.
configure terminal
3.
voice service voip
4.
ip address trusted authenticate
5.
allow-connections from-type to to-type
6.
sip
7.
no registrar server
8.
silent-discard untrusted
9.
end
10.
show sip-ua statistics
11.
clear sip-ua statistics
DETAILED STEPS
Verifying TDoS Attack Mitigation
Sample output for the show sip-ua statistics command
To display response, traffic, and retry Session Initiation Protocol (SIP) statistics, use the show sip-ua statistics command in privileged EXEC mode.
Device# show sip-ua statistics SIP Response Statistics (Inbound/Outbound) Informational: Trying 0/0, Ringing 0/0, Forwarded 0/0, Queued 0/0, SessionProgress 0/0 Success: OkInvite 0/0, OkBye 0/0, OkCancel 0/0, OkOptions 0/0, OkPrack 0/0, OkRegister 0/0 OkSubscribe 0/0, OkNotify 0/0, OkPublish 0/0 OkInfo 0/0, OkUpdate 0/0, 202Accepted 0/0, OkOptions 0/0 Redirection (Inbound only except for MovedTemp(Inbound/Outbound)) : MultipleChoice 0, MovedPermanently 0, MovedTemporarily 0/0, UseProxy 0, AlternateService 0 Client Error: BadRequest 0/0, Unauthorized 0/0, PaymentRequired 0/0, Forbidden 0/0, NotFound 0/0, MethodNotAllowed 0/0, NotAcceptable 0/0, ProxyAuthReqd 0/0, ReqTimeout 0/0, Conflict 0/0, Gone 0/0, ConditionalRequestFailed 0/0, ReqEntityTooLarge 0/0, ReqURITooLarge 0/0, UnsupportedMediaType 0/0, UnsupportedURIScheme 0/0, BadExtension 0/0, IntervalTooBrief 0/0, TempNotAvailable 0/0, CallLegNonExistent 0/0, LoopDetected 0/0, TooManyHops 0/0, AddrIncomplete 0/0, Ambiguous 0/0, BusyHere 0/0, RequestCancel 0/0, NotAcceptableMedia 0/0, BadEvent 0/0, SETooSmall 0/0, RequestPending 0/0, UnsupportedResourcePriority 0/0, Total untrusted Request Consumed 1500,//This counter increments (+1) on reception of an untrusted SIP request.// Untrusted Request Consumed in last lap 300,//This counter is updated after every 60 minutes.// Last Threshold for Untrusted Request Consumed 1000//This counter activates when the router boots up. Counter value is the number of untrusted requests that are consumed (after crossing 1000 SIP requests) in each interval of 60 minutes after the router boots up.// Server Error: InternalError 0/0, NotImplemented 0/0, BadGateway 0/0, ServiceUnavail 0/0, GatewayTimeout 0/0, BadSipVer 0/0, PreCondFailure 0/0 Global Failure: BusyEverywhere 0/0, Decline 0/0, NotExistAnywhere 0/0, NotAcceptable 0/0 Miscellaneous counters: RedirectRspMappedToClientErr 0 SIP Total Traffic Statistics (Inbound/Outbound) Invite 0/0, Ack 0/0, Bye 0/0, Cancel 0/0, Options 0/0, Prack 0/0, Update 0/0, Subscribe 0/0, Notify 0/0, Publish 0/0 Refer 0/0, Info 0/0, Register 0/0 Retry Statistics Invite 0, Bye 0, Cancel 0, Response 0, Prack 0, Reliable1xx 0, Notify 0, Info 0 Register 0 Subscribe 0 Update 0 Options 0 Publish 0 SDP application statistics: Parses: 0, Builds 0 Invalid token order: 0, Invalid param: 0 Not SDP desc: 0, No resource: 0 Last time SIP Statistics were cleared: <never>
Configuration Examples for TDoS Attack Mitigation
Example: Trusted IP Address List Configuration
The following example shows how to configure a Trusted IP Address list.
Device> enable Device# configure terminal Device(config)# voice service voip Device(conf-voi-serv)# ip address trusted list Device(cfg-iptrust-list)# ipv4 192.0.2.1 Device(cfg-iptrust-list)# ipv6 2001:DB8:0:ABCD::1/48
Example: TDoS Attack Mitigation Configuration
The following example shows how to configure TDoS Attack Mitigation.
Device> enable Device# configure terminal Device(config)# voice service voip Device(conf-voi-serv)# ip address trusted authenticate Device(conf-voi-serv)# allow-connections sip to sip Device(conf-voi-serv)# sip Device(conf-serv-sip)# no registrar server Device(conf-serv-sip)# silent-discard untrusted
Feature Information for TDoS Attack Mitigation
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Release |
Feature Information |
---|---|---|
TDoS Attack Mitigation |
15.3(3)M |
The TDoS Attack Mitigation feature enables Cisco UBE to not respond to Session Initiation Protocol (SIP) requests from IP addresses that are not listed in a trusted IP address list. |
TDoS Attack Mitigation |
Cisco IOS XE Release 3.10S |
The TDoS Attack Mitigation feature enables Cisco UBE to not respond to Session Initiation Protocol (SIP) requests from IP addresses that are not listed in a trusted IP address list. |