POWER SEC DOS AND DDOS PROTECTION
The IP firewall module in the PowerSec protects the system against IP-level threats such as port scanning by ensuring that only the ports required for processing SIP signaling and for other configured services are open. Ports for media streams are opened only when required, under the control of the application and protocol security module. The firewall module also provides the first level of protection against denial of service (DoS) and distributed denial of service (DDoS) attacks through configurable rate limits for each enabled SIP transport. These rate limits may be configured per network interface and per source IP address.
Application-level threats such as call floods and other denial of service attacks are controlled by the Call Admission Control and Blacklist functions implemented in the application and protocol security module. Call Admission Control applies rate limiting and other controls at the application level, providing fine-grained control so that a different rate limit may be specified for each request type.
These DoS and DDoS controls are reinforced by the routing policy, which ensures that SIP requests for unknown destinations are dropped immediately.
Call Admission Control is designed to provide fine-grained control over the SIP messages that are permitted by the SIP Security Controller.
Call Admission Control governs calls and other SIP events such as phone registration. It is split into two sections, Blacklisting and Call Admission Rules.

Blacklisting allows you to block all selected SIP messages from defined sources or to defined destinations. Among other things, it is useful for blocking the SIP scanning tools, such as SIPVicious, that attackers use to identify vulnerable systems. The PowerSec is pre-configured with blacklist entries to block SIPVicious. A blacklist entry keyed on a client-supplied header such as User-Agent stops only scanners that keep their default identification; the rate limits and the default drop of unmatched messages are the controls that remain effective once an attacker changes it.

Call Admission Rules allow you to apply controls to messages that the PowerSec permits. These controls can limit the types of SIP message permitted or place rate limits on those messages. Call admission rules modify the processing of a message and apply to messages that are routed by a SIP Object definition. A rule may apply rate limits to messages, change the Quality of Service (QoS) settings of the SIP transport or RTP audio associated with a matching set of messages, or override message routing. Each call admission rule is defined in two parts.
Firstly, at least one message matching parameter, such as Source, Destination or SIP Parameters, is used to define the messages to which the rule applies. All of these fields are optional, but at least one of them must be defined. If you define multiple fields then all of them must match for the rule to take effect: for example, if you define an IP address and a Contact URI, the pattern matches a SIP message from the specified IP address that also contains the defined Contact URI. Many of the configuration parameters for Call Admission Rules are the same as those used to define a blacklist rule.

Secondly, a SIP Property may be configured to define the action applied to messages identified by the matching parameters. If no SIP Property is defined, the message is forwarded without change.

When a SIP Object is defined, two default Call Admission Rules are created without SIP Properties. The default rules allow all SIP messages from the SIP Object to any destination and vice versa. For example, a system with two SIP Object definitions, one for a PBX and one for a SIP trunk service, will have four default call admission rules.

The Rate-Limit parameter, used together with pre-defined SIP parameters such as User-Agent, provides the protection against DDoS attacks at the SIP layer. Any SIP message that does not match a defined rule is discarded and cannot affect the PBX or softswitch behind the PowerSec.
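The filtering pipeline described above, as an added example that is not PowerSec code: a per-source-IP transport rate limit (the firewall stage) in front of a blacklist and a set of call admission rules whose match fields (source IP, method, User-Agent, Contact URI) are AND-ed, each rule optionally carrying its own rate limit, and a default drop for anything no rule admits. The SIP parser, rule format, token-bucket rate limiter, addresses, rate values and sample messages are all constructed for this example; Destination matching, QoS and routing overrides, and the product's own configuration syntax are not modelled. The one real-world detail used is that SIPVicious identifies itself with User-Agent: friendly-scanner by default.

```python
import re

# Added example (not PowerSec code). Constructed parser, rules, rates and traffic.


class TokenBucket:
    """Allows `count` messages per `seconds`; starts full so a burst of `count` passes."""

    def __init__(self, count, seconds):
        self.rate = count / seconds
        self.capacity = float(count)
        self.tokens = float(count)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def parse_sip(raw):
    """Minimal SIP request parser: request line plus headers; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


class Rule:
    """Match fields are optional, at least one is required, and all given fields are AND-ed."""

    def __init__(self, name, src_ip=None, method=None, user_agent=None, contact=None, rate=None):
        if all(f is None for f in (src_ip, method, user_agent, contact)):
            raise ValueError("rule %s needs at least one match field" % name)
        self.name = name
        self.src_ip, self.method = src_ip, method
        self.user_agent, self.contact = user_agent, contact  # regular expressions
        self.bucket = TokenBucket(*rate) if rate else None   # rate = (count, seconds)

    def matches(self, msg):
        h = msg["headers"]
        checks = [
            (self.src_ip, msg["src_ip"] == self.src_ip),
            (self.method, msg["method"] == self.method),
            (self.user_agent, re.search(self.user_agent or "", h.get("user-agent", "")) is not None),
            (self.contact, re.search(self.contact or "", h.get("contact", "")) is not None),
        ]
        return all(ok for wanted, ok in checks if wanted is not None)


class SipFilter:
    """Stage 1: per-source-IP transport rate limit. Stage 2: blacklist, admission rules, default drop."""

    def __init__(self, blacklist, rules, per_ip_rate):
        self.blacklist = blacklist      # any match drops the message
        self.rules = rules              # first matching admission rule wins
        self.per_ip_rate = per_ip_rate  # (count, seconds) applied to every source IP
        self.ip_buckets = {}

    def admit(self, src_ip, raw, now):
        """Returns 'forward:<rule>' or 'drop:<reason>' for one received SIP request."""
        bucket = self.ip_buckets.setdefault(src_ip, TokenBucket(*self.per_ip_rate))
        if not bucket.allow(now):           # firewall stage: needs only the source address
            return "drop:ip-rate-limit"
        msg = parse_sip(raw)
        msg["src_ip"] = src_ip
        for rule in self.blacklist:
            if rule.matches(msg):
                return "drop:blacklist:" + rule.name
        for rule in self.rules:
            if rule.matches(msg):
                if rule.bucket is not None and not rule.bucket.allow(now):
                    return "drop:rate-limit:" + rule.name
                return "forward:" + rule.name
        return "drop:no-matching-rule"


PBX, TRUNK = "10.0.0.10", "198.51.100.5"  # constructed addresses of the two SIP objects


def build_filter():
    blacklist = [Rule("sipvicious", user_agent=r"friendly-scanner")]  # SIPVicious' default User-Agent
    rules = [
        # Specific rule first: PBX REGISTERs whose Contact is on the PBX, limited to 5 per 10 s.
        Rule("pbx-register", src_ip=PBX, method="REGISTER", contact=r"@10\.0\.0\.10", rate=(5, 10)),
        # The per-SIP-object default rules: anything from the PBX, anything from the trunk.
        Rule("pbx-out", src_ip=PBX),
        Rule("trunk-out", src_ip=TRUNK),
    ]
    return SipFilter(blacklist, rules, per_ip_rate=(50, 1))


def run_sample():
    """Replays constructed traffic through the filter and returns the decisions."""
    f = build_filter()
    scan = ("OPTIONS sip:100@192.0.2.1 SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.9:5060\r\n"
            "User-Agent: friendly-scanner\r\nTo: <sip:100@192.0.2.1>\r\n\r\n")
    register = ("REGISTER sip:192.0.2.1 SIP/2.0\r\nContact: <sip:201@10.0.0.10>\r\n"
                "User-Agent: PBX/1.0\r\n\r\n")
    invite = "INVITE sip:+15551234567@10.0.0.10 SIP/2.0\r\nUser-Agent: Trunk-SBC\r\n\r\n"
    results = {
        "scan": f.admit("203.0.113.9", scan, 0.0),        # blacklisted scanner
        "unknown": f.admit("203.0.113.9", invite, 0.1),   # no rule admits this source
        "trunk": f.admit(TRUNK, invite, 0.2),             # admitted by the trunk default rule
        # six REGISTERs from the PBX within one second: five pass, the sixth is rate limited
        "register": [f.admit(PBX, register, 1.0 + i * 0.1) for i in range(6)],
    }
    # 60 INVITEs from one unknown host at the same instant: stage 1 stops the last 10
    flood = [f.admit("203.0.113.77", invite, 2.0) for _ in range(60)]
    results["flood"] = flood.count("drop:ip-rate-limit")
    return results


if __name__ == "__main__":
    for name, decision in run_sample().items():
        print(name, decision)
```

Rule order matters: the rate-limited REGISTER rule sits ahead of the PBX default rule, otherwise the default rule would admit every REGISTER without limit. The flood case also shows the limit of a per-source transport rate limit on its own: one host is stopped at stage 1 before its messages are even parsed, but 50 distinct (or spoofed UDP) sources would each get their own bucket, which is why the default drop of messages no rule admits is the control that holds against distributed traffic.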