During a DoS Attack, Session Border Controller Drops Packets From Trusted Entities. Why Is This and How Is This Countered ?

(Doc ID 2143079.1)

Last updated on JUNE 22, 2017

Applies to:

Acme Packet 6300 - Version S-Cz7.2.0 to S-Cz7.3.5 [Release S-Cz7.0]
Information in this document applies to any platform.


The environment consist of HA pair comprises of the Acme_6300 running SBC Version Acme Packet Net-Net 6300 SCZ7.2.x. In this example, the SBC is using sip-interface associated with the 'SIPConnect' realm. Upon any SIP messages that arrives to SBC using sip-interface associated with the 'SIPConnect' realm, SBC will forward the requests to the redirect servers based on the local policy routing. During the DoS attack, a spike in traffic from the unsolicited source to the 'SIPConnect' realm occurs. This caused:

1. The registration attempts from the IP Address of the unsolicted source were forwarded by SBC to the call servers based on response from re-direct servers. Such attempts were rejected with 403
2. Customers associated to the SIPConnect realms were primarily affected
3. Access SBC dropped the inbound SIP messages (requests and responses) from customers connected to the system which resulted in registrations and calls to fail
4. The session-agents corresponding to the re-direct servers were taken out-of-service quiet frequently (state transitioned from I to O to S to O)

Example of SBC settings:

max-signaling-bandwidth 2500000

identifier SIPConnect
access-control-trust-level medium
invalid-signal-threshold 1

options trans-timeouts=2


sipd.log file has entries such as:

indicating the IP address from unsolicited source was going to untrusted but not to deny list


Why did the SBC drop the SIP messages from the trusted entities and how can this be countered ?


Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms