During a DoS Attack, Session Border Controller Drops Packets From Trusted Entities. Why Is This and How Is This Countered ?
(Doc ID 2143079.1)
Last updated on AUGUST 27, 2020
Applies to:Acme Packet 6300 - Version S-Cz7.2.0 to S-Cz7.3.5 [Release S-Cz7.0]
Information in this document applies to any platform.
The environment consist of HA pair comprises of the Acme 6300s running SBC Version Acme Packet Net-Net 6300 SCZ7.2.x. In this example, the SBC is using sip-interface associated with the access realm. Upon any SIP messages that arrives to SBC using sip-interface associated with the access realm, SBC will forward the requests to the redirect servers based on the local policy routing. During the DoS attack, a spike in traffic from the unsolicited source to the access realm occurs. This caused:
1. The registration attempts from the IP Address of the unsolicted source were forwarded by SBC to the call servers based on response from re-direct servers. Such attempts were rejected with 403
2. Customers associated to the access realms were primarily affected
3. Access SBC dropped the inbound SIP messages (requests and responses) from customers connected to the system which resulted in registrations and calls to fail
4. The session-agents corresponding to the re-direct servers were taken out-of-service quiet frequently (state transitioned from I to O to S to O)
Example of SBC settings:
sipd.log file has entries such as:
indicating the IP address from unsolicited source was going to untrusted but not to deny list
Why did the SBC drop the SIP messages from the trusted entities and how can this be countered ?
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document