Denial of Service (DoS/DDoS)

Feature F-6198, DoS Prevention for CPU Services, protects the IMG 2020 from Denial of Service (DoS/DDoS) attacks directed at its CPU-based Service IP Addresses. These addresses are exposed to attacks over a variety of Ethernet/IP protocols. The firewall developed for this feature can be manually enabled or disabled and provides Layer 2/Layer 3 protection by blocking every protocol that is not required by a CPU-provided service. When a CPU Service is configured, a pinhole is opened automatically for that service on the CPU Service IP Address. The CPU Services protected by the Denial of Service firewall are listed below.

IP Protocol   Description
ARP           IP address resolution
SIGTRAN       Call Control (SS7 equivalent over IP)
ICMP          IP Control Messaging (connectivity verification, etc.)
DNS           Domain Name Resolution
NTP           Time Synchronization
NFS           Network File System
FTP           File Transfers
SSH           Secure File Transfer and Secure Command Shell
HTTP          Less secure web interface
HTTPS         More secure web interface
SNMP          Network Management
SIP           Call Control
H.323         Call Control umbrella
RADIUS        Billing Record Transmission
RCOMM         Inter-node communication

Additional Information

  • The Firewall described above protects all Service IP addresses, regardless of the interface on which the IP address is configured.

  • The Firewall DOES NOT protect the bootup IP address bound to the CTRL interface. This IP address is used for all OAMP functionality and should be connected to a trusted network.

  • Inbound IP traffic is inspected on a per-protocol basis; inappropriate packet options trigger a block of the potentially damaging traffic. The specific types of filtering performed are determined automatically wherever possible.

  • IP packet inspection is used to block the set of attacks that can be identified at the Network layer (L3). This includes blocking inbound packets with invalid options as well as using stateful inspection to block packets indicating an inappropriate message type based on the state of a specific data flow.

  • The total number of sessions allowed for any connection-oriented (TCP or UDP based) protocol is limited, to block resource-starvation types of DoS attacks.

  • Adding the Denial Of Service feature to the IMG 2020 provides the following benefits:

      • Ability to block all non-ARP/IP Ethernet traffic bound for the 2020 SBC's CPU at the Data Link layer (L2)

      • Ability to block all CPU-bound IP traffic (for protocols not in use by the CPU) at the Network layer (L3)

      • Ability to survive flood attacks on CPU-provided services

      • Protection (wherever applicable) from attacks that exploit non-standard packet options

      • Protection from a variety of IP fragmentation types of attacks

      • Protection from attacks that violate protocol-specific stateful restrictions

      • Protection from a variety of ICMP-based DoS attacks

      • Topology Hiding of the IMG 2020's CPU services (by restricting access via the ICMP protocol)

      • Protection from resource starvation DoS attacks for connection-oriented protocols

  • The Firewall is set to Enable by default and can be manually Enabled or Disabled by selecting Enable or Disable in the IP Firewall field of the IP Network Interface object.

  • The IMG 2020 also supports Access Control Lists (ACLs) for finer control over which remote endpoints may access local IP resources. Refer to the Provisional ACL (F-6582) topic for more information.
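As an added illustration (not Sangoma code and not the product's actual implementation), the Python model below captures the policy the bullets above describe: only ARP and IP frames reach the CPU at L2, a CPU Service IP accepts only protocols for which a configured service has opened a pinhole, and each pinhole caps the number of remote sessions. The service-to-port mapping, the cap of three sessions and the sample addresses are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

ETHERTYPE_ARP, ETHERTYPE_IP = 0x0806, 0x0800
# Constructed (proto, port) pinholes for some CPU services named on the page; the
# real product decides these internally, so treat this table as an assumption.
SERVICE_PINHOLES = {"SSH": ("tcp", 22), "HTTPS": ("tcp", 443), "SIP": ("udp", 5060),
                    "SNMP": ("udp", 161), "NTP": ("udp", 123), "DNS": ("udp", 53)}


@dataclass
class Frame:
    ethertype: int
    dst_ip: str = ""
    proto: str = ""   # "tcp" or "udp" for the IP services modelled here
    dport: int = 0
    src: str = ""     # remote endpoint, used for per-pinhole session accounting


@dataclass
class CpuServiceFirewall:
    service_ips: set          # CPU Service IP Addresses under protection
    session_cap: int = 3      # constructed cap on distinct remote sessions per pinhole
    pinholes: set = field(default_factory=set)
    sessions: dict = field(default_factory=lambda: defaultdict(set))

    def configure_service(self, name):
        """Configuring a CPU Service automatically opens its pinhole."""
        self.pinholes.add(SERVICE_PINHOLES[name])

    def inspect(self, f):
        """Return 'accept', 'pass:...' or a 'drop:<reason>' verdict for one inbound frame."""
        if f.ethertype not in (ETHERTYPE_ARP, ETHERTYPE_IP):
            return "drop:l2-non-arp-ip"        # L2: nothing but ARP/IP reaches the CPU
        if f.ethertype == ETHERTYPE_ARP:
            return "accept"                    # ARP is always a required CPU service
        if f.dst_ip not in self.service_ips:
            return "pass:unprotected-ip"       # e.g. the CTRL bootup IP, not covered
        key = (f.proto, f.dport)
        if key not in self.pinholes:
            return "drop:l3-no-pinhole"        # default deny for protocols not in use
        peers = self.sessions[key]
        if f.src not in peers and len(peers) >= self.session_cap:
            return "drop:session-cap"          # resource-starvation protection
        peers.add(f.src)
        return "accept"


if __name__ == "__main__":
    fw = CpuServiceFirewall(service_ips={"10.0.0.5"}); fw.configure_service("SSH")
    print(fw.inspect(Frame(ETHERTYPE_IP, "10.0.0.5", "tcp", 443, "198.51.100.7")))  # drop:l3-no-pinhole
```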
