Denial of Service (DoS/DDoS)
The DOS Prevention for CPU Services feature (F-6198) protects the IMG 2020 from Denial of Service (DoS/DDoS) attacks against the IP addresses used for CPU-based services. The CPU Service IP Addresses are susceptible to attacks over a variety of Ethernet/IP protocols. The firewall developed for this feature can be manually enabled or disabled and provides L2/L3 protection by blocking all protocols that are not required for CPU-provided services. When a CPU Service is configured, a pinhole is automatically opened that unblocks that service on the CPU Service IP Address. Below is a list of the CPU Services that the Denial of Service firewall protects.
| IP Protocol | Description |
|---|---|
| ARP | IP address resolution |
| SIGTRAN | Call Control (SS7 equivalent over IP) |
| ICMP | IP Control Messaging (connectivity verification, etc.) |
| DNS | Domain Name Resolution |
| NTP | Time Synchronization |
| NFS | Network File System |
| FTP | File Transfers |
| SSH | Secure File Transfer and Secure Command Shell |
| HTTP | Less secure web interface |
| HTTPS | More secure web interface |
| SNMP | Network Management |
| SIP | Call Control |
| H.323 | Call Control umbrella |
| RADIUS | Billing Record Transmission |
| RCOMM | Inter-node communication |
Additional Information
The Firewall described above protects all Service IP addresses. It does not matter which interface the IP address is configured on; it will be protected.
The Firewall DOES NOT protect the bootup IP address that is bound to the CTRL interface. This IP address should be connected to a trusted network and is utilized for all OAMP functionality.
Inbound IP traffic is inspected on a per-protocol basis; inappropriate packet options trigger a block of the potentially damaging traffic, and the specific types of filtering performed are determined automatically whenever possible.
IP packet inspection is used to block the set of attacks that can be identified at the Network layer (L3). This includes blocking inbound packets with invalid options as well as using stateful inspection to block packets indicating an inappropriate message type based on the state of a specific data flow.
The total number of sessions allowed for any connection-oriented (TCP or UDP based) protocols is limited to block resource starvation types of DoS attacks.
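The three mechanisms described above (default-deny with a pinhole per configured CPU service, L3 rejection of packets with invalid options, stateful tracking that drops segments belonging to no known flow, and a cap on concurrent sessions per protocol) fit together as one inspection pipeline. The following is an added toy model of that pipeline written for this page; it is not the IMG 2020's firewall code, and the port numbers, the `session_limit` value, the packet dictionary layout and the addresses in `run_demo` are constructed assumptions for illustration.

```python
"""Toy model of a default-deny service firewall with automatic pinholes,
L3 option checks, stateful flow tracking and per-service session caps.
Added illustration for this page; not the IMG 2020's own implementation.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Well-known transport/port per CPU service. Constructed lookup table; the
# page itself does not list port numbers.
SERVICE_PORTS = {
    "SSH": ("tcp", 22),
    "HTTPS": ("tcp", 443),
    "DNS": ("udp", 53),
    "NTP": ("udp", 123),
    "SIP": ("udp", 5060),
    "SNMP": ("udp", 161),
}


@dataclass
class ServiceFirewall:
    enabled: bool = True
    session_limit: int = 100                       # hypothetical per-service cap
    pinholes: set = field(default_factory=set)     # (service_ip, transport, port)
    # (service_ip, port) -> set of (src_ip, src_port) peers with a live session
    sessions: dict = field(default_factory=lambda: defaultdict(set))

    def configure_service(self, service_ip: str, name: str) -> None:
        """Configuring a CPU service automatically opens its pinhole."""
        transport, port = SERVICE_PORTS[name]
        self.pinholes.add((service_ip, transport, port))

    def remove_service(self, service_ip: str, name: str) -> None:
        """Removing the service closes the pinhole and drops its flow state."""
        transport, port = SERVICE_PORTS[name]
        self.pinholes.discard((service_ip, transport, port))
        self.sessions.pop((service_ip, port), None)

    def inspect(self, pkt: dict) -> str:
        """Return 'accept' or a 'drop:<reason>' verdict for an inbound packet.

        pkt keys: src, sport, dst, dport, transport ('tcp'|'udp'),
        optional syn (bool) and ip_options_invalid (bool).
        """
        if not self.enabled:                        # firewall manually disabled
            return "accept"
        # L3 check: malformed/invalid IP options are dropped before anything else.
        if pkt.get("ip_options_invalid"):
            return "drop:invalid-ip-options"
        # Default deny: only destinations with an open pinhole pass.
        if (pkt["dst"], pkt["transport"], pkt["dport"]) not in self.pinholes:
            return "drop:no-pinhole"
        flow = self.sessions[(pkt["dst"], pkt["dport"])]
        peer = (pkt["src"], pkt["sport"])
        # Stateful check: a TCP segment that is not a SYN must belong to a
        # session we already know about.
        if pkt["transport"] == "tcp" and not pkt.get("syn") and peer not in flow:
            return "drop:no-session"
        if peer not in flow:
            # Resource-starvation guard: refuse new sessions beyond the cap.
            if len(flow) >= self.session_limit:
                return "drop:session-limit"
            flow.add(peer)
        return "accept"


def run_demo() -> list:
    """Feed a constructed packet sequence through the model; returns verdicts."""
    fw = ServiceFirewall(session_limit=3)
    fw.configure_service("192.0.2.10", "SSH")   # opens tcp/22 on that service IP
    fw.configure_service("192.0.2.10", "DNS")   # opens udp/53 on that service IP
    base = dict(dst="192.0.2.10")
    pkts = [
        dict(base, src="198.51.100.1", sport=40000, dport=22, transport="tcp", syn=True),
        dict(base, src="198.51.100.1", sport=40000, dport=22, transport="tcp"),   # known flow
        dict(base, src="198.51.100.2", sport=40001, dport=22, transport="tcp"),   # no SYN seen
        dict(base, src="198.51.100.3", sport=40002, dport=80, transport="tcp", syn=True),  # HTTP not configured
        dict(base, src="198.51.100.4", sport=5353, dport=53, transport="udp", ip_options_invalid=True),
    ]
    # Five distinct UDP peers against a cap of three -> last two are refused.
    pkts += [dict(base, src=f"203.0.113.{i}", sport=50000, dport=53, transport="udp")
             for i in range(1, 6)]
    return [fw.inspect(p) for p in pkts]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The order of checks matters: the invalid-options test runs before the pinhole lookup so that a malformed packet is never allowed to consume session state, and the session cap is applied only when a genuinely new peer appears, so established flows keep working while the protocol is under a connection flood.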
Adding the Denial Of Service feature to the IMG 2020 provides the following benefits.
The Firewall is set to Enable by default and can be manually Enabled or Disabled by selecting Enable or Disable from the IP Firewall field in the IP Network Interface object.
The IMG 2020 also supports Access Control Lists (ACL) for greater control over which remote endpoints have access to local IP resources. Refer to the Provisional ACL (F-6582) topic for more information.