FAQs, Helpful Tips, and Screenshots

  • 1.  Session Border Controller DoS understanding

    Posted 11-11-2020 12:00 PM

    Greetings all.  Is there anyone who understands the DoS alerts for the SBCs? Specifically the Phone DoS incidents. I am trying to get a better understanding of what is being triggered here.

    Thanks,

    Mark Flath
    818-644-4545


    ------------------------------
    Mark Flath
    Telecom Engineer III
    Answer Financial Inc
    Encino CA
    ------------------------------


  • 2.  RE: Session Border Controller DoS understanding

    Posted 11-11-2020 12:31 PM
    DoS or DDoS alerts on the SBC are typically triggered when a single phone number calls a bunch of numbers at, or near, the same time.  For example, if the phone number:

    800-555-1212    is shown calling
       517-555-3000
       517-555-3001
       517-555-8754
       517-555-8766

    all within a few seconds, it would trigger the alarm.  This alarm exists because a normal person should not be able to dial that number /that/ quickly between calls if they were a real human.

    The DDoS alarm is similar, but the opposite.  This would trigger when multiple numbers are hitting a single DID all within a few seconds.  For example, if you have the number
    517-555-3000  getting calls from
       800-555-1212
       877-666-3000
       866-251-5555
       616-304-8888

    It would trigger the alarm as well.  It would be highly unusual for multiple numbers to call a single DID in quick sequence.  

    -Nick

    ------------------------------
    Nick Kwiatkowski
    Director of Design and Engineering
    Michigan State University
    East Lansing MI
    ------------------------------



  • 3.  RE: Session Border Controller DoS understanding

    Posted 11-11-2020 01:22 PM

    Thanks Nick.

    That part I understand. I have seen DoS alerts with multiple IPs, but in the case of this one, which I keep seeing, it does not make any sense.  I am only seeing one IP and the alert is: Notify - which I am assuming is a SIP ANY message, but why the single IP?

    GO BLUE!!!!



    ------------------------------
    Mark Flath
    Telecom Engineer III
    Answer Financial Inc
    Encino CA
    ------------------------------



  • 4.  RE: Session Border Controller DoS understanding

    Posted 11-11-2020 01:54 PM
    DoS alerts in the SBC do not have anything to do with IP addresses (remember, the alerts you would see are layer-7, not layer 2 or 3).  It is solely based on phone number/extension.  The probes could be coming from multiple IPs or a single one (both would be common, esp. in a trunking environment or remote worker environment).

    You are getting a NOTIFY, since that is the policy you set in the SBC (that may also be the default).  In the policies, you can have it IGNORE, NOTIFY, or BLOCK.  If you set it to block, it will ignore all traffic that matches the pattern for a specified amount of time.  If you set it to IGNORE, you won't even see it in the logs.

    -Nick

    ------------------------------
    Nick Kwiatkowski
    Director of Design and Engineering
    Michigan State University
    East Lansing MI
    ------------------------------
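
The fan-out (DoS) and fan-in (DDoS) patterns and the IGNORE / NOTIFY / BLOCK actions described in the replies above, as an added example that is not part of any post and is not the SBC's own logic. The window, threshold and block duration are assumed values, the call records are constructed from the sample numbers in the thread, and the detector keys on phone number only, never on source IP.

```python
from collections import defaultdict, deque

WINDOW = 5.0       # seconds; assumed stand-in for "a few seconds"
THRESHOLD = 4      # distinct peers inside the window; assumed value
BLOCK_SECS = 60.0  # assumed block duration for the BLOCK action

def detect(calls, policy="NOTIFY", window=WINDOW, threshold=THRESHOLD):
    """calls: (ts, caller, callee) tuples sorted by ts.
    Returns (alerts, dropped); alerts are (ts, kind, number)."""
    by_caller = defaultdict(deque)  # caller -> recent (ts, callee)
    by_callee = defaultdict(deque)  # callee -> recent (ts, caller)
    blocked_until = {}              # (kind, number) -> time the block ends
    alerts, dropped = [], []

    def check(hist, key, peer, ts, kind):
        q = hist[key]
        q.append((ts, peer))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            if policy == "BLOCK":
                blocked_until[(kind, key)] = ts + BLOCK_SECS
            if policy != "IGNORE":           # IGNORE leaves no log entry
                alerts.append((ts, kind, key))
            q.clear()                        # one alert per burst

    for ts, caller, callee in calls:
        if (blocked_until.get(("DoS", caller), 0) > ts
                or blocked_until.get(("DDoS", callee), 0) > ts):
            dropped.append((ts, caller, callee))
            continue
        check(by_caller, caller, callee, ts, "DoS")   # one number, many targets
        check(by_callee, callee, caller, ts, "DDoS")  # many numbers, one DID
    return alerts, dropped

# Constructed call records using the sample numbers from the thread.
FAN_OUT = [(0.0, "800-555-1212", "517-555-3000"),
           (0.8, "800-555-1212", "517-555-3001"),
           (1.5, "800-555-1212", "517-555-8754"),
           (2.1, "800-555-1212", "517-555-8766"),
           (3.0, "800-555-1212", "517-555-9000")]  # fifth call is made up
FAN_IN = [(0.0, "800-555-1212", "517-555-3000"),
          (0.5, "877-666-3000", "517-555-3000"),
          (1.0, "866-251-5555", "517-555-3000"),
          (1.9, "616-304-8888", "517-555-3000")]

if __name__ == "__main__":
    for name, data in (("fan-out", FAN_OUT), ("fan-in", FAN_IN)):
        print(name, detect(data, policy="BLOCK"))
```

Raising `threshold` or shortening `window` is the tuning knob for false positives such as a chatty soft phone; replaying a day of real call records through the function with candidate values shows how many NOTIFY alerts each setting would have produced.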



  • 5.  RE: Session Border Controller DoS understanding

    Posted 11-11-2020 02:03 PM
    Edited by Mark Flath 11-11-2020 02:07 PM
    I think I have it figured out.  The image below is from the station (1064) that keeps generating the alerts.  This is a soft phone that is sitting on a cell. A lot of messaging in less than 1 second.

    We do want the Notify so that we can get an alert that someone is knocking at the door.  I just need to get the threshold dialed in to prevent any false positives.  Not doing any blocking at this moment.