DoS alerts in the SBC do not have anything to do with IP addresses (remember, the alerts you would see are layer 7, not layer 2 or 3). They are based solely on phone number/extension. The probes could be coming from multiple IPs or a single one (both would be common, especially in a trunking environment or remote-worker environment).
You are getting a NOTIFY, since that is the policy you set in the SBC (that may also be the default). In the policies, you can have it IGNORE, NOTIFY, or BLOCK. If you set it to BLOCK, it will ignore all traffic that matches the pattern for a specified amount of time. If you set it to IGNORE, you won't even see it in the logs.
-Nick
------------------------------
Nick Kwiatkowski
Director of Design and Engineering
Michigan State University
East Lansing MI
------------------------------
Original Message:
Sent: 11-11-2020 01:22 PM
From: Mark Flath
Subject: Session Border Controller DoS understanding
Thanks Nick.
That part I understand. I have seen DoS alerts with multiple IPs, but in the case of this one, which I keep seeing, it does not make any sense. I am only seeing one IP, and the alert is Notify, which I am assuming is a SIP ANY message, but why the single IP?
GO BLUE!!!!
------------------------------
Mark Flath
Telecom Engineer III
Answer Financial Inc
Encino CA
Original Message:
Sent: 11-11-2020 12:30 PM
From: Nick Kwiatkowski
Subject: Session Border Controller DoS understanding
DoS or DDoS alerts on the SBC are typically triggered when a single phone number calls a bunch of numbers at or near the same time. For example, if the phone number
800-555-1212 is shown calling
517-555-3000
517-555-3001
517-555-8754
517-555-8766
all within a few seconds, it would trigger the alarm. This alarm exists because a normal person should not be able to dial /that/ quickly between calls if they were a real human.
The DDoS alarm is similar, but the opposite. This would trigger when multiple numbers are hitting a single DID all within a few seconds. For example, if you have the number
517-555-3000 getting calls from
800-555-1212
877-666-3000
866-251-5555
616-304-8888
It would trigger the alarm as well. It would be highly unusual for multiple numbers to call a single DID in quick sequence.
-Nick
------------------------------
Nick Kwiatkowski
Director of Design and Engineering
Michigan State University
East Lansing MI
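As an added illustration (not code from this thread, and not any vendor's SBC implementation), the Python below models the two alarms Nick describes in the message above, a single caller fanning out to many DIDs (DoS) and many callers converging on one DID (DDoS), together with the IGNORE / NOTIFY / BLOCK policy actions from his later reply. Everything is keyed on phone numbers; the source IP is only carried along for display, which is why a DoS alert can show exactly one IP. The window length, threshold, block duration, log-line format and the sample INVITE lines are all constructed assumptions.

```python
"""Phone-number-keyed DoS/DDoS detection with IGNORE/NOTIFY/BLOCK policies.

Illustrative code only; the log format, thresholds and sample calls are
constructed for this example and do not reflect any particular SBC.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0   # "within a few seconds" -- assumed window
THRESHOLD = 4          # distinct far-end numbers inside the window -- assumed

IGNORE, NOTIFY, BLOCK = "ignore", "notify", "block"


class PhoneDosDetector:
    """Every decision is keyed on a phone number, never on an IP address."""

    def __init__(self, policy=NOTIFY, block_seconds=60.0):
        self.policy = policy
        self.block_seconds = block_seconds      # assumed block duration
        self.by_caller = defaultdict(deque)     # caller -> (t, callee, src_ip)
        self.by_callee = defaultdict(deque)     # callee -> (t, caller, src_ip)
        self.blocked = {}                       # (kind, number) -> unblock time
        self.alerts = []                        # what the SBC log would show
        self.dropped = 0                        # INVITEs silently discarded

    @staticmethod
    def _prune(dq, now):
        """Drop entries that fell out of the sliding window."""
        while dq and now - dq[0][0] > WINDOW_SECONDS:
            dq.popleft()

    def _check(self, kind, number, dq, now):
        distinct = {peer for _, peer, _ in dq}
        if len(distinct) < THRESHOLD:
            return
        if self.policy == IGNORE:
            return                              # IGNORE: nothing is logged at all
        self.alerts.append({
            "t": now, "kind": kind, "number": number, "action": self.policy,
            "peers": sorted(distinct),
            "ips": sorted({ip for _, _, ip in dq}),   # informational only
        })
        if self.policy == BLOCK:
            self.blocked[(kind, number)] = now + self.block_seconds
        dq.clear()   # one alert per burst; start counting again

    def observe(self, t, caller, callee, src_ip):
        """Feed one INVITE. Returns 'allow' or 'drop'."""
        for key in (("dos", caller), ("ddos", callee)):
            until = self.blocked.get(key)
            if until is not None:
                if t < until:                   # BLOCK: matching traffic ignored
                    self.dropped += 1
                    return "drop"
                del self.blocked[key]           # block expired
        self.by_caller[caller].append((t, callee, src_ip))
        self.by_callee[callee].append((t, caller, src_ip))
        self._prune(self.by_caller[caller], t)
        self._prune(self.by_callee[callee], t)
        self._check("dos", caller, self.by_caller[caller], t)    # one caller, many DIDs
        self._check("ddos", callee, self.by_callee[callee], t)   # many callers, one DID
        return "allow"


# Constructed sample: a DoS burst from one number/IP, then a DDoS burst on one DID.
SAMPLE_LOG = """\
t=0.0 INVITE from=8005551212 to=5175553000 src=203.0.113.7
t=0.8 INVITE from=8005551212 to=5175553001 src=203.0.113.7
t=1.5 INVITE from=8005551212 to=5175558754 src=203.0.113.7
t=2.1 INVITE from=8005551212 to=5175558766 src=203.0.113.7
t=2.5 INVITE from=8005551212 to=5175558767 src=203.0.113.7
t=10.0 INVITE from=8775553000 to=5175553000 src=198.51.100.2
t=10.4 INVITE from=8662515555 to=5175553000 src=198.51.100.9
t=11.1 INVITE from=6163048888 to=5175553000 src=192.0.2.77
t=11.9 INVITE from=8005551212 to=5175553000 src=203.0.113.7
"""


def parse_line(line):
    """Parse the constructed 't=.. INVITE from=.. to=.. src=..' format."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return float(fields["t"]), fields["from"], fields["to"], fields["src"]


def run(policy):
    det = PhoneDosDetector(policy=policy)
    for line in SAMPLE_LOG.splitlines():
        det.observe(*parse_line(line))
    return det


if __name__ == "__main__":
    for policy in (IGNORE, NOTIFY, BLOCK):
        d = run(policy)
        print(f"policy={policy}: {len(d.alerts)} alert(s), {d.dropped} dropped")
        for a in d.alerts:
            print("  ", a["kind"], a["number"], "ips=", a["ips"])
```

Under NOTIFY the sample produces a DoS alert for 8005551212 carrying a single IP and a DDoS alert for 5175553000 carrying four; under BLOCK the caller is suppressed after the first alert, so its later INVITE to 5175553000 is dropped before it can count toward the DDoS tally; under IGNORE nothing is recorded.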
Original Message:
Sent: 11-11-2020 11:59 AM
From: Mark Flath
Subject: Session Border Controller DoS understanding
Greetings all. Is there anyone who understands the DoS alerts for the SBCs? Specifically the Phone DoS incidents. I am trying to get a better understanding of what is being triggered here.
------------------------------
Mark Flath
Telecom Engineer III
Answer Financial Inc
Encino CA
------------------------------