PIX and SIP message rate limiting

Discussion in 'Cisco' started by tdfontaine, Nov 9, 2004.

  1. tdfontaine

    We're looking for a way to limit the number of SIP messages on a PIX
    firewall (6.3 IOS) to reduce exposure from a SIP DOS type of attack.
    As it stands today, we have some SIP servers being protected by a PIX
    525. The current PIX configuration allows an unlimited number of SIP
    messages from any host. With a SIP stress tool, we found that the
    servers are vulnerable to a DOS.

    TIA,
    Trevor
     
    tdfontaine, Nov 9, 2004
    #1
  2. In article <>,
    tdfontaine <> wrote:
    :We're looking for a way to limit the number of SIP messages on a PIX
    :firewall (6.3 IOS) to reduce exposure from a SIP DOS type of attack.
    :As it stands today, we have some SIP servers being protected by a PIX
    :525. The current PIX configuration allows an unlimited number of SIP
    :messages from any host. With a SIP stress tool, we found that the
    :servers are vulnerable to a DOS.

    Perhaps in your static statement that defines the internal host
    that is to receive the messages, you could set max_conns ? That's
    the second last number on the line -- where your line probably
    ends in 0 0 change it so the first of those 0's is a positive value.

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694
    --
    Take care in opening this message: My grasp on reality may have shaken
    loose during transmission!
     
    Walter Roberson, Nov 9, 2004
    #2
  3. tdfontaine

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<cmpkbv$6lp$>...
    > In article <>,
    > tdfontaine <> wrote:
    > :We're looking for a way to limit the number of SIP messages on a PIX
    > :firewall (6.3 IOS) to reduce exposure from a SIP DOS type of attack.
    > :As it stands today, we have some SIP servers being protected by a PIX
    > :525. The current PIX configuration allows an unlimited number of SIP
    > :messages from any host. With a SIP stress tool, we found that the
    > :servers are vulnerable to a DOS.
    >
    > Perhaps in your static statement that defines the internal host
    > that is to receive the messages, you could set max_conns ? That's
    > the second last number on the line -- where your line probably
    > ends in 0 0 change it so the first of those 0's is a positive value.
    >
    > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694
    Thanks for taking the time to respond to my post. I looked at the
    'static' command and the 'max connections' & 'embryonic limit'
    options. They are promising as they will limit the number of TCP/UDP
    connections, but I'm looking for something a little more specific to
    UDP ports so I can limit the number of SIP requests in a given time
    frame. I'm getting the feeling that the PIX 525 isn't able to support
    this feature. Do you have any other ideas?
     
    tdfontaine, Nov 9, 2004
    #3
  4. In article <>,
    tdfontaine <> wrote:
    :I looked at the
    :'static' command and the 'max connections' & 'embryonic limit'
    :options. They are promising as they will limit the number of TCP/UDP
    :connections, but I'm looking for something a little more specific to
    :UDP ports so I can limit the number of SIP requests in a given time
    :frame. I'm getting the feeling that the PIX 525 isn't able to support
    :this feature.

    You can apply a connection limit to a udp port by using static PAT:

    static (inside, outside) udp OUTSIDEIP 5160 INSIDEIP 5160 netmask 255.255.255.255 CONLIMIT 0

    The embryonic limit isn't going to do much good with UDP, since it works
    on TCP.

    PIX does not offer any configurable rate limiting except what can
    be done via the 'max connections' or 'embryonic limit' parameters
    on 'static' commands.
    One suggestion: have you tried playing with the sip timeout via
    the 'timeout' command ?
    --
    Can a statement be self-referential without knowing it?
     
    Walter Roberson, Nov 9, 2004
    #4
  5. Hello, tdfontaine!
    You wrote on 9 Nov 2004 09:59:38 -0800:

    t> -cnrc.gc.ca (Walter Roberson) wrote in message
    t> news:<cmpkbv$6lp$>...
    >> In article <>,
    >> tdfontaine <> wrote:
    >> :We're looking for a way to limit the number of SIP messages on a
    >> :PIX firewall (6.3 IOS) to reduce exposure from a SIP DOS type
    >> :of attack. As it stands today, we have some SIP servers being
    >> :protected by a PIX 525. The current PIX configuration allows
    >> :an unlimited number of SIP messages from any host. With a SIP
    >> :stress tool, we found that the servers are vulnerable to a DOS.
    >>
    >> Perhaps in your static statement that defines the internal host
    >> that is to receive the messages, you could set max_conns ?
    >> That's the second last number on the line -- where your line
    >> probably ends in 0 0 change it so the first of those 0's is a
    >> positive value.
    >>
    >> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694

    t> Thanks for taking the time to respond to my post. I looked at the
    t> 'static' command and the 'max connections' & 'embryonic limit'
    t> options. They are promising as they will limit the number of
    t> TCP/UDP connections, but I'm looking for something a little more
    t> specific to UDP ports so I can limit the number of SIP requests in a
    t> given time frame. I'm getting the feeling that the PIX 525 isn't
    t> able to support this feature. Do you have any other ideas?

    According to RFC 3261 http://www.faqs.org/rfcs/rfc3261.html SIP elements MUST
    support TCP. UDP support is optional. I think you will be OK by disabling access
    to your SIP servers from outside by UDP. With that being done, Walter's
    recommendation about the static statement will work beautifully.

    With best regards,
    Andrey.
     
    Andrey Tarasov, Nov 9, 2004
    #5
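Putting Walter's max_conns/static PAT advice and Andrey's TCP-only suggestion together, here is an added PIX 6.3 configuration fragment that is not from the thread; the addresses 203.0.113.10 and 10.1.1.10, the ACL name OUTSIDE_IN, and the limits 200/50 and the 5-minute timeout are placeholders chosen for illustration.

```text
! Added example (not from the thread). PIX 6.3 syntax; addresses, ACL name
! and limit values are placeholders.

! BEFORE: the trailing "0 0" means unlimited max_conns and unlimited
! embryonic limit, so any host can open an unbounded number of SIP
! translations toward the server (the situation the OP describes).
static (inside,outside) tcp 203.0.113.10 5060 10.1.1.10 5060 netmask 255.255.255.255 0 0
static (inside,outside) udp 203.0.113.10 5060 10.1.1.10 5060 netmask 255.255.255.255 0 0
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq 5060
access-list OUTSIDE_IN permit udp any host 203.0.113.10 eq 5060
access-group OUTSIDE_IN in interface outside

! AFTER: cap concurrent SIP connections through this translation at 200
! (max_conns) and half-open TCP handshakes at 50 (emb_limit; the embryonic
! limit has no effect on UDP, as Walter notes).
static (inside,outside) tcp 203.0.113.10 5060 10.1.1.10 5060 netmask 255.255.255.255 200 50
! Expose SIP from outside over TCP only (RFC 3261 requires TCP support), so
! the connection cap above actually bounds the load; the udp static and the
! udp ACL entry are dropped.
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq 5060
access-group OUTSIDE_IN in interface outside
! Free idle SIP signalling connections sooner than the default so that
! abandoned sessions do not hold slots against the max_conns cap.
timeout sip 0:05:00
```

These are caps on concurrent connections, not on SIP requests per time window, which is exactly the gap the thread identifies in PIX 6.3; `show local-host 10.1.1.10` on the PIX shows the current connection count against the configured limit.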