Mitigating Network Attacks on UDP Port 1085

a.janssen
Level 1

Hi,

I need to implement a filter for network attacks on UDP port 1085. Somebody is flooding my server with SIP packets.

I have a rule set for the linux netfilter firewall to achieve that. It looks like this:

iptables -A FORWARD -m string --string "INVITE sip:" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m string --string "REGISTER sip:" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m string --string "SUBSCRIBE" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m string --string "MESSAGE" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m string --string "OPTIONS" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m hashlimit --hashlimit 50/sec --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -d SERVER_IP -p UDP --dport 1805 -j ACCEPT
iptables -A FORWARD -d SERVER_IP -p UDP --dport 1805 -j DROP

My try to get this running on an ASA looks like this:

regex SIP_SUBSCRIBE "SUBSCRIBE sip"
regex SIP_REGISTER "REGISTER sip"
regex SIP_MESSAGE "MESSAGE sip"
regex SIP_OPTIONS "OPTIONS sip"
regex SIP_INVITE "INVITE sip"

access-list sip_log extended permit udp any any eq 1085

class-map siptraffic
match access-list sip_log
class-map type regex match-any SIP
description SIP Class Map
match regex SIP_MESSAGE
match regex SIP_OPTIONS
match regex SIP_SUBSCRIBE
match regex SIP_INVITE
match regex SIP_REGISTER

class-map type inspect sip match-any sip_class
match content type regex class SIP

policy-map type inspect sip test_sip
class sip_class
  log

policy-map outside_sip-policy
class siptraffic
inspect sip test_sip

service-policy outside_sip-policy interface outside

But I'm not sure how to drop the packets. And I'm not sure how to block more than 50pps from one IP for UDP port 1805.

Can somebody give me a hint how to configure that?

Regards

Andre
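To make the behaviour of the netfilter rule set above concrete, here is an added Python model of it (example code written for this thread, not the poster's or Cisco's): it looks for the SIP request methods in the first 65 bytes of the payload (the `--to 65` scan window) and drops those packets outright, then applies a per-source token bucket to the remaining UDP traffic on the port, mirroring `hashlimit 50/sec` with its default burst of 5 packets (the rules do not set `--hashlimit-burst`). The packets, addresses and timestamps are constructed for the example.

```python
"""Model of the poster's netfilter rules: drop SIP requests on the VoIP port,
then allow at most `rate` packets/sec per source IP and drop the excess.
Added example for this thread; all packets below are constructed."""

# Same method strings the iptables rules match with --algo bm --to 65.
SIP_METHODS = (b"INVITE sip:", b"REGISTER sip:", b"SUBSCRIBE", b"MESSAGE", b"OPTIONS")
SCAN_DEPTH = 65  # --to 65: only the first 65 payload bytes are searched


def is_sip_request(payload: bytes) -> bool:
    """True if one of the SIP method strings occurs within the scan window."""
    return any(m in payload[:SCAN_DEPTH] for m in SIP_METHODS)


class PerSourceLimiter:
    """Approximation of `-m hashlimit --hashlimit-mode srcip,dstport`:
    one token bucket per (srcip, dstport), refilled at `rate` tokens/sec,
    holding at most `burst` tokens (iptables default burst is 5)."""

    def __init__(self, rate: float = 50.0, burst: int = 5):
        self.rate = rate
        self.burst = burst
        self.buckets = {}  # (srcip, dstport) -> (tokens, last_timestamp)

    def allow(self, key, now: float) -> bool:
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


def filter_packets(packets, port: int = 1085, rate: float = 50.0, burst: int = 5):
    """packets: iterable of (timestamp, srcip, dport, payload).
    Returns one verdict per packet, in order:
    PASS (rules do not apply), DROP_SIP, ACCEPT, or DROP_RATE."""
    limiter = PerSourceLimiter(rate, burst)
    verdicts = []
    for ts, src, dport, payload in packets:
        if dport != port:
            verdicts.append("PASS")
        elif is_sip_request(payload):
            verdicts.append("DROP_SIP")      # string-match rules come first
        elif limiter.allow((src, dport), ts):
            verdicts.append("ACCEPT")        # within 50/sec for this source
        else:
            verdicts.append("DROP_RATE")     # final catch-all DROP
    return verdicts


def summarize(verdicts):
    """Count verdicts, e.g. {'ACCEPT': 7, 'DROP_RATE': 95, ...}."""
    counts = {}
    for v in verdicts:
        counts[v] = counts.get(v, 0) + 1
    return counts


def build_sample():
    """Constructed traffic: one flooding source, one normal source."""
    flooder, normal = "203.0.113.9", "198.51.100.7"   # documentation ranges
    invite = b"INVITE sip:100@example.invalid SIP/2.0\r\nVia: SIP/2.0/UDP x\r\n"
    tunnel = b"\x00\x01\x02\x03 non-SIP tunnel payload"
    pkts = [(0.0, flooder, 1085, invite) for _ in range(3)]       # SIP flood
    pkts += [(0.0, flooder, 1085, tunnel) for _ in range(100)]    # burst in one instant
    pkts.append((0.0, normal, 1085, tunnel))                      # unaffected source
    pkts.append((0.0, flooder, 5060, tunnel))                     # other port: rules n/a
    pkts.append((1.0, flooder, 1085, tunnel))                     # bucket refilled
    return pkts


if __name__ == "__main__":
    print(summarize(filter_packets(build_sample())))
```

Running it shows the two mechanisms separately: the three INVITEs are dropped by the string match before any rate accounting, the 100-packet burst from the flooding source gets only the 5-packet burst through, the other source is untouched, and one second later the flooder's bucket has refilled. This is also the point PK's later replies make about the ASA: the iptables version can chain a content match and a per-source limit on the same port, which is exactly the combination that has to be approximated there.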

6 Replies

Panos Kampanakis
Cisco Employee

You can police traffic that matches the udp port traffic.

https://supportforums.cisco.com/docs/DOC-1230#Traffic_Policing_with_Prioritization explains how to do it to match the traffic and then police it.

I hope it helps.

PK

Hi,

that's what I came up with:

access-list sip-acl extended permit udp any any eq 1085

class-map sip-class
match access-list sip-acl

class-map  type inspect sip match-any sip-map
match request-method message
match request-method subscribe
match request-method options
match request-method register
match request-method invite

policy-map type  inspect sip sip-insp
class sip-map

policy-map sip-pol
class sip-class
inspect sip sip-insp
police input 8000 1500  conform-action drop exceed-action drop
!
service-policy sip-pol  interface outside

Any comments on this? I mean, should this work as expected?

Regards

Andre

The sip inspection for the sip-map might not be necessary since the action does not do anything. Inspecting sip globally and doing only policing for sip would also be enough


class-map sip-class
  match access-list sip-acl

policy-map sip-pol
  class sip-class
   police input 8000 1500  conform-action drop exceed-action drop

service-policy sip-pol  interface outside

PK

I do not want the complete UDP traffic on port 1085 to be policed. This should only be effective against the SIP packets on port 1085. My hope was that this would work with that inspect rule. Do you have an idea how to achieve this somehow?

Regards

Andre

Is that maybe a working plot? This should help to check and drop the required packets. Any comments on this?

Thanks

Andre

class-map sipport-class
match port udp eq 1085

class-map type inspect sip match-any sip-map
match request-method message
match request-method subscribe
match request-method options
match request-method register
match request-method invite
match request-method ack
match request-method bye
match request-method cancel
match request-method info
match request-method notify
match request-method prack
match request-method publish
match request-method refer
match request-method update
match request-method unknown
!
!
policy-map type inspect sip sip-insp
parameters
class sip-map
  drop log
!
policy-map sip-pol
class sipport-class
  inspect sip sip-insp
!
service-policy sip-pol interface outside

That won't work either. You want to match on SIP.

If another app is using the same port you are using for your SIP then you might have bigger problems than policing.

You cannot match on a protocol over a specific port. To match in a class map you use an ACL or the other options. In the type inspect class-maps you can only match on fields to be acted upon in a policy-map.

If you want to drop the SIP packets over that port then your config will work.

But if you want to rate limit only the SIP packets over that port it can't be done.

PK
