02-14-2010 09:36 AM - edited 03-11-2019 10:09 AM
Hi,
I need to implement a filter for network attacks on UDP port 1085. Somebody is flooding my server with SIP packets.
I have a rule set for the Linux netfilter firewall to achieve that. It looks like this:
iptables -A FORWARD -m string --string "INVITE sip:" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m string --string "REGISTER sip:" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m string --string "SUBSCRIBE" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m string --string "MESSAGE" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m string --string "OPTIONS" --algo bm --to 65 -p udp --dport 1805 -d SERVER_IP -j DROP
iptables -A FORWARD -m hashlimit --hashlimit 50/sec --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -d SERVER_IP -p UDP --dport 1805 -j ACCEPT
iptables -A FORWARD -d SERVER_IP -p UDP --dport 1805 -j DROP
My attempt to get this running on an ASA looks like this:
regex SIP_SUBSCRIBE "SUBSCRIBE sip"
regex SIP_REGISTER "REGISTER sip"
regex SIP_MESSAGE "MESSAGE sip"
regex SIP_OPTIONS "OPTIONS sip"
regex SIP_INVITE "INVITE sip"
access-list sip_log extended permit udp any any eq 1085
class-map siptraffic
 match access-list sip_log
class-map type regex match-any SIP
 description SIP Class Map
 match regex SIP_MESSAGE
 match regex SIP_OPTIONS
 match regex SIP_SUBSCRIBE
 match regex SIP_INVITE
 match regex SIP_REGISTER
class-map type inspect sip match-any sip_class
 match content type regex class SIP
policy-map type inspect sip test_sip
 class sip_class
  log
policy-map outside_sip-policy
 class siptraffic
  inspect sip test_sip
service-policy outside_sip-policy interface outside
But I'm not sure how to drop the packets. And I'm not sure how to block more than 50 pps from one IP for UDP port 1805.
Can somebody give me a hint on how to configure that?
Regards
Andre
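As an added illustration (not part of the thread), the following Python model reproduces what the seven netfilter rules above do: string-match the listed SIP methods within the first 65 bytes and drop them outright, then apply a per-source token bucket (srcip,dstport key, 50/sec) to the remaining UDP traffic to the port, and drop whatever exceeds it. The addresses and the burst value of 5 (iptables' default --hashlimit-burst) are assumptions; the offset window is modelled over the UDP payload, while netfilter counts it from the start of the IP packet.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed example addresses; SERVER_IP in the thread is a placeholder too.
SERVER_IP = "192.0.2.10"
SIP_METHODS = (b"INVITE sip:", b"REGISTER sip:", b"SUBSCRIBE", b"MESSAGE", b"OPTIONS")
MATCH_WINDOW = 65        # -m string --to 65: the pattern must lie within the first 65 bytes
RATE_PPS, BURST = 50, 5  # --hashlimit 50/sec; 5 is iptables' default --hashlimit-burst (assumed)


@dataclass
class Bucket:
    tokens: float
    last: float


class SipPortFilter:
    """Model of the FORWARD rules: drop the listed SIP methods, then rate-limit per source."""

    def __init__(self, server_ip: str, port: int = 1805):
        self.server_ip, self.port = server_ip, port
        self.buckets: dict = {}  # keyed like --hashlimit-mode srcip,dstport

    def _under_limit(self, key, now: float) -> bool:
        b = self.buckets.setdefault(key, Bucket(BURST, now))
        b.tokens = min(BURST, b.tokens + (now - b.last) * RATE_PPS)  # refill since last packet
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False

    def verdict(self, src, dst, proto, dport, payload: bytes, now: float) -> str:
        if proto != "udp" or dst != self.server_ip or dport != self.port:
            return "PASS"       # no rule matches; the packet continues down the chain
        # Netfilter's offset counts from the IP header, so the real payload window is
        # shorter than the 65 bytes modelled here.
        head = payload[:MATCH_WINDOW]
        if any(m in head for m in SIP_METHODS):
            return "DROP"       # rules 1-5: the listed SIP methods are dropped outright
        if self._under_limit((src, dport), now):
            return "ACCEPT"     # rule 6: within 50/sec (plus burst) for this source
        return "DROP"           # rule 7: everything else to the port


def run_flood(filt, src, n, interval, payload=b"ACK sip:alice@example.com SIP/2.0\r\n"):
    """Send n constructed non-matching packets from one source, `interval` seconds apart."""
    return Counter(filt.verdict(src, filt.server_ip, "udp", filt.port, payload, i * interval)
                   for i in range(n))
```

Note that this rule set never rate-limits the matched SIP methods; they are dropped unconditionally, and only the other traffic on the port is policed.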
02-15-2010 10:15 AM
You can police traffic that matches the udp port traffic.
https://supportforums.cisco.com/docs/DOC-1230#Traffic_Policing_with_Prioritization explains how to do it to match the traffic and then police it.
I hope it helps.
PK
02-15-2010 02:13 PM
Hi,
that's what I came up with:
access-list sip-acl extended permit udp any any eq 1085
class-map sip-class
 match access-list sip-acl
class-map type inspect sip match-any sip-map
 match request-method message
 match request-method subscribe
 match request-method options
 match request-method register
 match request-method invite
policy-map type inspect sip sip-insp
 class sip-map
policy-map sip-pol
 class sip-class
  inspect sip sip-insp
  police input 8000 1500 conform-action drop exceed-action drop
!
service-policy sip-pol interface outside
Any comments on this? I mean, should this work as expected?
Regards
Andre
02-15-2010 02:47 PM
The sip inspection for the sip-map might not be necessary since the action does not do anything. Inspecting sip globally and doing only policing for sip would also be enough:
class-map sip-class
 match access-list sip-acl
policy-map sip-pol
 class sip-class
  police input 8000 1500 conform-action drop exceed-action drop
service-policy sip-pol interface outside
PK
02-15-2010 02:54 PM
I do not want the complete UDP traffic on port 1085 to be policed. This should only be effective against the SIP packets on port 1085. My hope was that this would work with that inspect rule. Do you have an idea how to achieve this somehow?
Regards
Andre
02-15-2010 05:04 PM
Is that maybe a working plot? This should help to check and drop the required packets. Any comments on this?
Thanks
Andre
class-map sipport-class
 match port udp eq 1085
class-map type inspect sip match-any sip-map
 match request-method message
 match request-method subscribe
 match request-method options
 match request-method register
 match request-method invite
 match request-method ack
 match request-method bye
 match request-method cancel
 match request-method info
 match request-method notify
 match request-method prack
 match request-method publish
 match request-method refer
 match request-method update
 match request-method unknown
!
!
policy-map type inspect sip sip-insp
 parameters
 class sip-map
  drop log
!
policy-map sip-pol
 class sipport-class
  inspect sip sip-insp
!
service-policy sip-pol interface outside
02-15-2010 08:30 PM
That won't work either. You want to match on SIP.
If another app is using the same port you are using for your SIP, then you might have bigger problems than policing.
You cannot match on a protocol over a specific port. To match in a class map you use an ACL or the other options. In the type inspect class-maps you can only match on fields to be acted upon in a policy-map.
If you want to drop the SIP packets over that port, then your config will work.
But if you want to rate limit only the SIP packets over that port, it can't be done.
PK