The ability of the SIP proxy server to process calls can be impacted by repeat SIP INVITE requests—requests that it initially denied. The DoS protection feature enables you to configure the J-series device to monitor INVITE requests and proxy server replies to them. If a reply contains a 3xx, 4xx, or 5xx response code (see Classes of SIP Responses), the ALG stores the source IP address of the request and the IP address of the proxy server in a table. Subsequently, the J-series device checks all INVITE requests against this table and, for a configurable number of seconds (the default is 3), discards any packets that match entries in the table. You can configure the J-series device to monitor and deny repeat INVITE requests to all proxy servers, or you can protect a specific proxy server by specifying the destination IP address. SIP attack protection is configured globally.
Before You Begin |
---|
For background information, read |
To configure DoS attack protection, use either the J-Web or CLI configuration editor.
In this example, you configure the J-series device to protect a single SIP proxy server (1.1.1.3) from repeat INVITE requests to which it has already denied service. Packets are dropped for a period of 5 seconds, after which the J-series device resumes forwarding INVITE requests from those sources.
- user@host# set security alg sip application-screen protect deny destination-ip 1.1.1.3
- user@host# set security alg sip application-screen protect deny timeout 5
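
The deny-table behavior described above, modeled in Python with the example's settings (protected proxy 1.1.1.3, timeout 5). This is an added illustration, not Juniper code or part of the original page. The class and function names, the 192.0.2.x sources, the second proxy 1.1.1.4 and the event trace are constructed, and the exact expiry boundary and the rule that dropped packets do not restart the timer are assumptions.

```python
class InviteDenyTable:
    """Model of the ALG deny table (hypothetical names, not Junos code)."""

    def __init__(self, timeout=3, protected=None):
        self.timeout = timeout      # seconds; the page gives 3 as the default
        self.protected = protected  # None = all proxies, else one destination IP
        self.entries = {}           # (source_ip, proxy_ip) -> expiry time

    def on_response(self, now, source_ip, proxy_ip, status):
        """Store the pair when a proxy answers an INVITE with 3xx, 4xx or 5xx."""
        covered = self.protected is None or proxy_ip == self.protected
        if covered and 300 <= status <= 599:
            self.entries[(source_ip, proxy_ip)] = now + self.timeout

    def on_invite(self, now, source_ip, proxy_ip):
        """Return 'drop' while a matching entry is live, else 'forward'."""
        key = (source_ip, proxy_ip)
        expiry = self.entries.get(key)
        if expiry is None:
            return "forward"
        if now >= expiry:           # assumption: entry ends exactly at expiry
            del self.entries[key]
            return "forward"
        return "drop"               # assumption: a drop does not restart the timer

def replay(events, timeout=5, protected="1.1.1.3"):
    """Feed a trace through the table; return one verdict per INVITE."""
    table = InviteDenyTable(timeout, protected)
    verdicts = []
    for now, kind, source_ip, proxy_ip, status in events:
        if kind == "INVITE":
            verdicts.append(table.on_invite(now, source_ip, proxy_ip))
        else:
            table.on_response(now, source_ip, proxy_ip, status)
    return verdicts

# Constructed trace: (time_s, kind, source_ip, proxy_ip, status or None)
SAMPLE = [
    (0, "INVITE", "192.0.2.9", "1.1.1.3", None),   # first attempt
    (1, "REPLY", "192.0.2.9", "1.1.1.3", 403),     # proxy denies it
    (2, "INVITE", "192.0.2.9", "1.1.1.3", None),   # repeat inside the window
    (2, "INVITE", "192.0.2.7", "1.1.1.3", None),   # different source
    (3, "INVITE", "192.0.2.9", "1.1.1.4", None),   # different proxy
    (4, "REPLY", "192.0.2.9", "1.1.1.4", 486),     # denial by unprotected proxy
    (5, "INVITE", "192.0.2.9", "1.1.1.4", None),
    (5, "INVITE", "192.0.2.9", "1.1.1.3", None),   # still inside 5 s
    (6, "INVITE", "192.0.2.9", "1.1.1.3", None),   # window over
]
```

Calling `replay(SAMPLE, protected=None)` models protection for all proxy servers, in which case the denial from 1.1.1.4 is also recorded and the following INVITE to it is dropped.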