SIP rate limiting

Configurable threshold for SIP message rates per request method. Protects SIP servers from SIP overload and DoS attacks.

[Figure: SIP rate limiting. SIP request methods shown: INVITE, REGISTER, SUBSCRIBE, NOTIFY, REFER, UPDATE, OPTIONS, MESSAGE, ACK, PRACK, INFO. Key points from the figure:]

  • SIP message rate limitation
  • Individually configurable per SIP method
  • When threshold is hit additional messages with this method will be
  • Prevents SIP server from getting overloaded by flash crowds or Denial-of-Service attacks.
  • May block some methods entirely
  • Can be disabled (unlimited rate)

FortiGate units support rate limiting for the following types of VoIP traffic:

  • Session Initiation Protocol (SIP)
  • Skinny Call Control Protocol (SCCP) (most versions)
  • Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE).

You can use rate limiting of these VoIP protocols to protect the FortiGate unit and your network from SIP and SCCP Denial of Service (DoS) attacks. Rate limiting protects against SIP DoS attacks by limiting the number of SIP REGISTER and INVITE requests that the FortiGate unit receives per second. Rate limiting protects against SCCP DoS attacks by limiting the number of SCCP call setup messages that the FortiGate unit receives per minute.

You configure rate limiting for a message type by specifying the maximum number of messages of that type that can be received per second. The rate is limited per security policy. When VoIP rate limiting is enabled for a message type and a single security policy accepts more messages per second than the configured rate, the extra messages are dropped and a log message is written for each dropped message.

Use the following command to configure a VoIP profile so that each security policy the profile is added to accepts at most 100 INVITE messages per second:

    config voip profile
        edit VoIP_Pro_Name
            config sip
                set invite-rate 100
            end
        end

If you are experiencing denial of service attacks from traffic using these VoIP protocols, you can enable VoIP rate limiting and limit the rates for your network. Limit the rates depending on the amount of SIP and SCCP traffic that you expect the FortiGate unit to be handling. You can adjust the settings if some calls are lost or if the amount of SIP or SCCP traffic is affecting FortiGate unit performance.
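The per-policy, per-method behaviour described above, as an added Python model (not FortiGate code) that counts SIP requests per security policy and one-second window, drops anything over the configured limit and emits a log line per drop; the limit names, the constructed sample traffic and the log format are assumptions:

```python
"""Model of the per-policy SIP rate limiting described on this page.

Added example, not FortiGate code. Assumptions: a limit is looked up by the
VoIP profile's per-method CLI option name (e.g. invite-rate), 0 or absent means
unlimited, and each security policy has its own counter per one-second window.
"""
from collections import defaultdict


def parse_request_line(line):
    """Return the method of a SIP request line such as 'INVITE sip:bob@example.com SIP/2.0'."""
    method, _uri, version = line.split(" ", 2)
    if not version.startswith("SIP/2.0"):
        raise ValueError("not a SIP request line: %r" % line)
    return method.upper()


def apply_rate_limits(messages, limits):
    """messages: iterable of (timestamp_seconds, policy_id, request_line).
    limits: {"invite-rate": 100, ...}. Returns (accepted, dropped, log_lines)."""
    counts = defaultdict(int)  # keyed by (policy, method, one-second window)
    accepted, dropped, log_lines = [], [], []
    for ts, policy, line in messages:
        method = parse_request_line(line)
        limit = limits.get(method.lower() + "-rate", 0)
        window = int(ts)
        key = (policy, method, window)
        if limit and counts[key] >= limit:
            dropped.append((ts, policy, method))
            log_lines.append("policy=%s method=%s window=%d limit=%d dropped"
                             % (policy, method, window, limit))
            continue
        counts[key] += 1
        accepted.append((ts, policy, method))
    return accepted, dropped, log_lines


# Constructed sample traffic: policy 1 gets a burst of 5 INVITEs inside one second,
# policy 2 gets 2 INVITEs in the same second, then a REGISTER and a later INVITE.
SAMPLE = [(10.0 + i * 0.1, 1, "INVITE sip:bob@example.com SIP/2.0") for i in range(5)]
SAMPLE += [(10.4, 2, "INVITE sip:carol@example.com SIP/2.0"),
           (10.5, 2, "INVITE sip:dave@example.com SIP/2.0"),
           (10.6, 1, "REGISTER sip:example.com SIP/2.0"),
           (11.2, 1, "INVITE sip:erin@example.com SIP/2.0")]
LIMITS = {"invite-rate": 3, "register-rate": 0}  # small limit so the drop shows

if __name__ == "__main__":
    ok, drop, logs = apply_rate_limits(SAMPLE, LIMITS)
    print("%d accepted, %d dropped" % (len(ok), len(drop)))
    print("\n".join(logs))
```

Only policy 1's fourth and fifth INVITEs in the 10-second window are dropped; policy 2's INVITEs, the unlimited REGISTER and the INVITE in the next window all pass.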

The table below lists all of the VoIP profile SIP rate limiting options. All of these options default to 0, which disables rate limiting for that method.

Blocking SIP OPTIONS messages may prevent a redundant configuration from operating correctly. See Supporting geographic redundancy when blocking OPTIONS messages on page 2822 for information about resolving this problem.

Options for SIP rate limiting

SIP request message    Rate limiting CLI option
ACK                    ack-rate
BYE                    bye-rate
CANCEL                 cancel-rate
INFO                   info-rate
INVITE                 invite-rate
MESSAGE                message-rate
NOTIFY                 notify-rate
OPTIONS                options-rate
PRACK                  prack-rate
PUBLISH                publish-rate
REFER                  refer-rate
REGISTER               register-rate
SUBSCRIBE              subscribe-rate
UPDATE                 update-rate

Limiting the number of SIP dialogs accepted by a security policy

In addition to limiting the rates for receiving SIP messages, you can use the following command to limit the number of SIP dialogs (or SIP calls) that the FortiGate unit accepts.

    config voip profile
        edit VoIP_Pro_Name
            config sip
                set max-dialogs 2000
            end
        end

This command sets the maximum number of SIP dialogs that can be open for SIP sessions accepted by any security policy that you add the VoIP profile to. The default setting of 0 does not limit the number of dialogs. You can add a limit to control the number of open dialogs and raise and lower it as required. You might want to limit the number of open dialogs for protection against SIP-based attackers opening large numbers of SIP dialogs.

Every dialog takes memory and FortiGate CPU resources to process. Limiting the number of dialogs may improve the overall performance of the FortiGate unit. Limiting the number of dialogs will not drop calls in progress but may prevent new calls from connecting.
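The max-dialogs behaviour described above, as an added Python model (not FortiGate code): open dialogs are tracked by Call-ID, an INVITE that would exceed the cap is refused, and a dialog that is already open is never torn down; the event format and sample calls are constructed for the example:

```python
"""Model of the max-dialogs cap described on this page (added example, not FortiGate code).

Assumptions: a dialog opens on an accepted INVITE, identified by its Call-ID, and
closes on BYE; max_dialogs 0 means no limit; the cap never tears down an open
dialog, it only refuses INVITEs that would open a new one.
"""


def apply_max_dialogs(events, max_dialogs=0):
    """events: iterable of (method, call_id). Returns (open_call_ids, refused_call_ids)."""
    open_dialogs = set()
    refused = []
    for method, call_id in events:
        method = method.upper()
        if method == "INVITE":
            if call_id in open_dialogs:
                continue  # re-INVITE (hold/resume) inside an existing dialog is not a new dialog
            if max_dialogs and len(open_dialogs) >= max_dialogs:
                refused.append(call_id)  # cap reached: the new call does not connect
                continue
            open_dialogs.add(call_id)
        elif method == "BYE":
            open_dialogs.discard(call_id)  # BYE for an unknown or refused dialog is a no-op
    return open_dialogs, refused


# Constructed sample: three calls start with the cap at 2, the third is refused,
# the first call is re-INVITEd then ended, and a fourth call then fits under the cap.
SAMPLE = [("INVITE", "c1"), ("INVITE", "c2"), ("INVITE", "c3"),
          ("INVITE", "c1"), ("BYE", "c1"), ("INVITE", "c4")]

if __name__ == "__main__":
    open_now, refused = apply_max_dialogs(SAMPLE, max_dialogs=2)
    print("open:", sorted(open_now), "refused:", refused)
```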

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
