
U1900: SIP flood attack causes call registration failure

Publication Date: 2018-07-31
Issue Description

Problem description

Most of the customer's phones could not make calls or even register, which had a large impact on service.

Topology

Phone -- U1900 (private IP) -- SIP trunk -- Huawei switch -- Firewall -- other vendor PBX (public IP)

Software version: all versions


Handling Process

 

1. Check the configuration on both the U1900 and the IP phones to make sure that all network settings and SIP information are correct.

2. Capture a debug trace. It shows that the SIP REGISTER message rate has reached more than 200/s.


3. Filter all REGISTER information for a two-minute period. Some public IP addresses have thousands of registrations:

Register IP      Register times
121.59.x.xx      30
155.94.xx.xx     4641
185.40.xx.xx     1801

 

4. Filter by register account. All of the accounts found are accounts in the private network:

Register account   Register times
6001               3602
6100               18
6102               9282

 

5. Check the details of the REGISTER messages. The account is being registered from public IP address 155.94.xx.xx, and the user agent is Asterisk PBX, which is regularly involved in SIP attacks.
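The counting done in steps 2 to 5 can be scripted. The following is an added example, not Huawei tooling and not part of the original case. The one-line record format, the per-IP threshold of 100 per window, and the sample addresses and accounts are assumptions made for illustration; the U1900 trace would first have to be converted to this format.

```python
import ipaddress
from collections import Counter

# RFC 1918 ranges; in this topology the U1900 and its phones use private addresses.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE)

def parse(line):
    # Assumed record format: "<epoch-sec> <source-ip> <method> <account> <user-agent>"
    parts = line.split(maxsplit=4)
    if len(parts) != 5 or parts[2] != "REGISTER" or not parts[0].isdigit():
        return None  # skip malformed lines and non-REGISTER methods
    return int(parts[0]), parts[1], parts[3], parts[4]

def analyze(lines, window_s=120, per_ip_limit=100):
    recs = [r for r in map(parse, lines) if r]
    if not recs:
        return None
    start = min(r[0] for r in recs)
    recs = [r for r in recs if r[0] < start + window_s]  # keep one window (step 3)
    by_ip = Counter(r[1] for r in recs)                  # step 3: count per source IP
    by_account = Counter(r[2] for r in recs)             # step 4: count per account
    per_second = Counter(r[0] for r in recs)             # step 2: REGISTER rate
    # Step 5: heavy registrants whose source address is outside the private network.
    suspects = sorted(ip for ip, n in by_ip.items()
                      if n > per_ip_limit and not is_private(ip))
    return {
        "peak_rate": max(per_second.values()),
        "by_ip": by_ip,
        "by_account": by_account,
        "suspects": suspects,
        "targeted_accounts": sorted({r[2] for r in recs if r[1] in suspects}),
        "agents": sorted({r[3] for r in recs if r[1] in suspects}),
    }

def sample_trace():
    # Constructed data: two outside sources (documentation addresses) and one phone.
    lines = [f"{1000 + i // 300} 203.0.113.7 REGISTER 6102 Asterisk PBX" for i in range(600)]
    lines += [f"{1000 + i // 75} 198.51.100.9 REGISTER 6001 Asterisk PBX" for i in range(150)]
    lines += [f"{1000 + i * 30} 192.168.10.21 REGISTER 6100 IP-Phone" for i in range(3)]
    lines.append("1001 192.168.10.21 INVITE 6100 IP-Phone")
    return lines

if __name__ == "__main__":
    report = analyze(sample_trace())
    print(report["peak_rate"], report["suspects"], report["targeted_accounts"])
```

The addresses in "suspects" are the candidates for the deny rules on the switch or firewall.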


 


Root Cause

This is a SIP flood attack from the public network. It reached the PBX and occupied the resources reserved for SIP users, which led to registration and call failures, because the product has the following limits:

Capacity                       U1981   U1980   U1960   U1930   U1911   U1960
CAPS (call access per second)  50      50      10      8       4       4

 


Solution

Advise the customer to use an ACL on the Huawei switch to deny the attacking traffic, or to deny it on the firewall.

Example:

1. Configure ACL 3001 with three rules to deny traffic from IP addresses 192.168.1.10, 192.168.1.11 and 192.168.1.12

[Switch] acl number 3001

[Switch-acl-adv-3001] rule deny ip source 192.168.1.10 0

[Switch-acl-adv-3001] rule deny ip source 192.168.1.11 0

[Switch-acl-adv-3001] rule deny ip source 192.168.1.12 0

[Switch-acl-adv-3001] quit

  

2. Configure the packet filter on interface GE1/0/1

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] traffic-filter inbound acl 3001

[Switch-GigabitEthernet1/0/1] quit

 

