01-04-2013 09:38 PM - edited 03-11-2019 05:43 PM
hi,
I am running FWSM 4.1(10). I have seen recent attacks on some hosts for certain SIP ports in the range 5060 - 5062. In one incident there were a million connections; it caused a Memory Full issue on the FWSM and it stopped passing traffic.
I am wondering what methods could be used to prevent these attacks.
1. Is there an advantage/disadvantage to changing some of these default connection timeouts?
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout pptp-gre 0:02:00
timeout uauth 0:05:00 absolute
2. Is it safe to reduce the UDP connection timeout?
3. What safe value can be set for the SIP and h323 timeouts that would still not be disruptive?
4. How can I limit SIP connections to, say, 100 connections only? Is that total SIP connections or host-based SIP connections?
Thanks much!!!!
01-05-2013 04:32 AM
Hi,
I would refer to the documentation below if you want to limit the number of connections on the FWSM.
It seems, though, that when I compared the same sections for the ASA and FWSM, the ASA had some additional options regarding the configurations below.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/protct_f.html#wp1065885
Sadly I can't tell you anything about setting the timeouts, as I'm not really familiar with SIP in general. Personally, my only options would be to ask someone else or start trying out new values.
Have you been able to monitor where the connections were initiated from? Were they from all over the world? Could there be any chance of creating an ACL rule that would partially limit this problem?
I guess someone at the forums section of
https://supportforums.cisco.com/community/netpro/collaboration-voice-video
could also give you some tips on how to proceed, as they know a lot more about this area.
- Jouni
01-05-2013 12:43 PM
I wanted to get some idea of whether anyone has tried reducing the timeout for SIP ports 5060 - 5062. The other option could be to limit the number of SIP connections; I would like to set it to 5000 and also set the timeout to a low value like 10 - 15 minutes.
01-05-2013 01:14 PM
Hi,
To my understanding, the document I linked explains how to define certain traffic and set connection limits and timeouts only for that specific traffic.
hostname(config)# access-list SIP permit tcp any host x.x.x.x range 5060 5062
hostname(config)# access-list SIP permit udp any host x.x.x.x range 5060 5062
hostname(config)# class-map SIP
hostname(config-cmap)# match access-list SIP
hostname(config-cmap)# policy-map SIP
hostname(config-pmap)# class SIP
hostname(config-pmap-c)# set connection conn-max 5000 conn-rate-limit xxx
hostname(config-pmap-c)# set connection timeout embryonic x:x:x half-closed x:x:x
hostname(config-pmap-c)# set connection timeout idle x:x:x
hostname(config-pmap-c)# service-policy SIP interface outside
- Jouni
01-06-2013 09:42 AM
hi Jouni,
I applied the policy exactly as you mentioned here. But for some reason there was no hit count or connection for this policy. No ACL hits were shown. I am wondering if, when there is already a global policy, you cannot apply a policy on the interface?
access-list SIP permit tcp any any range 5060 5065
access-list SIP permit udp any any range 5060 5065
class-map SIP
match access-list SIP
class-map inspection_default
match default-inspection-traffic
!
!
policy-map SIP
class SIP
set connection conn-max 6000
set connection timeout idle 0:05:00
This is the default global policy:
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect dns
FWSM# sh service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 1232958, drop 0, reset-drop 0
Inspect: h323 h225, packet 12, drop 0, reset-drop 0
Inspect: h323 ras, packet 39043, drop 1, reset-drop 0
Inspect: netbios, packet 18570, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 242, drop 0, reset-drop 0
Inspect: sip, packet 215639, drop 3, reset-drop 0
Inspect: xdmcp, packet 10, drop 10, reset-drop 0
Inspect: dns, packet 2624017, drop 37, reset-drop 0
Interface OUTSIDE:
Service-policy: SIP
Class-map: SIP
Set connection policy: conn-max 6000
current conns 0, drop 0
Set connection timeout policy:
idle 0:05:00
Fawad
01-07-2013 02:30 PM
We had this problem as well. Here is the policy I put in place on an ASA running 8.4(x) (I edited out some specifics, though).
access-list x-sip-limit extended permit udp any any range sip 5070
access-list x-sip-limit extended permit udp any range sip 5070 any
class-map class-sip-udp
match access-list x-sip-limit
policy-map outside_policy
class class-sip-udp
set connection per-client-max 1000
policy-map inside_policy
class class-sip-udp
set connection per-client-max 1000
service-policy global_policy global
service-policy outside_policy interface outside
service-policy inside_policy interface inside
#show service-policy
Interface outside:
Service-policy: outside_policy
Class-map: class-sip-udp
Set connection policy: per-client-max 1000
current conns 54, drop 5474250
Interface inside:
Service-policy: inside_policy
Class-map: class-sip-udp
Set connection policy: per-client-max 1000
current conns 15, drop 0
Graham
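The two `show service-policy` outputs pasted in the thread (Fawad's conn-max class and Graham's per-client-max class) are what an operator would watch to see whether the limit is actually biting. The following parser is an added example, not code from the thread or from Cisco: it reads that output, extracts each class's limits and counters, and flags classes that are already dropping or sitting near their conn-max. SAMPLE is constructed, modelled on the outputs above; the 75% warning threshold is an assumption.

```python
"""Parse FWSM/ASA `show service-policy` output and flag connection-limit pressure.
Added example for this thread (not Cisco code); SAMPLE is constructed, modelled on
the outputs pasted above."""
import re

SAMPLE = """\
Interface outside:
  Service-policy: outside_policy
    Class-map: class-sip-udp
      Set connection policy: per-client-max 1000
        current conns 54, drop 5474250
Interface OUTSIDE:
  Service-policy: SIP
    Class-map: SIP
      Set connection policy: conn-max 6000
        current conns 4800, drop 0
"""
IFACE = re.compile(r"^Interface (\S+):")
CLASS = re.compile(r"^\s*Class-map: (\S+)")
POLICY = re.compile(r"^\s*Set connection policy: (.+)$")
STATS = re.compile(r"^\s*current conns (\d+), drop (\d+)")

def parse_service_policy(text):
    """Return one dict per class-map that carries a 'set connection' policy."""
    rows, cur = [], {}
    for line in text.splitlines():
        if m := IFACE.match(line):
            cur = {"interface": m.group(1)}
        elif m := CLASS.match(line):
            cur = {"interface": cur.get("interface"), "class": m.group(1)}
        elif m := POLICY.match(line):
            # "conn-max 6000" or "per-client-max 1000" -> {"conn-max": 6000}
            t = m.group(1).split()
            cur["limits"] = {t[i]: int(t[i + 1]) for i in range(0, len(t) - 1, 2)}
        elif m := STATS.match(line):
            cur["conns"], cur["drops"] = int(m.group(1)), int(m.group(2))
            rows.append(dict(cur))
    return rows

def assess(rows, warn_pct=75):
    """Flag classes already dropping (limit reached) or near their conn-max."""
    findings = []
    for r in rows:
        if r["drops"] > 0:  # non-zero drops mean the limit has been enforced
            findings.append((r["interface"], r["class"], "drops", r["drops"]))
        limit = r.get("limits", {}).get("conn-max")  # per-client-max has no global cap
        if limit and 100 * r["conns"] // limit >= warn_pct:
            findings.append((r["interface"], r["class"], "utilization", 100 * r["conns"] // limit))
    return findings
```

Run it against the real output captured on a schedule and alert on the "drops" findings; a rising drop counter on the outside class is the signal that a flood like the one described in the first post is being contained rather than filling the connection table.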