Natpass basic settings to control Denial of Service
Natpass DOS can be enforced by natpass application, by integrated linux firewalll (IPtables) or disabled.
Syntaxys: dos_level = dos_level
"off" - Disables Denial of Service protection.
"logonly' - Only detect suspicious activity, but not try to prevent it.
"local" - Use internal (into natpass application) tables to store all suspects and block them - prevent accepting messages from them. Would result more CPU load, but not required external service to run.
"system" - use installed and running linux 'iptables' service in the system to block attackers. Much more effective. All unwanted messages blocked by kernel with close to zero CPU power requirement. It may also protect other parts of your system (not only Natpass itself). Because it invokes external scripts (defined by sysfw_.. params) you can specify exactly what action should be taken but requieres advanced knowledge of Ip tables. All config parameters "sysfw_..." are used only when dos_level set to "system"
Syntaxys: dos_interval = interval time_to_block lite_threshold heavy_threshold rtp_threshold
"interval" - number of second, duration of one interval. Default: 5 sec
"time_to_block" - number of second to hold particular source blocked (if it's considered as a DOS attacker). Default: 300 sec
"lite_threshold" - (see faq for definition of lite attack) Number or lite messages arrived from the same source within one interval (5 sec) to trigger that source as an attacker. Default: 100
"heavy_threshold" - (See faq for definition on heavy attack). Number or heavy messages arrived from the same source within one interval to trigger that source as an attacker. Default: 50
"rtp_threshold" - number of UDP messages (regardless of is it valid RTP message or not) arrived to clients' RTP ports from unexpected source to trigger that source as an attacker. Default: 2000.
Important: If that value set to -1 then source of packets arrived to clients RTP ports is not analyzed at all, and not counting against DOS attacks; Only SIP ports are monitored for possible attacks.
Important: Of course we can analyse RTP only for calls that in Full mode (with RTP relay)
Natpass advanced settings to control Denial of Service
- Denial of Service protection
Used to protect against excesive requests coming from same source. Attacks include brute force or DOS. NATPAss uses the following settings to configure DOS protection
Syntaxys: dos_multiple = num_of_interv time_to_block lite_threshold heavy_threshold rtp_threshold
"num_of_interv" - number of single intervals described in param one of dos_interval.
Default: 5 That means 5 intervals for 5 sec each. So it takes 25 sec total to detect slow attackers
"time_to_block" - number of second to hold particular IP blocked (after it would be considered as a slow DOS attacker)
Default: 900 sec
"lite_threshold" - Number or lite messages arrived from the same source within N intervals to trigger that source as an attacker.
Default: 200
"heavy_threshold" - Number or heavy messages arrived from the same source within N intervals to trigger that source as an attacker.
Default: 100
"rtp_threshold" - number of UDP messages arrived to clients RTP ports from unexpected source to trigger that source as an attacker.
Default: 5000
Important: if last param in dos_interval set to -1, than last parm in dos_multiple is ignored.
- Distributed Denial of Service Threshold
Used to detect Distributed denial of service attacks (DDOS). Only Heavy attackers are considered.
Lite attackers could be blocked by "system" prevention type at almost zero cost.
Syntaxys: ddos_threshold = heavy_sourceIP_numbers time_to_block
"heavy_sourceIP_numbers" - number of detected different "heavy" attackers.
Default: 50
"time_to_block" - time (in sec) to set DDOS shield.
- Distributed Denial of Service Throttling"
Throttling is the number of New Registration request Per Second allowed to bypass Natpass from client toward server (Registrar)
syntaxys: throttling = Regular UnderDDOS
"Regular" - Number of new Registration per sec allowed when DDOS Shield is not set. Default: 0. Value: 0 means that throttling is turned Off, and there is no limitation.
"UnderDDOS" - Number of new Registration per sec allowed when DDOS Shield is set. Default: 20 Important. If that value set to -1, than No New Registration allowed at all.
It specifies network segment which never considered as an attacker. You may specify multiple "dos_whitelist=" lines
syntaxys: dos_whitelist = xxx.xxx.xxx.xxx/mask
Example dos_whitelist = 66.153.122.0/24
DoS/DDoS Attacks concepts:
- Lite Attack - message arrived to SIP port and was not accepted and discarted by Natpass itself.
There maybe different reason of not accepting it, like malformed message that cannot be parsed correctly (or maybe just garbage and not SIP message at all), message could be parsed correctly but sent to unknown domain and so on.
The key is that Natpass itself makes a decision to reject it - another parts of system are not involved.
- Heavy Attack - SIP message arrived to clients' SIP port, parsed correctly, forwarded to server (Proxy, Registrar) and got back from server negative response 403 (Forbidden) or 404 (Not Found)
- Avalanche effect & Throttling
Natpass requires every device to reregister every 30 sec (by default) in order to hold pinhole in clients firewall open. Let assume we have 100 thousands active devices. In regular circumstances when all registrations distributed evenly in time and every device has 3600 sec (1 hour - default in SIP) registration period, Natpass would bypass to Registrar about (100000/3600=27.77) ~30 registration per sec.
In case of recovery after network outage, box crashes, or Natpass was just restarted, all 100K devices would try to re-register within 30 sec. and that is (100000/30=3333.33) more that 3 thousand Registrations per sec bypassed to Registrar, which is in two orders of magnitude more that regular rate. Registrar may be not powerful enough to handle that traffic and could crashes itself. That is described as "Avalanche Restart" effect in RFC 5390 - Requirements for Management of Overload in SIP. That is the reason why it makes sense to set first param of "throttling=" to not zero value. That would prevent Avalanche Restart effect even when there is no DDOS attack. In production system a value of 200 is recommended, even the Registrar can handle much bigger load. Concept of "DDOS Shield" When DDOS shield is not set, any SIP messages (INVITE, OPTIONS, MESSAGE, INFO,...) bypassed from client to server w/o any limitations, regardless of registration status of the client. That maybe that devices didn't receive response for registration yet, but still allowed to place a call.
When DDOS shield is set, ONLY registered devices (Registration cached in Natpass) allowed to send anything to server. Second param in "throttling=" specifies how many new registration (from not registered devices) would be allowed to bypass Natpass toward server (Registrar) Default: 20
DDOS shield would never prevent normal SIP call flow from devices that were already registered, but significantly decrease registration attempt from new devices (possible attackers).
Set second param in "throttling=" to -1 would completely prohibit new registration while DDOS shield is set. All existing (already registered) devices may still Re-register w/o any problem. That could have a negative effect, because if legitimate device (not an attacker) lost registration it would never be able to re-register again until DOS Shield is removed. However if there is massive DDOS going on it may sense to have that param set to -1, which would at least protect all current users. That is important to understand that all of described DOS prevention parameters are dynamic and could be changed on fly w/o restart Natpass. Signal SIGHUP sent to Natpass forces it to reread config file.
Natpass basic settings to control Denial of Service
Natpass DOS can be enforced by natpass application, by integrated linux firewalll (IPtables) or disabled.
Syntaxys: dos_level = dos_level
"off" - Disables Denial of Service protection.
"logonly' - Only detect suspicious activity, but not try to prevent it.
"local" - Use internal (into natpass application) tables to store all suspects and block them - prevent accepting messages from them. Would result more CPU load, but not required external service to run.
"system" - use installed and running linux 'iptables' service in the system to block attackers. Much more effective. All unwanted messages blocked by kernel with close to zero CPU power requirement. It may also protect other parts of your system (not only Natpass itself). Because it invokes external scripts (defined by sysfw_.. params) you can specify exactly what action should be taken but requieres advanced knowledge of Ip tables. All config parameters "sysfw_..." are used only when dos_level set to "system"
Syntaxys: dos_interval = interval time_to_block lite_threshold heavy_threshold rtp_threshold
"interval" - number of second, duration of one interval. Default: 5 sec
"time_to_block" - number of second to hold particular source blocked (if it's considered as a DOS attacker). Default: 300 sec
"lite_threshold" - (see faq for definition of lite attack) Number or lite messages arrived from the same source within one interval (5 sec) to trigger that source as an attacker. Default: 100
"heavy_threshold" - (See faq for definition on heavy attack). Number or heavy messages arrived from the same source within one interval to trigger that source as an attacker. Default: 50
"rtp_threshold" - number of UDP messages (regardless of is it valid RTP message or not) arrived to clients' RTP ports from unexpected source to trigger that source as an attacker. Default: 2000.
Important: If that value set to -1 then source of packets arrived to clients RTP ports is not analyzed at all, and not counting against DOS attacks; Only SIP ports are monitored for possible attacks.
Important: Of course we can analyse RTP only for calls that in Full mode (with RTP relay)
Natpass advanced settings to control Denial of Service
Used to protect against excesive requests coming from same source. Attacks include brute force or DOS. NATPAss uses the following settings to configure DOS protection
Syntaxys: dos_multiple = num_of_interv time_to_block lite_threshold heavy_threshold rtp_threshold
"num_of_interv" - number of single intervals described in param one of dos_interval.
Default: 5 That means 5 intervals for 5 sec each. So it takes 25 sec total to detect slow attackers
"time_to_block" - number of second to hold particular IP blocked (after it would be considered as a slow DOS attacker)
Default: 900 sec
"lite_threshold" - Number or lite messages arrived from the same source within N intervals to trigger that source as an attacker.
Default: 200
"heavy_threshold" - Number or heavy messages arrived from the same source within N intervals to trigger that source as an attacker.
Default: 100
"rtp_threshold" - number of UDP messages arrived to clients RTP ports from unexpected source to trigger that source as an attacker.
Default: 5000
Important: if last param in dos_interval set to -1, than last parm in dos_multiple is ignored.
Used to detect Distributed denial of service attacks (DDOS). Only Heavy attackers are considered.
Lite attackers could be blocked by "system" prevention type at almost zero cost.
Syntaxys: ddos_threshold = heavy_sourceIP_numbers time_to_block
"heavy_sourceIP_numbers" - number of detected different "heavy" attackers.
Default: 50
"time_to_block" - time (in sec) to set DDOS shield.
Throttling is the number of New Registration request Per Second allowed to bypass Natpass from client toward server (Registrar)
syntaxys: throttling = Regular UnderDDOS
"Regular" - Number of new Registration per sec allowed when DDOS Shield is not set. Default: 0. Value: 0 means that throttling is turned Off, and there is no limitation.
"UnderDDOS" - Number of new Registration per sec allowed when DDOS Shield is set. Default: 20 Important. If that value set to -1, than No New Registration allowed at all.
It specifies network segment which never considered as an attacker. You may specify multiple "dos_whitelist=" lines
syntaxys: dos_whitelist = xxx.xxx.xxx.xxx/mask
Example dos_whitelist = 66.153.122.0/24
DoS/DDoS Attacks concepts:
There maybe different reason of not accepting it, like malformed message that cannot be parsed correctly (or maybe just garbage and not SIP message at all), message could be parsed correctly but sent to unknown domain and so on.
The key is that Natpass itself makes a decision to reject it - another parts of system are not involved.
Natpass requires every device to reregister every 30 sec (by default) in order to hold pinhole in clients firewall open. Let assume we have 100 thousands active devices. In regular circumstances when all registrations distributed evenly in time and every device has 3600 sec (1 hour - default in SIP) registration period, Natpass would bypass to Registrar about (100000/3600=27.77) ~30 registration per sec.
In case of recovery after network outage, box crashes, or Natpass was just restarted, all 100K devices would try to re-register within 30 sec. and that is (100000/30=3333.33) more that 3 thousand Registrations per sec bypassed to Registrar, which is in two orders of magnitude more that regular rate. Registrar may be not powerful enough to handle that traffic and could crashes itself. That is described as "Avalanche Restart" effect in RFC 5390 - Requirements for Management of Overload in SIP. That is the reason why it makes sense to set first param of "throttling=" to not zero value. That would prevent Avalanche Restart effect even when there is no DDOS attack. In production system a value of 200 is recommended, even the Registrar can handle much bigger load. Concept of "DDOS Shield" When DDOS shield is not set, any SIP messages (INVITE, OPTIONS, MESSAGE, INFO,...) bypassed from client to server w/o any limitations, regardless of registration status of the client. That maybe that devices didn't receive response for registration yet, but still allowed to place a call.
When DDOS shield is set, ONLY registered devices (Registration cached in Natpass) allowed to send anything to server. Second param in "throttling=" specifies how many new registration (from not registered devices) would be allowed to bypass Natpass toward server (Registrar) Default: 20
DDOS shield would never prevent normal SIP call flow from devices that were already registered, but significantly decrease registration attempt from new devices (possible attackers).
Set second param in "throttling=" to -1 would completely prohibit new registration while DDOS shield is set. All existing (already registered) devices may still Re-register w/o any problem. That could have a negative effect, because if legitimate device (not an attacker) lost registration it would never be able to re-register again until DOS Shield is removed. However if there is massive DDOS going on it may sense to have that param set to -1, which would at least protect all current users. That is important to understand that all of described DOS prevention parameters are dynamic and could be changed on fly w/o restart Natpass. Signal SIGHUP sent to Natpass forces it to reread config file.