I have already opened a few cases with support, but not much help was provided, which is why I am here. Here are the infra details of our customer.
They have a self-hosted VoIP in their infra. Right now they are experiencing SIP call attacks.
On the outgoing side, the customer requested that the VoIP go out through a specific IP, hence the outbound address.
Same here for incoming.
I am not sure whether traffic shaping will help or not, but the current situation that we are facing is that SIP calls are being attacked.
SIP ALG has been unloaded as well. Does anyone have any tips or suggestions?
Instead of having ANY in your WAN network, limit the network to the FQDN of your SIP provider or the IP address ranges they use.
Hi VSA Support, could you please PM me the service request number raised with support? It would help us to check the history of the case and allow us to assist you better.
In reply to Keyur:
Here is one of the case IDs: 92029269567224
In reply to rfcat_vk:
We can't put WAN as ANY, because that is for anyone from the outside to call in, since they do not have a dedicated provider for SIP. Instead, they are hosting the VoIP themselves.
FYI, this is for Video call use.
In reply to VSA Support:
Hi VSA Support, thank you for providing the service request numbers. I will check them; meanwhile, could you please provide a network diagram or packet flow of the SIP traffic?
Hi VSA Support, is there any IPS policy applied on the WAN to LAN firewall rule? Opening the SIP port for ANY on the WAN source can attract traffic from anywhere, and because the port is open and listening, it will allow traffic to the destination server behind the firewall.
Unfortunately I don't have the packet flow for the SIP traffic.
But as for the network diagram, you can refer to the one below.
Video Call -> L1 Switch -> Firewall -> ISP
I just applied the IPS for this WAN to LAN rule, but our customer is still saying that they are receiving calls (SIP attack).
Here are the IPS settings.
Hi VSA Support, as per my understanding, you have a LAN to WAN firewall rule for outbound SIP connections and a WAN to LAN rule for inbound connections. As you have opened the connection for ANY for the WAN zone, the firewall will allow the traffic. If you have specific IPs detected, you can ask your ISP to block them.
For complete security, you have applied recommended settings in the SIP server as well or host-based security, IPS policy on LAN to WAN and WAN to LAN firewall rule in the firewall. You have to restrict the incoming traffic by specifying networks for WAN. Apply a DoS setting for UDP flood based on your SIP traffic.
Sorry for the late reply. So far we are just dropping the attacker's IP from the firewall.
Keyur: "Apply DOS setting for UDP flood based on your SIP traffic."
Are you referring to the IPS side?
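
Added example, not part of the original thread and not vendor code: one way to size a per-source UDP flood limit "based on your SIP traffic", as the advice above puts it, and to list the sources that exceed it. The packet records, IP addresses, the `headroom` factor and all function names are constructed assumptions; real input would come from a capture or firewall log of port 5060 traffic.

```python
import math
import statistics
from collections import Counter

# Constructed sample of UDP/5060 packets seen on the WAN to LAN rule:
# (epoch_second, source_ip, sip_method). IPs are documentation ranges.
SAMPLE = (
    [(100, "198.51.100.10", "INVITE"), (100, "198.51.100.10", "ACK"),
     (131, "198.51.100.10", "BYE")]
    + [(105, "198.51.100.22", "INVITE"), (106, "198.51.100.22", "ACK")]
    + [(110, "192.0.2.33", "OPTIONS"), (140, "192.0.2.33", "INVITE"),
       (140, "192.0.2.33", "ACK")]
    # One source sending 40 INVITEs per second for three seconds.
    + [(120 + i // 40, "203.0.113.77", "INVITE") for i in range(120)]
)

def peak_rate_per_source(records):
    """Return {source_ip: most packets seen from it in any one second}."""
    per_second = Counter((src, second) for second, src, _method in records)
    peaks = {}
    for (src, _second), count in per_second.items():
        peaks[src] = max(peaks.get(src, 0), count)
    return peaks

def suggest_threshold(peaks, headroom=3):
    """Per-source packets/second limit: median peak times headroom.

    Assumption: most sources in the sample are ordinary callers, so the
    median peak reflects normal call setup and not the flood.
    """
    if not peaks:
        raise ValueError("no traffic observed, cannot size a threshold")
    return math.ceil(statistics.median(peaks.values()) * headroom)

def sources_over(peaks, threshold):
    """Sources whose peak rate exceeds the limit, sorted for stable output."""
    return sorted(src for src, peak in peaks.items() if peak > threshold)

if __name__ == "__main__":
    peaks = peak_rate_per_source(SAMPLE)
    limit = suggest_threshold(peaks)
    print("peak packets/second per source:", peaks)
    print("suggested per-source limit:", limit)
    for src in sources_over(peaks, limit):
        methods = Counter(m for _s, ip, m in SAMPLE if ip == src)
        print("over limit:", src, dict(methods))
```

A limit derived this way is only as good as the sample: measure over a period that includes normal busy-hour calling before applying it to the inbound rule.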