Example: Configuring SIP ALG DoS Attack Protection
This example shows how to configure the DoS attack protection feature.
Requirements
Before you begin, review the DoS attack protection feature used to control SIP call activity. See Understanding SIP ALG DoS Attack Protection.
Overview
The ability of the SIP proxy server to process calls can be impacted by repeat SIP INVITE requests—requests that the server initially denied. The DoS protection feature enables you to configure the device to monitor INVITE requests and proxy server replies to them.
In this example, the device is configured to protect a single SIP proxy server (1.1.1.3) from repeat INVITE requests sent by sources to which the server has already denied service. Matching packets are dropped for a period of 5 seconds, after which the device resumes forwarding INVITE requests from those sources.
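The deny-timeout behaviour described above, modelled as an added example (not Juniper code and not part of the original page). It assumes that a final response code of 300 or higher counts as a denial and that dropped INVITEs do not restart the timer; the class and function names and the client addresses are constructed for illustration.

```python
# Simplified model of the deny-timeout behaviour (added example, not Junos code).
from dataclasses import dataclass, field

PROTECTED_SERVERS = {"1.1.1.3"}  # destination-ip value from this example
DENY_TIMEOUT = 5                 # seconds, timeout value from this example

@dataclass
class DenyTable:
    protected: set = field(default_factory=lambda: set(PROTECTED_SERVERS))
    timeout: float = DENY_TIMEOUT
    entries: dict = field(default_factory=dict)  # (src, dst) -> expiry time

    def on_reply(self, now, server, client, status):
        """Record a denial when a protected server rejects an INVITE.
        Assumption: a final response code >= 300 counts as 'denied'."""
        if server in self.protected and status >= 300:
            self.entries[(client, server)] = now + self.timeout

    def on_invite(self, now, src, dst):
        """Return 'forward' or 'drop' for an INVITE seen at time `now`."""
        expiry = self.entries.get((src, dst))
        if expiry is None:
            return "forward"
        if now >= expiry:
            del self.entries[(src, dst)]  # timeout elapsed: resume forwarding
            return "forward"
        return "drop"

def replay(events):
    """Feed timestamped events through the table; return INVITE verdicts."""
    table = DenyTable()
    verdicts = []
    for ev in events:
        if ev[1] == "reply":
            t, _, server, client, status = ev
            table.on_reply(t, server, client, status)
        else:
            t, _, src, dst = ev
            verdicts.append((t, src, table.on_invite(t, src, dst)))
    return verdicts

# Constructed sample traffic: (time_s, kind, ...)
SAMPLE = [
    (0.0, "invite", "10.0.0.7", "1.1.1.3"),
    (0.1, "reply", "1.1.1.3", "10.0.0.7", 403),  # server denies 10.0.0.7
    (1.0, "invite", "10.0.0.7", "1.1.1.3"),      # inside the 5 s window
    (1.5, "invite", "10.0.0.9", "1.1.1.3"),      # different source
    (4.0, "invite", "10.0.0.7", "1.1.1.3"),      # still inside the window
    (5.2, "invite", "10.0.0.7", "1.1.1.3"),      # window expired at 5.1 s
]
```

Calling replay(SAMPLE) shows that only the denied source is dropped, and only until the 5-second timeout elapses.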
Configuration
J-Web Quick Configuration
Step-by-Step Procedure
To configure SIP ALG attack protection:
- Select Configure>Security>ALG.
- Select the SIP tab.
- In the Enable attack protection area, click the Selected servers option.
- In the Destination IP box, enter 1.1.1.3 and click Add.
- Click OK to check your configuration and save it as a candidate configuration.
- If you are done configuring the device, click Commit Options>Commit.
Step-by-Step Procedure
To configure SIP ALG attack protection:
- Configure the device to protect a single SIP proxy server.
  [edit]
  user@host# set security alg sip application-screen protect deny destination-ip 1.1.1.3
- Configure the device for the deny timeout period.
  [edit]
  user@host# set security alg sip application-screen protect deny timeout 5
- If you are done configuring the device, commit the configuration.
  [edit]
  user@host# commit
Verification
To verify the configuration is working properly, enter the show security alg sip command.
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- SIP ALG Configuration Overview
- Verifying SIP ALG Configurations