Rate and Path Rate Limiting for GTP Control Messages

Learn how to apply GTP-C rate limiting and path rate limiting to control forward and reverse control-message traffic and protect GSNs from flooding attacks.

Rate Limiting for GTP Control Messages

You can configure the device to limit the rate of network traffic going to a GPRS support node (GSN). You can set separate thresholds, in packets per second, for GPRS tunneling protocol, control (GTP-C) messages. Because each GTP-C message requires processing and a reply, a high rate of them can overwhelm a GSN. By setting a rate limit on GTP-C messages, you can protect your GSNs from denial-of-service (DoS) attacks such as the following:

  • Border gateway bandwidth saturation—A malicious operator connected to the same GPRS Roaming Exchange (GRX) as your public land mobile network (PLMN) can direct so much network traffic at your border gateway that legitimate traffic is starved for bandwidth in or out of your PLMN, thus denying roaming access to or from your network.

  • GTP flood—GTP traffic can flood a GSN, forcing it to spend its CPU cycles processing illegitimate data. This can prevent subscribers from roaming and forwarding data to external networks, and it can prevent a General Packet Radio Service (GPRS) from attaching to the network.

This feature limits the rate of traffic sent to each GSN from the Juniper Networks device. The default rate is unlimited.

Path Rate Limiting for GTP Control Messages

The path-rate-limit function controls specific GTP messages in both the forward and reverse directions. You can configure a drop threshold and an alarm threshold for each control message in the forward and reverse directions for one path. If the control messages on one path reach the alarm threshold, an alarm log is generated. If the number of control messages received reaches the drop threshold, a packet drop log is generated and all other control messages of this type received later are dropped.

To control message traffic in the forward and reverse directions, configure a policy on the device such that the direction that is consistent with the configured policy is defined as forward, and the opposite direction is defined as reverse. Use the set security gtp profile <profile-name> path-rate-limit command to restrict the maximum packets per second for specific control messages on a path.

You can configure both the rate-limit and the path-rate-limit options at the same time.

Use Feature Explorer to confirm platform and release support for specific features.

Review the Platform-Specific GTP Message Rate Limiting Behavior section for notes related to your platform.

Example: Limiting the Message Rate and Path Rate for GTP Control Messages

This example shows how to limit the message rate and the path rate for GTP control messages. The rate-limit option limits the GTP messages per second and the path-rate-limit option controls specific GTP messages in both the forward and reverse directions.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you limit the rate of incoming GTP messages to 300 packets per second and you limit the path rate for GTP control messages in both the forward and reverse directions. You configure the device to limit the rate of network traffic going to a GSN, and you restrict the maximum packets per second or per minute for specific control messages on a path. For create-req, delete-req, and other GTP messages, you restrict the maximum packets per second. However, for an echo-req GTP message, you restrict the maximum packets per minute.

The path-rate-limit function controls specific GTP messages in both the forward and reverse directions. Configure the alarm-threshold parameter so that the device raises an alarm when the GTP control messages on a path reach the configured limit. Configure the drop-threshold parameter so that the device drops traffic when the number of packets per second or per minute exceeds the configured limit.

Configuration

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To configure the GTP message rate and path rate limit:

  1. Specify the GTP profile.

  2. Set the GTP message rate limit.

  3. Specify the message type to set the path rate limit for GTP control messages.

  4. Select GTP control message types.

  5. Set the alarm threshold for the GTP control message types.

  6. Limit the control messages in the forward direction.

  7. Limit the control messages in the reverse direction.

  8. Set the drop threshold for the GTP control message types.

  9. Limit the control messages in the forward direction.

  10. Limit the control messages in the reverse direction.
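The following statements show the procedure above written out as configuration. They are an added illustration, not the page's own command listing; they assume a profile named gtp1, the 300 packets per second rate limit from the Overview, and the alarm threshold of 50 and drop threshold of 80 used in the Meaning section. Lines beginning with # are reader comments, not Junos syntax, and must be removed before pasting into the CLI.

```junos
# Steps 1-2: GTP profile and the overall GTP-C rate limit,
# in packets per second sent toward each GSN
set security gtp profile gtp1 rate-limit 300

# Steps 3-10 for create-req (counted per second).
# alarm-threshold: an alarm log is generated once this many packets
#   of the type are seen on one path in the given direction
# drop-threshold: a drop log is generated and further packets of the
#   type on that path are discarded
set security gtp profile gtp1 path-rate-limit message-type create-req alarm-threshold forward 50 reverse 50
set security gtp profile gtp1 path-rate-limit message-type create-req drop-threshold forward 80 reverse 80

# The same thresholds for delete-req (also counted per second)
set security gtp profile gtp1 path-rate-limit message-type delete-req alarm-threshold forward 50 reverse 50
set security gtp profile gtp1 path-rate-limit message-type delete-req drop-threshold forward 80 reverse 80

# echo-req thresholds are counted per minute on the supported SRX platforms,
# so these values permit far less traffic than the create-req values above
set security gtp profile gtp1 path-rate-limit message-type echo-req alarm-threshold forward 50 reverse 50
set security gtp profile gtp1 path-rate-limit message-type echo-req drop-threshold forward 80 reverse 80

commit
```

With these values, 100 create-req packets arriving on one path within a second produce an Alarm count of 50 and a Drop count of 20 in the show security gtp counters path-rate-limit output, matching the Meaning section.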

Results

From configuration mode, confirm your configuration by entering the show security gtp profile profile-name command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verify the Configuration

Purpose

Verify that the GTP message rate and path rate limit configuration is correct.

Action

From operational mode, enter the show security gtp counters path-rate-limit command.

Meaning

The show security gtp counters path-rate-limit command displays the number of packets received after the alarm threshold or the drop threshold was reached. If you configure the alarm-threshold value as 50 and the drop-threshold value as 80 for the Create Request message, and the device receives 100 such packets within one second (or one minute, for message types that are counted per minute), then the Drop number will be 20 and the Alarm number will be 50.

Example: Enable GTP Sequence Number Validation

This example shows how to enable the GTP sequence number validation feature.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you create the GTP profile gtp1 and enable the sequence number validation feature on it.

Configuration

Step-by-Step Procedure

To enable the GTP sequence number validation feature:

  1. Set the GTP profile.

  2. Enable the sequence number validation.

  3. If you are done configuring the device, commit the configuration.
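The three steps above as configuration statements, added here as an illustration rather than taken from the page; the profile name gtp1 comes from the Overview, and the seq-number-validated keyword is the profile option that enables the feature. Lines beginning with # are reader comments, not Junos syntax.

```junos
# Step 1: create the GTP profile gtp1
set security gtp profile gtp1

# Step 2: enable sequence number validation for traffic matched by this profile
set security gtp profile gtp1 seq-number-validated

# Step 3: activate the configuration
commit
```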

Platform-Specific GTP Message Rate Limiting Behavior


Use the following table to review platform-specific GTP message rate limiting behaviors for your platform:

Platform: SRX Series

Difference:

  • SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices that support rate limiting of GTP control messages support limiting the maximum packets per second for GTP control messages such as create-req and delete-req. These platforms also support limiting the maximum packets per minute for echo-req GTP messages.