SIP rate limiting
Configurable threshold for SIP message rates per request method. Protects SIP servers from SIP overload and DoS attacks.
SIP rate limiting
FortiGates support rate limiting for the following types of VoIP traffic:
l Session Initiation Protocol (SIP) l Skinny Call Control Protocol (SCCP) (most versions) l Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE).
You can use rate limiting of these VoIP protocols to protect the FortiGate and your network from SIP and SCCP
Denial of Service (DoS) attacks. Rate limiting protects against SIP DoS attacks by limiting the number of SIP REGISTER and INVITE requests that the FortiGate receives per second. Rate limiting protects against SCCP
DoS attacks by limiting the number of SCCP call setup messages that the FortiGate receives per minute.
SIP rate limiting
You configure rate limiting for a message type by specifying a limit for the number of messages that can be received per second. The rate is limited per security policy. When VoIP rate limiting is enabled for a message type, if the a single security policy accepts more messages per second than the configured rate, the extra messages are dropped and log messages are written when the messages are dropped.
Use the following command to configure a VoIP profile to limit the number of INVITE messages accepted by each security policy that the VoIP profile is added to 100 INVITE messages a second:
config voip profile edit VoIP_Pro_Name config sip set invite-rate 100
end
end
If you are experiencing denial of service attacks from traffic using these VoIP protocols, you can enable VoIP rate limiting and limit the rates for your network. Limit the rates depending on the amount of SIP and SCCP traffic that you expect the FortiGate to be handling. You can adjust the settings if some calls are lost or if the amount of SIP or SCCP traffic is affecting FortiGate performance.
The table below lists all of the VoIP profile SIP rate limiting options. All of these options are set to 0 so are disabled by default.
Blocking SIP OPTIONS messages may prevent a redundant configuration from operating correctly. See Supporting geographic redundancy when blocking OPTIONS messages on page 113 for information about resolving this problem.
Options for SIP rate limiting
| SIP request message | Rate Limiting CLI Option |
| ACK | ack-rate |
| BYE | bye-rate |
| Cancel | cancel-rate |
| INFO | info-rate |
| INVITE | invite-rate |
| Message | message-rate |
| Notify | notify-rate |
| Options | options-rate |
| PRACK | prack-rate |
| Publish | publish-rate |
| SIP request message | Rate Limiting CLI Option |
| Refer | refer-rate |
| Register | register-rate |
| Subscribe | subscribe-rate |
| Update | update-rate |
Limiting the number of SIP dialogs accepted by a security policy
In addition to limiting the rates for receiving SIP messages, you can use the following command to limit the number of SIP dialogs (or SIP calls) that the FortiGate accepts.
config voip profile edit VoIP_Pro_Name config sip set max-dialogs 2000
end
end
This command sets the maximum number of SIP dialogs that can be open for SIP sessions accepted by any security policy that you add the VoIP profile to. The default setting of 0 does not limit the number of dialogs. You can add a limit to control the number of open dialogs and raise and lower it as required. You might want to limit the number of open dialogs for protection against SIP-based attackers opening large numbers of SIP dialogs. Every dialog takes memory and FortiGate CPU resources to process. Limiting the number of dialogs may improve the overall performance of the FortiGate. Limiting the number of dialogs will not drop calls in progress but may prevent new calls from connecting.