Cisco Packet Data Interworking Function (PDIF)
CSCF Security Configuration Mode Commands
Command Line Interface Reference, StarOS Release 18
per-ip-failure-limit
Sets a failure limit that, when exceeded, causes the suspension of registration attempts for the offending IP address.
Important: The system will ignore the configuration of this command unless the dos-prevention command has been enabled.
Product
SCM (P-CSCF, A-BG)
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > CSCF Service Configuration > Proxy-CSCF Configuration > CSCF Security Configuration
configure > context context_name > cscf service service_name > proxy-cscf > security-parameters
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-security-parameters)#
Syntax
per-ip-failure-limit limit
default per-ip-failure-limit
default
Sets/restores the default value assigned to the specified command.
limit
Default: 100
Defines the threshold for registration failures based on a calculation using weighted multipliers defined in auth-failure-weight and bad-request-weight.
limit must be an integer from 5 to 10,000.
Usage
Use this command to set a failure limit for registration attempts from an identified IP address. The following calculation determines when this threshold is reached for any IP address:
Current authorization failures ÷ auth-failure-weight = current failures per AoR
or
Total bad registration requests ÷ bad-request-weight = current failures per AoR
If auth-failure-weight = 2 and bad-request-weight = 1, and the per-ip-failure-limit = 200, then the tolerance for registration authentication failures = 100 per each IP address and the tolerance for bad registration requests = 200 per each IP address.
When an IP address reaches the failure limit, it is added to a “grey list” for a period of time as defined by the greylist-duration command.
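As an added illustration (not Cisco's code and not part of the original reference), the following Python model replays constructed failure events against the thresholds from the example above, taking the per-type tolerance as per-ip-failure-limit ÷ weight. It assumes an address is listed when a count reaches its tolerance, that counters restart after listing, and that greylist_duration uses the same unit as the event timestamps; the class and function names are hypothetical.

```python
from collections import defaultdict

LIMIT_RANGE = range(5, 10_001)  # documented range for per-ip-failure-limit


class PerIpFailureModel:
    """Toy model of the thresholds described above; not StarOS code."""

    def __init__(self, limit, auth_failure_weight, bad_request_weight,
                 greylist_duration):
        if limit not in LIMIT_RANGE:
            raise ValueError("per-ip-failure-limit must be an integer from 5 to 10,000")
        # Tolerance per failure type, as in the worked example: limit / weight.
        self.tolerance = {
            "auth_failure": limit / auth_failure_weight,
            "bad_request": limit / bad_request_weight,
        }
        self.duration = greylist_duration      # assumed: same unit as timestamps
        self.counts = defaultdict(lambda: defaultdict(int))
        self.greylist = {}                     # ip -> expiry timestamp

    def observe(self, ts, ip, kind):
        """Return 'suspended', 'greylisted' or 'counted' for one failed attempt."""
        if self.greylist.get(ip, 0) > ts:
            return "suspended"                 # registrations from this IP are on hold
        self.greylist.pop(ip, None)
        self.counts[ip][kind] += 1
        # Assumption: the IP is listed when a count reaches its tolerance,
        # and its counters restart once it has been listed.
        if self.counts[ip][kind] >= self.tolerance[kind]:
            self.greylist[ip] = ts + self.duration
            del self.counts[ip]
            return "greylisted"
        return "counted"


def replay(model, events):
    """Feed (timestamp, ip, kind) tuples through the model; return the transitions."""
    return [(ts, ip, r) for ts, ip, kind in events
            if (r := model.observe(ts, ip, kind)) != "counted"]


# Constructed sample: one address fails authentication once per time unit,
# another sends a handful of bad registration requests.
EVENTS = [(t, "192.0.2.10", "auth_failure") for t in range(1, 121)]
EVENTS += [(t, "198.51.100.7", "bad_request") for t in range(1, 6)]
EVENTS.sort()
```

With limit 200, weights 2 and 1, and a duration of 10, the first address is listed on its 100th authentication failure while the second stays far below its tolerance of 200.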