Session lockout

To avoid exhausting its computing resources because of DoS attacks or incorrect configuration, the cMAG-c uses the session-lockout feature.

The cMAG-c locks out a client if the sum of the number of session setup failures and the number of session disconnects reaches a specific threshold within a specific time window. If a client is in the locked-out state, the cMAG-c drops all packets coming from the client for a specific duration of time. The specific duration is calculated using a minimum and maximum duration.

The threshold, time window, and the minimum and maximum duration have default values or can be configured in the session-lockout profile.

For a specific client, the initial lockout duration is the minimum duration. When this duration ends, the cMAG-c puts the client in the suspect state for a duration equal to the time window. While the client is in the suspect state, the cMAG-c acts as follows:
  • The cMAG-c processes packets from the client.
  • If a setup failure or disconnect occurs, the cMAG-c locks out the client for a duration of twice the previous lockout duration, capped at the maximum duration.
  • If there is no setup failure or disconnect, the client recovers from the suspect state. The next lockout duration is reset to the minimum duration and the number of allowed session failures and disconnects is reset to the configured threshold.
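
The lockout, suspect, and recovery behavior described above can be modeled for one client as a small state machine. This is an added example, not Nokia code or the cMAG-c implementation. Assumptions: the class and field names are hypothetical, the time window is treated as a sliding window, time values are unitless, and the defaults are the values from the sample profile later on this page.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Profile:  # defaults taken from the page's sample profile "slp"
    window: int = 30
    failure_count: int = 10
    min_block: int = 30
    max_block: int = 90

class ClientLockout:
    """One client: normal -> locked -> suspect -> normal (or locked again)."""
    def __init__(self, p):
        self.p = p
        self.state = "normal"
        self.until = 0             # end of the current locked or suspect period
        self.block = p.min_block   # duration of the next lockout
        self.events = deque()      # failure/disconnect times inside the window

    def _advance(self, now):
        # Apply the timer expiries that happened before `now`.
        if self.state == "locked" and now >= self.until:
            self.state, self.until = "suspect", self.until + self.p.window
        if self.state == "suspect" and now >= self.until:
            self.state, self.block = "normal", self.p.min_block
            self.events.clear()    # allowed failures are back at the threshold

    def _lock(self, now):
        duration = self.block
        self.state, self.until = "locked", now + duration
        self.block = min(duration * 2, self.p.max_block)  # doubled, capped
        return duration

    def failure(self, now):
        """Record a setup failure or disconnect; return the lockout duration or 0."""
        self._advance(now)
        if self.state == "locked":
            return 0               # packets are dropped, nothing is counted
        if self.state == "suspect":
            return self._lock(now)  # a single event re-locks a suspect client
        self.events.append(now)
        # Assumption: sliding window, events older than `window` are forgotten.
        while self.events[0] <= now - self.p.window:
            self.events.popleft()
        if len(self.events) >= self.p.failure_count:
            self.events.clear()
            return self._lock(now)
        return 0
```

With the sample profile, a client that keeps failing is locked out for 30, then 60, then 90, and stays at 90 until it passes a full suspect period without a failure or disconnect.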
To remove the locked-out or suspect state from a client, use the following command.
tools subscriber-management session-lockout clear

Session lockout is enabled by default using the default configuration values of the session-lockout profile. For more information, see cMAG-c CLI and Data Model Explorer. To configure customer-specific values in a session-lockout profile, see Configuring and applying a session-lockout profile.

Note: Nokia recommends keeping the session-lockout feature enabled.

To disable session lockout, see Disable session lockout.

Configuring and applying a session-lockout profile

To enable the session-lockout feature with customer-defined values, configure a session-lockout profile in the BNG EP.

Session lockout is enabled by default using default values. To configure customer-specific values, use the following steps.
  1. Define a session-lockout profile.
    subscriber-management profiles session-lockout-profile
    The profile includes:
    • failure-count – threshold
    • window – time window
    • min-block-duration – minimum lockout duration
    • max-block-duration – maximum lockout duration
    # info from running with-context /subscriber-management profiles session-lockout-profile
        subscriber-management {
            profiles {
                session-lockout-profile slp {
                    attempts {
                        window 30
                        failure-count 10
                    }
                    min-block-duration 30
                    max-block-duration 90
                }
            }
        }
  2. In the BNG EP entry, reference the session-lockout profile that you configured in the preceding step. The referenced session-lockout profile is applicable for sessions that match this BNG EP entry.
    subscriber-management entry-point entry session-lockout-profile
    # info from running with-context /subscriber-management entry-point ep entry e session-lockout-profile
        subscriber-management {
            entry-point ep {
                entry e {
                    session-lockout-profile {
                        profile slp
                    }
                }
            }
        }

Disable session lockout

Note: Nokia recommends keeping the session-lockout feature enabled.
To disable the session-lockout feature, use the following command.
subscriber-management entry-point entry session-lockout-profile
# info from running with-context /subscriber-management entry-point ep entry e session-lockout-profile
    subscriber-management {
        entry-point ep {
            entry e {
                session-lockout-profile {
                    disabled
                }
            }
        }
    }