Message flood protection
The convenience offered by MM1 and MM4 messaging can be abused by users sending spam or attempting to overload the network with an excess of messages. MMS flood prevention can help prevent this type of abuse.
Overview
Flood protection for MM1 messages prevents your subscribers from sending too many messages to your MMSC. Configuring flood protection for MM4 messages prevents another service provider from sending too many messages from the same subscriber to your MMSC.
MM1 and MM4 flood protection
The FortiOS Carrier unit keeps track of the number of messages each subscriber sends for the length of time you specify. If the number of messages a subscriber sends exceeds the threshold, a configured action is taken. Possible actions are logging the flood, blocking or intercepting messages in the flood, archiving the flood messages, and sending an alert message to inform the administrator that the flood is occurring.
You can create three different thresholds to take different levels of action at different levels of activity.
With this highly configurable system, you can prevent subscribers from sending more messages than you determine is acceptable, or monitor anyone who exceeds the thresholds.
Setting message flood thresholds
A message flood occurs when a single subscriber sends a volume of messages that exceeds the flood threshold you set. The threshold defines the maximum number of messages allowed, the period during which the subscriber sent messages are considered, and the length of time the sender is restricted from sending messages after a flood is detected.
If a subscriber exceeds the message flood threshold and is blocked from sending more messages, any further attempts to send messages will re-start the block period. You must also enable logging for MMS Scanning > Bulk Messages in the Logging section of the MMS protection profile.
Example
For example, for the first threshold you may determine that any subscriber who sends more than 100 MM1 messages in an hour (60 minutes) will have all messages blocked for half an hour (30 minutes).
Using this example, if the subscriber exceeds the flood threshold, they are blocked from sending message for 30 minutes. If the subscriber tries to send any message after 15 minutes, the message will be blocked and the block period will be reset again to 30 minutes. The block period must expire with no attempts to send a message. Only then will the subscriber be allowed to send more messages.
To configure MM1 message flood threshold – web-based manager
- Go to Security Profiles > MMS Profile.
- Select Create New.
- Enter MM1 flood for Profile Name.
- Expand MMS Bulk Email Filtering Detection.
- Enter the following information, and select OK.
MM1 (first column) |
|
Enable |
Enable |
Message Flood Window |
60 minutes |
Message Flood Limit |
100 |
Message Flood Block Time |
30 minutes |
Message Flood Action |
Block |
To configure MM1 message flood threshold – CLI
config firewall mms-profile edit profile_name config flood mm1 set status1 enable set window1 60
set limit1 100 set action1 block set block-time1 30
end
end
The threshold values that you set for your network will depend on factors such as how busy your network is and the kinds of problems that your network and your subscribers encounter. For example, if your network is not too busy you may want to set message flood thresholds relatively high so that only an exceptional situation will exceed a flood threshold. Then you can use log messages and archived MMS messages to determine what caused the flood.
If your subscribers are experiencing problems with viruses that send excessive amounts of messages, you may want to set thresholds lower and enable blocking to catch problems as quickly as possible and block access to keep the problem from spreading.
Flood actions
When the Carrier-enabled FortiGate unit detects a message flood, it can take any combination of the five actions that you can configure for the flood threshold. For detailed options, see Message Flood.
Notifying administrators of floods
You can configure alert notifications for message floods by selecting the Alert Notification message flood action.
The FortiOS Carrier unit sends alert notifications to administrators using the MM1, MM3, MM4, or MM7 content interface. To send an alert notification you must configure addresses and other settings required for the content interface.
For example, to send notifications using the MM1 content interface you must configure a source MSISDN, hostname, URL, and port to which to send the notification. You can also configure schedules for when to send the notifications.
Finally you can add multiple MSISDN numbers to the MMS protection profile and set which flood thresholds to send to each MSISDN.
Example — three flood threshold levels with different actions for each threshold
You can set up to three threshold levels to take different actions at different levels of activity.
The first example threshold records log messages when a subscriber’s handset displays erratic behavior by sending multiple messages using MM1 at a relatively low threshold. The erratic behavior could indicate a problem with the subscriber’s handset. For example, you may have determined for your network that if a subscriber sends more the 45 messages in 30 minutes that you want to record log messages as a possible indication or erratic behavior.
From the web-based manager in an MMS profile set message Flood Threshold 1 to:
Enable |
Selected |
Message Flood Window |
30 minutes |
Message Flood Limit |
45 |
Message Flood Action |
Log |
|
|
|
From the CLI:
config firewall mms-profile edit profile_name config flood mm1 set status1 enable set window1 30 set limit1 45 set action1 log
end
end
Set a second higher threshold to take additional actions when a subscriber sends more that 100 messages in 30 minutes. Set the actions for this threshold to log the flood, archive the message that triggered the second threshold, and block the sender for 15 minutes.
From the web-based manager in an MMS profile set message Flood Threshold 2 to:
Enable |
Selected |
Message Flood Window |
30 minutes |
Message Flood Limit |
100 |
Message Block Time |
15 minutes |
Message Flood Action |
Log, DLP archive First message only, Block |
From the CLI:
config firewall mms-profile edit profile_name config flood mm1 set status2 enable set window2 30 set limit2 100
set action2 block log archive-first set block-time2 15
end
end
Set the third and highest threshold to block the subscriber for an extended period and sand an administrator alert if the subscriber sends more than 200 messages in 30 minutes. Set the actions for this threshold to block the sender for four hours (240 minutes), log the flood, archive the message that triggered the third threshold, and send an alert to the administrator.
From the web-based manager in an MMS profile set message Flood Threshold 3 to:
Enable |
Selected |
Message Flood Window |
30 minutes |
Message Flood Limit |
200 |
Message Block Time |
240 minutes |
Message Flood Action |
Log, Block, Alert Notification |
Because you have selected the Alert Notification action you must also configure alert notification settings. For this example, the source MSISDN is 5551234—telephone number 555-1234. When administrators receive MMS messages from this MSIDSN they can assume a message flood has been detected.
In this example, alert notifications are sent by the FortiOS Carrier unit to the MMSC using MM1. The host name of the MMSC is mmscexample, the MMSC URL is /, and the port used by the MMSC is 80. In this example, the alert notification window starts at 8:00am and extends for eight hours on weekdays (Monday-Friday) and the minimum interval between message flood notifications is two hours.
Source MSISDN |
5551234 |
Message Protocol |
MM1 |
Hostname |
mmscexample |
URL |
/ |
Port |
80 |
Notifications Per Second Limit |
0 |
Window Start Time |
8:00 |
Window Duration |
8:00 |
Day of Week |
Mon, Tue, Wed, Thu, Fri, Sat |
Interval |
2 hours |
From the CLI:
config firewall mms-profile edit profile_name config notification alert-flood-1 set alert-src-msisdn 5551234 set msg-protocol mm1 set mmsc-hostname mmscexample
set mmsc-url / set mmsc-port 80 set rate-limit 0 set tod-window-start 8:00 set tod-window-duration 8:00
set days-allowed monday tuesday wednesday thursday friday set alert-int 2 set alert-int-mode hours
end
You must also add the MSISDNs of the administrators to be notified of the message flood. In this example, the administrator flood threshold 3 alert notifications are sent to one administrator with MSISDN 5554321.
To add administrator’s MSISDNs for flood threshold 3 from the web-based manager when configuring a protection profile, select MMS Bulk Email Filtering Detection > Recipient MSISDN > Create New.
MSISDN |
5554321 |
Flood Level 3 |
Select |
From the CLI:
config firewall mms-profile edit profile_name config notif-msisdn edit 5554321 set threshold flood-thresh-3
end
end
Notifying message flood senders and receivers
The FortiOS Carrier unit does not send notifications to the sender or receiver that cause a message flood. If the sender or receiver is an attacker and is explicitly informed that they have exceeded a message threshold, the attacker may try to determine the exact threshold value by trial and error and then find a way around flood protection. For this reason, no notification is set to the sender or receiver.
However, FortiOS Carrier does have replacement messages for sending reply confirmations to MM1 senders and receivers and for MM4 senders for blocked messages identified as message floods. For information about how FortiOS Carrier responds when message flood detection blocks a message, see and MMS duplicate messages and message floods.
Responses to MM1 senders and receivers
When the FortiOS Carrier unit identifies an MM1 message sent by a sender to an MMSC as a flood message and blocks it, the FortiOS Carrier unit returns a message submission confirmation (m-send.conf) to the sender — otherwise the sender’s handset would keep retrying the message. The m-send.conf message is sent only when the MM1 message flood action is set to Block. For other message flood actions the message is actually delivered to the MMSC and the MMSC sends the m-send.conf message.
You can customize the m-send.conf message by editing the MM1 send-conf flood message MM1 replacement message (from the CLI the mm1-send-conf-flood replacement message). You can customize the response status and message text for this message. The default response status is “Content not accepted”. To hide the fact that FortiOS Carrier is responding to a flood, you can change the response status to “Success”. The default message text informs the sender that the message was blocked. You could change this to something more generic.
For example, the following command sets the submission confirmation response status to “Success” and changes the message text to “Message Sent OK”:
config system replacemsg mm1 mm1-send-conf-flood set rsp-status ok set rsp-text “Message Sent OK”
end
When the FortiOS Carrier unit identifies an MM1 message received by a receiver from an MMSC as a flood message and blocks it, the FortiOS Carrier unit returns a message retrieval confirmation (m-retrieve.conf) to the sender (otherwise the sender’s handset would keep retrying the message). The m-retrieve.conf message is sent only when the MM1 message flood action is set to Block. For other message flood actions the message is actually delivered to the receiver, so the MMSC sends the m-retrieve.conf message.
You can customize the m-retrive.conf message by editing the MM1 retrieve-conf flood message MM1 replacement message (from the CLI the mm1-retr-conf-flood replacement message). You can customize the class, subject, and message text for this message.
For example, you could use the following command make the response more generic:
config system replacemsg mm1 mm1-retr-conf-flood set subject “Message blocked”
set message “Message temporarily blocked by carrier”
end
Forward responses for MM4 message floods
When the FortiOS Carrier unit identifies an MM4 message as a flood message and blocks it, the FortiOS Carrier unit returns a message forward response (MM4_forward.res) to the forwarding MMSC (otherwise the forwarding MMSC would keep retrying the message). The MM4_forward.res message is sent only when the MM4 message flood action is set to Block and the MM4-forward.req message requested a response. For more information, see and MMS duplicate messages and message floods.
You can customize the MM4_forward.res message by editing the MM4 flood message MM4 replacement message (from the CLI the mm4-flood replacement message). You can customize the response status and message text for this message. The default response status is “Content not accepted” (err-content-notaccept). To hide the fact that the FortiOS Carrier unit is responding to a flood, you can change the response status to “Success”. The default message text informs the sender that the message was blocked. You could change this to something more generic.
For example, the following command sets the submission confirmation response status to “Success” and changes the message text to “Message Sent OK” for the MM4 message forward response
config system replacemsg mm4 mm4-flood set rsp-status ok
set rsp-text “Message Forwarded OK”
end
Viewing DLP archived messages
If DLP Archive is a selected message flood action, the messages that exceed the threshold are saved to the MMS DLP archive. The default behavior is to save all of the offending messages, but you can configure the DLP archive setting to save only the first message that exceeds the threshold. This still provides a sample of the offending messages without requiring as requiring as much storage.
To select only the first message in a flood for DLP archiving – web-based manager
- Go to Security Profiles > MMS Profile.
- Edit an existing MMS Profile.
- Expand the MMS Bulk Email Filtering Detection section, the Message Flood subsection, and the desired Flood Threshold
- Next to DLP Archive, select First message only from the drop down menu.
- Select OK.