In modern telephony networks, media switching and call control functionality are separated. Call control, which includes setting up and tearing down calls and maintaining call state machines, is performed by a network entity referred to as a media gateway controller (MGC). Media stream switching, which includes switching media packets between input and output ports and converting the media packets into the appropriate formats for the sending and receiving parties, is performed by a media gateway (MG). Media gateway controllers communicate call control information to media gateways via a media gateway control protocol.
Typical media gateway control protocols, such as MGCP and MEGACO, include commands for communicating information about each endpoint of a session to the media gateway and instructing the media gateway as to how to process packets to be delivered to each endpoint.
FIG. 1 is a schematic diagram illustrating voice sessions between media gateways 100, 102, 104, and 106 interconnected through an IP network 108. Media gateways 100, 102, 104, and 106 may be connected through IP network 108 via multiple paths through a series of next-hop routers. Multiple bidirectional voice sessions may be set up between any two or more of media gateways 100, 102, 104, and 106. As voice packets are received at a media gateway (ingress packets) or exit the media gateway (egress packets), the particular session that a packet belongs to must be identified for proper delivery and/or processing of the packet. The process of assigning a packet to a particular session to which it belongs is commonly referred to as packet classification.
FIG. 2 is a schematic diagram illustrating an exemplary media gateway 200. Referring to FIG. 2, media gateway 200 includes a control manager 202, a resource manager 204, a packet switch fabric 206, voice servers 208, and network interfaces 210. Each voice server 208 contains voice processing resources for processing VoIP and TDM voice streams.
For example, each voice server 208 may include codecs, VoIP, ATM, and TDM chips, and digital signal processing resources for processing VoIP streams. A detailed description of exemplary resources that may be found in voice server 208 can be found in commonly assigned, co-pending U.S. patent application Ser. No. 10/676,233, the disclosure of which is incorporated herein by reference in its entirety.
Control manager 202 of media gateway 200 controls the overall operation of media gateway 200 and communicates with media gateway controller 212 to set up and tear down calls. Resource manager 204 of control manager 202 allocates new voice sessions to incoming calls. For example, resource manager 204 may assign one of voice servers 208 to a session and store session information for the session in a session table 214 in a memory. Session table 214 is then regularly accessed to classify ingress and egress packets to the appropriate sessions. Although session table 214 is shown logically as a single entity, session tables 214 may actually be distributed among, and accessed by, network interfaces 210, as will be discussed further below.
Voice servers 208 are each assigned individual IP addresses and are each reachable through packet switch fabric 206 via any of network interfaces 210. Multiple sessions may be processed by the same voice server 208. Furthermore, multiple sessions may be established between a given network interface 210 and a given voice server 208 through the packet switch fabric 206. Network interfaces 210 are also each assigned individual IP addresses. The traffic rate for a given voice server 208 or network interface 210 should not be exceeded to avoid degrading the voice quality of calls, or worse, overloading the media gateway 200.
A denial of service attack may be launched against media gateway 200 by flooding the media gateway with packets, thereby reducing the call handling capacity, or even overloading the media gateway 200. For example, a flood of packets addressed to a network interface 210 may be received from a source, such as a computer operated by malicious attacker with the goal of impairing media gateway 200. Conventionally, such attacks results in a temporary impairment or disabling of media gateway 200 until the source can be blocked by a network operator determining the source and manually adding the source to an access control list (ACL) to deny access to the source and prevent against future attacks. It would be advantageous to automatically detect excessive IP traffic from a source IP address or addresses and dynamically update an ACL and with the source IP address. Such capabilities, however, do not exist in current media gateway architectures.
Accordingly, a need exists for automatic denial of service protection in a media gateway.