This could be improved by profiling the traffic per customer and pike it accordingly.
Adrian

On Nov 3, 2010, at 6:23 PM, Flavio Goncalves wrote:

> Hi Saul,
>
> I did like your solution. My only concern about Pike was to block
> legitimate traffic. A SIP dialer can easily get to the pike threshold,
> but doing pike_check_req() just for register, options and bye requests
> seems to avoid this.
>
> The only "but" is, the attack can also be done using INVITE and using
> Pike with INVITE can make you drop legitimate traffic, my initial
> concern. I think, that detecting authentication requests with wrong
> passwords or inexistent users is still the most generic solution. Just
> an opinion.
>
> Best regards,
>
> Flavio E. Goncalves
> CEO - V.Office
> OpenSIPS Bootcamp (New Jersey, NY Nov. 15-19)
>
> 2010/11/3 Saúl Ibarra Corretgé <s...@ag-projects.com>:
>> On 11/03/2010 04:00 PM, Hung Nguyen wrote:
>>> Hi all, thanks for the reply.
>>>
>>> I have tested with pike module. It is very simple.
>>>
>>> ------
>>> modparam("pike", "sampling_time_unit", 3)
>>> modparam("pike", "reqs_density_per_unit", 20)
>>>
>>> if (method=="REGISTER" || method=="OPTIONS" || method=="BYE") {
>>>     if (!pike_check_req()) {
>>>         #TODO: do anything if you want
>>>         drop();
>>>         exit;
>>>     }
>>> }
>>> ------
>>>
>>> I tested with sipvicious; in about 5 seconds pike detects the flood => drop
>>> packet or send 200 OK for register (svcrash.py will stop).
>>> You can block flooding with any method.
>>>
>>
>> Take into account that with pike module you are dropping the packets at
>> the application level, but they still enter the system. As the pike
>> module also generates syslog messages, you may want to use them in
>> combination with some other tool in order to block the traffic with
>> iptables, for example.
>>
>> Regards,
>>
>> --
>> Saúl Ibarra Corretgé
>> AG Projects
>>
>> _______________________________________________
>> Users mailing list
>> Users@lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
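
Added example (not part of the original thread, and not OpenSIPS or pike code): a simplified Python model of the per-source threshold discussed above, using the thread's 3-second window and 20-request limit, counting only REGISTER, OPTIONS and BYE, and adding a per-customer limit table as the top reply suggests. The `profiles` table, the class and function names, and the traffic are assumptions constructed for illustration.

```python
from collections import Counter

SAMPLING_TIME_UNIT = 3       # seconds, from the thread's modparam
REQS_DENSITY_PER_UNIT = 20   # requests per window, from the thread's modparam
LIMITED_METHODS = {"REGISTER", "OPTIONS", "BYE"}  # INVITE deliberately not counted


class PerSourceLimiter:
    """Fixed-window counter per source IP; a simplified model, not pike's own algorithm."""

    def __init__(self, profiles=None):
        # profiles is a hypothetical table: source IP -> allowed requests per window
        self.profiles = profiles or {}
        self.window = None
        self.counts = Counter()

    def allow(self, ip, method, now):
        """Return False when the request should be dropped. Calls must be in time order."""
        if method not in LIMITED_METHODS:
            return True
        window = int(now // SAMPLING_TIME_UNIT)
        if window != self.window:          # new sampling window: forget old counts
            self.window = window
            self.counts.clear()
        self.counts[ip] += 1
        return self.counts[ip] <= self.profiles.get(ip, REQS_DENSITY_PER_UNIT)


def replay(events, limiter):
    """Feed (timestamp, ip, method) tuples through the limiter; return drops per IP."""
    dropped = Counter()
    for now, ip, method in sorted(events):
        if not limiter.allow(ip, method, now):
            dropped[ip] += 1
    return dropped


# Constructed traffic, documentation addresses only.
SCANNER, DIALER = "203.0.113.50", "198.51.100.10"
EVENTS = [(i * 0.02, SCANNER, "REGISTER") for i in range(100)]
for i in range(40):
    EVENTS += [(i * 0.05, DIALER, "INVITE"), (i * 0.05 + 0.02, DIALER, "BYE")]

if __name__ == "__main__":
    print("default threshold:", dict(replay(EVENTS, PerSourceLimiter())))
    print("dialer profiled at 60:", dict(replay(EVENTS, PerSourceLimiter({DIALER: 60}))))
```

With the default threshold the dialer's BYE burst is cut along with the scanner's REGISTER flood; raising only the dialer's profile removes those false drops while the scanner is still limited.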