Pike module - extending the flood detection

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Pike module - extending the flood detection

Bogdan-Andrei Iancu
Hi,

The SVN trunk contains new extensions on the pike module for extending
the flood detection : (1) from checking requests only, to checking all
SIP traffic and (2) from checking the valid SIP packages to checking all
received data (even if junk).

In the new form, there are 2 ways of using this module (as detecting
flood attacks and as taking the right action to limit the impact on the
system):
     * manual - from routing script you can force the check of the
source IP of an incoming requests, using "pike_check_req" function. Note
that this checking works only for  SIP requests and you can decide
(based on scripting logic) what source IPs to be monitored and what
action to be taken when a flood is detected.
     * automatic - the module will install internal hooks to catch all
incoming requests and replies (even if not well formed from SIP point of
view) - more or less the module will monitor all incoming packages (from
the network) on the SIP sockets. Each time the source IP of a package
needs to be analyse (to see if trusted or not), the module will run a
script route - see "check_route" module parameter -, where, based on
custom logic, you can decide if that IP needs to be monitored for
flooding or not. As action, when flood is detected, the module will
automatically drop the packages. Ex:

...
modparam("pike", "check_route", "pike")
...
...
route[pike]{
    if ($si==111.222.111.222)  /*trusted, do not check this IP*/
        drop;
    /* all other IPs are checked*/
}
....


Regards,
Bogdan



_______________________________________________
Devel mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/devel