<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
<div class="moz-cite-prefix">Not sure if you are aware but keep in
mind this:<br>
<br>
<span style="color: rgb(0, 0, 0); font-family: Helvetica, Arial,
sans-serif; font-size: 15px; font-style: normal;
font-variant-ligatures: normal; font-variant-caps: normal;
font-weight: 400; letter-spacing: normal; orphans: 2;
text-align: justify; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color: rgb(255, 255,
255); text-decoration-style: initial; text-decoration-color:
initial; display: inline !important; float: none;">"The module
does not implement any actions on blocking - it just simply
reports that there is high traffic from an IP; what to do, is
the administrator decision (via scripting)"<br>
<br>
You have to script the actual blocking via a function like the
below:<br>
</span><br>
<div class="titlepage" style="color: rgb(0, 0, 0); font-family:
Helvetica, Arial, sans-serif; font-size: 15px; font-style:
normal; font-variant-ligatures: normal; font-variant-caps:
normal; font-weight: 400; letter-spacing: normal; orphans: 2;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color: rgb(255, 255,
255); text-decoration-style: initial; text-decoration-color:
initial;">
<div>
<div>
<h3 class="title" style="margin: 1em 0px 0.75em; padding:
0px 0px 5px 5px; color: rgb(107, 83, 68); font-weight:
bold; font-family: Scada, Helvetica, sans-serif; position:
relative; text-shadow: rgba(255, 255, 255, 0.5) 0px 2px
0px; font-size: 20px; line-height: 28px; font-style:
italic;">4.1. <span> </span><code class="function">pike_check_req()</code></h3>
</div>
</div>
</div>
<p style="font-family: Helvetica, Arial, sans-serif; text-align:
justify; color: rgb(0, 0, 0); font-size: 15px; font-style:
normal; font-variant-ligatures: normal; font-variant-caps:
normal; font-weight: 400; letter-spacing: normal; orphans: 2;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255); text-decoration-style:
initial; text-decoration-color: initial;">Process the source IP
of the current request and return false if the IP was exceeding
the blocking limit.</p>
<p style="font-family: Helvetica, Arial, sans-serif; text-align:
justify; color: rgb(0, 0, 0); font-size: 15px; font-style:
normal; font-variant-ligatures: normal; font-variant-caps:
normal; font-weight: 400; letter-spacing: normal; orphans: 2;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255); text-decoration-style:
initial; text-decoration-color: initial;">Return codes:</p>
<div class="itemizedlist" style="color: rgb(0, 0, 0); font-family:
Helvetica, Arial, sans-serif; font-size: 15px; font-style:
normal; font-variant-ligatures: normal; font-variant-caps:
normal; font-weight: 400; letter-spacing: normal; orphans: 2;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color: rgb(255, 255,
255); text-decoration-style: initial; text-decoration-color:
initial;">
<ul class="itemizedlist" type="disc">
<li class="listitem">
<p style="font-family: Helvetica, Arial, sans-serif;
text-align: justify;"><span class="emphasis"><em>1 (true)</em></span><span> </span>-
IP is not to be blocked or internal error occurred.</p>
<div class="warning" style="margin-left: 0.5in;
margin-right: 0.5in;">
<h3 class="title" style="margin: 1em 0px 0.75em; padding:
0px 0px 5px 5px; color: rgb(107, 83, 68); font-weight:
bold; font-family: Scada, Helvetica, sans-serif;
position: relative; text-shadow: rgba(255, 255, 255,
0.5) 0px 2px 0px; font-size: 20px; line-height: 28px;
font-style: italic;">Warning</h3>
IMPORTANT: in case of internal error, the function returns
true to avoid reporting the current processed IP as
blocked.</div>
</li>
<li class="listitem">
<p style="font-family: Helvetica, Arial, sans-serif;
text-align: justify;"><span class="emphasis"><em>-1
(false)</em></span><span> </span>- IP is source of
flooding, previously detected</p>
</li>
<li class="listitem">
<p style="font-family: Helvetica, Arial, sans-serif;
text-align: justify;"><span class="emphasis"><em>-2
(false)</em></span><span> </span>- IP is detected as a
new source of flooding - first time detection</p>
</li>
</ul>
</div>
<span style="color: rgb(0, 0, 0); font-family: Helvetica, Arial,
sans-serif; font-size: 15px; font-style: normal;
font-variant-ligatures: normal; font-variant-caps: normal;
font-weight: 400; letter-spacing: normal; orphans: 2;
text-align: justify; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color: rgb(255, 255,
255); text-decoration-style: initial; text-decoration-color:
initial; display: inline !important; float: none;"><br>
</span><br>
On 3/22/20 11:40 AM, JR Richardson wrote:<br>
</div>
<blockquote type="cite"
cite="mid:000001d60060$3711c460$a5354d20$@gmail.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
code
{mso-style-priority:99;
font-family:"Courier New";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Thanks Daniel,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">That clear it
up a bit. For my own edification, when I get a few minutes,
I’ll lab this up and throw some specific quantities of SIP
packets and validate the time and density of trigger and
report back. Maybe we can update the module documentation
for clarity and remove some confusion.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">JR<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="color:#1F497D">JR Richardson<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Engineering
for the Masses<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Chasing the
Azeotrope<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">JRx DistillCo<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">1’st Place
Brisket<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Daniel-Constantin Mierla
<a class="moz-txt-link-rfc2396E" href="mailto:miconda@gmail.com"><miconda@gmail.com></a> <br>
<b>Sent:</b> Sunday, March 22, 2020 4:37 AM<br>
<b>To:</b> Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-rfc2396E" href="mailto:sr-users@lists.kamailio.org"><sr-users@lists.kamailio.org></a>; JR Richardson
<a class="moz-txt-link-rfc2396E" href="mailto:jmr.richardson@gmail.com"><jmr.richardson@gmail.com></a>; SIP Router - Kamailio
(OpenSER) and SIP Express Router (SER) - Users Mailing
List <a class="moz-txt-link-rfc2396E" href="mailto:sr-users@lists.sip-router.org"><sr-users@lists.sip-router.org></a><br>
<b>Subject:</b> Re: [SR-Users] Pike Module Clarification<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hello,<span style="font-size:12.0pt"><o:p></o:p></span></p>
<p>I am not very familiar with the code as I haven't written the
module, but iirc, if it is an isolated IP, then it takes 3 x
sampling_time_unit to block that IP if there is traffic from
it at a rate of more than 30 requests (can be even 1000+
requests).<o:p></o:p></p>
<p>Then, an IP can be blocked after the first sampling_time_unit
if it is part of a subnetwork (/24) that has other IP
addresses already blocked.<o:p></o:p></p>
<p>As a simple rule, any IP is blocked for sure after 3 x
sampling_time_unit with higher rate than the density and is
kept block if it continues to send high volume of requests.<o:p></o:p></p>
<p>Cheers,<br>
Daniel<o:p></o:p></p>
<div>
<p class="MsoNormal">On 21.03.20 15:18, JR Richardson wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi All,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Please clarify the pike settings for SIP
message count, the module Doc reports:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<pre>----<o:p></o:p></pre>
<pre>modparam("pike", "sampling_time_unit", 10)<o:p></o:p></pre>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Courier
New"">modparam("pike", "reqs_density_per_unit", 30)</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">How many requests should be allowed per <code><span
style="font-size:10.0pt">sampling_time_unit</span></code>
before blocking all the incoming request from that IP.
Practically, the blocking limit is between ( let's have
x=reqs_density_per_unit) x and 3*x for IPv4 addresses and
between x and 8*x for IPv6 addresses.<o:p></o:p></p>
<p class="MsoNormal">-----<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">So the example above the SIP message rate
is 30 messages within 10 seconds triggers an pike alert?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The description I’m confused on is
“Practically, the blocking ‘<b><span style="color:red">limit
is between’</span></b><span style="color:red"> </span>(let's
have x=reqs_density_per_unit) x and 3*x for IPv4”<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The way this reads to me is the Pike
alert could be triggered anywhere between 30 and 90 (3*30)
messages within 10 second period. Am I reading this
correctly? What determines when the pike trigger actually
happens, could the trigger happen at say 56 messages within
10 seconds?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">JR Richardson<o:p></o:p></p>
<p class="MsoNormal">Engineering for the Masses<o:p></o:p></p>
<p class="MsoNormal">Chasing the Azeotrope<o:p></o:p></p>
<p class="MsoNormal">JRx DistillCo<o:p></o:p></p>
<p class="MsoNormal">1’st Place Brisket<o:p></o:p></p>
<p class="MsoNormal">1’st Place Chili<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Kamailio (SER) - Users Mailing List<o:p></o:p></pre>
<pre><a href="mailto:sr-users@lists.kamailio.org" moz-do-not-send="true">sr-users@lists.kamailio.org</a><o:p></o:p></pre>
<pre><a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" moz-do-not-send="true">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><o:p></o:p></pre>
</blockquote>
<pre>-- <o:p></o:p></pre>
<pre>Daniel-Constantin Mierla -- <a href="http://www.asipto.com" moz-do-not-send="true">www.asipto.com</a><o:p></o:p></pre>
<pre><a href="http://www.twitter.com/miconda" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" moz-do-not-send="true">www.linkedin.com/in/miconda</a><o:p></o:p></pre>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Technical Support
<a class="moz-txt-link-freetext" href="http://www.cellroute.net">http://www.cellroute.net</a></pre>
</body>
</html>