<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
<p>Hello,</p>
<p>I am not very familiar with the code as I haven't written the
module, but iirc, if it is an isolated IP, then it takes 3 x
sampling_time_unit to block that IP if there is traffic from it at
a rate of more than 30 requests (can be even 1000+ requests).</p>
<p>Then, an IP can be blocked after the first sampling_time_unit if
it is part of a subnetwork (/24) that has other IP addresses
already blocked.</p>
<p>As a simple rule, any IP is blocked for sure after 3 x
sampling_time_unit with higher rate than the density and is kept
block if it continues to send high volume of requests.</p>
<p>Cheers,<br>
Daniel<br>
</p>
<div class="moz-cite-prefix">On 21.03.20 15:18, JR Richardson wrote:<br>
</div>
<blockquote type="cite"
cite="mid:000001d5ff8b$89706840$9c5138c0$@gmail.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi All,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please clarify the pike settings for SIP
message count, the module Doc reports:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre>----<o:p></o:p></pre>
<pre>modparam("pike", "sampling_time_unit", 10)<o:p></o:p></pre>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Courier New"">modparam("pike",
"reqs_density_per_unit", 30)<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">How many requests should be allowed per <code><span
style="font-size:10.0pt">sampling_time_unit</span></code>
before blocking all the incoming request from that IP.
Practically, the blocking limit is between ( let's have
x=reqs_density_per_unit) x and 3*x for IPv4 addresses and
between x and 8*x for IPv6 addresses.<o:p></o:p></p>
<p class="MsoNormal">-----<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So the example above the SIP message rate
is 30 messages within 10 seconds triggers an pike alert?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The description I’m confused on is
“Practically, the blocking ‘<b><span style="color:red">limit
is between’</span></b><span style="color:red"> </span>(let's
have x=reqs_density_per_unit) x and 3*x for IPv4”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The way this reads to me is the Pike alert
could be triggered anywhere between 30 and 90 (3*30) messages
within 10 second period. Am I reading this correctly? What
determines when the pike trigger actually happens, could the
trigger happen at say 56 messages within 10 seconds?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">JR Richardson<o:p></o:p></p>
<p class="MsoNormal">Engineering for the Masses<o:p></o:p></p>
<p class="MsoNormal">Chasing the Azeotrope<o:p></o:p></p>
<p class="MsoNormal">JRx DistillCo<o:p></o:p></p>
<p class="MsoNormal">1’st Place Brisket<o:p></o:p></p>
<p class="MsoNormal">1’st Place Chili<o:p></o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a></pre>
</body>
</html>