<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
code
{mso-style-priority:99;
font-family:"Courier New";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Thanks Daniel,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>That clear it up a bit. For my own edification, when I get a few minutes, I’ll lab this up and throw some specific quantities of SIP packets and validate the time and density of trigger and report back. Maybe we can update the module documentation for clarity and remove some confusion.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>JR<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='color:#1F497D'>JR Richardson<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Engineering for the Masses<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Chasing the Azeotrope<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>JRx DistillCo<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>1’st Place Brisket<o:p></o:p></span></p></div><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Daniel-Constantin Mierla <miconda@gmail.com> <br><b>Sent:</b> Sunday, March 22, 2020 4:37 AM<br><b>To:</b> Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>; JR Richardson <jmr.richardson@gmail.com>; SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List <sr-users@lists.sip-router.org><br><b>Subject:</b> Re: [SR-Users] Pike Module Clarification<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p>Hello,<span style='font-size:12.0pt'><o:p></o:p></span></p><p>I am not very familiar with the code as I haven't written the module, but iirc, if it is an isolated IP, then it takes 3 x sampling_time_unit to block that IP if there is traffic from it at a rate of more than 30 requests (can be even 1000+ requests).<o:p></o:p></p><p>Then, an IP can be blocked after the first sampling_time_unit if it is part of a subnetwork (/24) that has other IP addresses already blocked.<o:p></o:p></p><p>As a simple rule, any IP is blocked for sure after 3 x sampling_time_unit with higher rate than the density and is kept block if it continues to send high volume of requests.<o:p></o:p></p><p>Cheers,<br>Daniel<o:p></o:p></p><div><p class=MsoNormal>On 21.03.20 15:18, JR Richardson wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>Hi All,<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Please clarify the pike settings for SIP message count, the module Doc reports:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><pre>----<o:p></o:p></pre><pre>modparam("pike", "sampling_time_unit", 10)<o:p></o:p></pre><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>modparam("pike", "reqs_density_per_unit", 30)</span><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>How many requests should be allowed per <code><span style='font-size:10.0pt'>sampling_time_unit</span></code> before blocking all the incoming request from that IP. Practically, the blocking limit is between ( let's have x=reqs_density_per_unit) x and 3*x for IPv4 addresses and between x and 8*x for IPv6 addresses.<o:p></o:p></p><p class=MsoNormal>-----<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>So the example above the SIP message rate is 30 messages within 10 seconds triggers an pike alert?<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The description I’m confused on is “Practically, the blocking ‘<b><span style='color:red'>limit is between’</span></b><span style='color:red'> </span>(let's have x=reqs_density_per_unit) x and 3*x for IPv4”<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The way this reads to me is the Pike alert could be triggered anywhere between 30 and 90 (3*30) messages within 10 second period. Am I reading this correctly? What determines when the pike trigger actually happens, could the trigger happen at say 56 messages within 10 seconds?<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Thanks.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>JR Richardson<o:p></o:p></p><p class=MsoNormal>Engineering for the Masses<o:p></o:p></p><p class=MsoNormal>Chasing the Azeotrope<o:p></o:p></p><p class=MsoNormal>JRx DistillCo<o:p></o:p></p><p class=MsoNormal>1’st Place Brisket<o:p></o:p></p><p class=MsoNormal>1’st Place Chili<o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><br><br><o:p></o:p></span></p><pre>_______________________________________________<o:p></o:p></pre><pre>Kamailio (SER) - Users Mailing List<o:p></o:p></pre><pre><a href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a><o:p></o:p></pre><pre><a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><o:p></o:p></pre></blockquote><pre>-- <o:p></o:p></pre><pre>Daniel-Constantin Mierla -- <a href="http://www.asipto.com">www.asipto.com</a><o:p></o:p></pre><pre><a href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a><o:p></o:p></pre></div></body></html>