Mitigating DDOS attacks from carrier based on ani or dnis by limitating cps or blocking when detecting
Hi is there any way to use pike and htable to mitigate ddos or flood attack from trusted trunks.
I need help to build it the same way kamailio control registrations.
Case a carrier trunk star calling several users from the system to more than 50 CPS(calls per second), it will affect the system but cannot block the trunk since it is pstn traffic coming from a sip provider, therefore we need to find a way to identify this traffic based on ANI or DNIS or any other header and then blocked for a time just like pike does with registrations, then start the cycle all over.
in less words make kamailio be aware of invite request rate, then verify that is from the same source means ani or dnis then tagged as bad traffic them star dropping it for a specified time, while normal traffic still flowing unaffected.
any recommendations will be highly appreciated.
thank you
May I humbly suggest the very flexible pipelimit module?
On 09/08/2016 12:12 AM, anfecora wrote:
Hi is there any way to use pike and htable to mitigate ddos or flood attack from trusted trunks.
I need help to build it the same way kamailio control registrations.
Case a carrier trunk star calling several users from the system to more than 50 CPS(calls per second), it will affect the system but cannot block the trunk since it is pstn traffic coming from a sip provider, therefore we need to find a way to identify this traffic based on ANI or DNIS or any other header and then blocked for a time just like pike does with registrations, then start the cycle all over.
in less words make kamailio be aware of invite request rate, then verify that is from the same source means ani or dnis then tagged as bad traffic them star dropping it for a specified time, while normal traffic still flowing unaffected.
any recommendations will be highly appreciated.
thank you
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
THanks Alex, do you think i can do something like where i check $FU reaching the rate limit then blocket somehow for a few minutes.
thank you, I apreciate your help.
# perform pipe match for INVITE
if (is_method("INVITE")) { $var(invlimit) = 10; if (!pl_check("$fU", "TAILDROP", "$var(invlimit)")) { pl_drop(); exit; } }
On Wed, Sep 7, 2016 at 9:23 PM, Alex Balashov abalashov@evaristesys.com wrote:
May I humbly suggest the very flexible pipelimit module?
On 09/08/2016 12:12 AM, anfecora wrote:
Hi is there any way to use pike and htable to mitigate ddos or flood
attack from trusted trunks.
I need help to build it the same way kamailio control registrations.
Case a carrier trunk star calling several users from the system to more than 50 CPS(calls per second), it will affect the system but cannot block the trunk since it is pstn traffic coming from a sip provider, therefore we need to find a way to identify this traffic based on ANI or DNIS or any other header and then blocked for a time just like pike does with registrations, then start the cycle all over.
in less words make kamailio be aware of invite request rate, then verify that is from the same source means ani or dnis then tagged as bad traffic them star dropping it for a specified time, while normal traffic still flowing unaffected.
any recommendations will be highly appreciated.
thank you
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
-- Alex Balashov | Principal | Evariste Systems LLC
Tel: +1-706-510-6800 (direct) / +1-800-250-5920 (toll-free) Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
On 09/08/2016 01:00 AM, anfecora wrote:
THanks Alex, do you think i can do something like where i check $FU reaching the rate limit then blocket somehow for a few minutes.
Absolutely! I think you have the right idea.
-
Alex Balashov -
anfecora