[sr-dev] git:master: kamailio.cfg: added flood detection

Daniel-Constantin Mierla miconda at gmail.com
Thu Sep 23 18:42:16 CEST 2010


Module: sip-router
Branch: master
Commit: f77093de4f3111cbc7171e61443c7d1c0cee50d0
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f77093de4f3111cbc7171e61443c7d1c0cee50d0

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date:   Thu Sep 23 18:40:48 2010 +0200

kamailio.cfg: added flood detection

- can be enabled via #!define WITH_ANTIFLOOD
- uses pike to detect flood and htable to ban the IP for a while

---

 etc/kamailio.cfg |   41 +++++++++++++++++++++++++++++++++++++++++
 1 files changed, 41 insertions(+), 0 deletions(-)

diff --git a/etc/kamailio.cfg b/etc/kamailio.cfg
index 0e48dd4..c2ef9e9 100644
--- a/etc/kamailio.cfg
+++ b/etc/kamailio.cfg
@@ -59,6 +59,11 @@
 #     - adjust CFGDIR/tls.cfg as needed
 #     - define WITH_TLS
 #
+# *** To enable anti-flood detection execute:
+#     - adjust pike and htable=>ipban settings as needed (default is
+#       block if more than 16 requests in 2 seconds and ban for 300 seconds)
+#     - define WITH_ANTIFLOOD
+#
 # *** To enhance accounting execute:
 #     - enable mysql
 #     - define WITH_ACCDB
@@ -223,6 +228,11 @@ loadmodule "rtpproxy.so"
 loadmodule "tls.so"
 #!endif
 
+#!ifdef WITH_ANTIFLOOD
+loadmodule "htable.so"
+loadmodule "pike.so"
+#!endif
+
 # ----------------- setting module-specific parameters ---------------
 
 
@@ -353,6 +363,16 @@ modparam("usrloc", "nat_bflag", FLB_NATB)
 modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")
 #!endif
 
+#!ifdef WITH_ANTIFLOOD
+# ----- pike params -----
+modparam("pike", "sampling_time_unit", 2)
+modparam("pike", "reqs_density_per_unit", 16)
+modparam("pike", "remove_latency", 4)
+
+# ----- htable params -----
+# ip ban htable with autoexpire after 5 minutes
+modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
+#!endif
 
 ####### Routing Logic ########
 
@@ -450,6 +470,27 @@ route[RELAY] {
 
 # Per SIP request initial checks
 route[REQINIT] {
+#!ifdef WITH_ANTIFLOOD
+	# flood dection from same IP and traffic ban for a while
+	# be sure you exclude checking trusted peers, such as pstn gateways
+	# - local host excluded (e.g., loop to self)
+	if(src_ip!=myself)
+	{
+		if($sht(ipban=>$si)!=$null)
+		{
+			# ip is already blocked
+			xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
+			exit;
+		}
+		if (!pike_check_req())
+		{
+			xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");
+			$sht(ipban=>$si) = 1;
+			exit;
+		}
+	}
+#!endif
+
 	if (!mf_process_maxfwd_header("10")) {
 		sl_send_reply("483","Too Many Hops");
 		exit;
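Review bot: The only source exempted from the ban logic in route[REQINIT] is `src_ip!=myself`; excluding trusted peers is left to a comment, so a PSTN gateway or a busy NAT'd site that exceeds 16 requests in 2 seconds is silently dropped for 300 seconds. The ban is keyed on `$si`, which is not verified for UDP, so an explicit allow-list matters more here. I would put the exemption in the condition itself, e.g. `if(src_ip!=myself && src_ip!=192.0.2.10)`, where 192.0.2.10 is a constructed placeholder for a gateway address. It is also worth confirming whether `pike_check_req()` can return a negative value for an internal error in this pike version, because `!pike_check_req()` would then ban the source on an error as well as on a detected flood. The body of route[REQINIT] continues past the end of this hunk.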



