[SR-Users] Mitigating DDOS attacks from carrier based on ani or dnis by limiting cps or blocking when detecting

anfecora anfecora at gmail.com
Thu Sep 8 07:00:24 CEST 2016


Thanks Alex,
Do you think I can do something like this, where I check $fU reaching the rate
limit and then block it somehow for a few minutes?

Thank you, I appreciate your help.

# perform pipe match for INVITE

        if (is_method("INVITE")) {
                $var(invlimit) = 10;
                if (!pl_check("$fU", "TAILDROP", "$var(invlimit)")) {
                        pl_drop();
                        exit;
                }
        }

On Wed, Sep 7, 2016 at 9:23 PM, Alex Balashov <abalashov at evaristesys.com>
wrote:

> May I humbly suggest the very flexible pipelimit module?
>
>
> On 09/08/2016 12:12 AM, anfecora wrote:
>
>> Hi, is there any way to use pike and htable to mitigate DDoS or flood
>> attacks from trusted trunks?
>>
>> I need help to build it the same way Kamailio controls registrations.
>>
>> In case a carrier trunk starts calling several users from the system at more
>> than 50 CPS (calls per second), it will affect the system, but we cannot
>> block the trunk since it is PSTN traffic coming from a SIP provider;
>> therefore we need to find a way to identify this traffic based on ANI or
>> DNIS or any other header and then block it for a time, just like pike does
>> with registrations, then start the cycle all over.
>>
>> In fewer words: make Kamailio aware of the INVITE request rate, then
>> verify that it is from the same source (meaning ANI or DNIS), then tag it as
>> bad traffic and start dropping it for a specified time, while normal traffic
>> keeps flowing unaffected.
>>
>> Any recommendations will be highly appreciated.
>>
>> thank you
>>
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>
>>
>
> --
> Alex Balashov | Principal | Evariste Systems LLC
>
> Tel: +1-706-510-6800 (direct) / +1-800-250-5920 (toll-free)
> Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
>
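
One way to combine the pipelimit check from the message above with the timed block it asks about, as an added example that is not part of the original thread or of Kamailio's shipped configuration. The htable name "aniban", the 300-second ban and the "noani-" fallback key are assumptions; the limit of 10 and the pl_check()/pl_drop() calls are taken from the post.

```kamailio
# Added example, not code from the thread.
# Assumed names and values: table "aniban", 300 s ban, "noani-" fallback key.
loadmodule "sl.so"
loadmodule "textops.so"     # is_method()
loadmodule "siputils.so"    # has_totag()
loadmodule "xlog.so"
loadmodule "htable.so"
loadmodule "pipelimit.so"

# Ban entries expire on their own 300 seconds after they are written,
# so the cycle restarts without any cleanup logic in the route.
modparam("htable", "htable", "aniban=>size=8;autoexpire=300;")

request_route {
    # Count only initial INVITEs; re-INVITEs of live calls carry a To tag.
    if (is_method("INVITE") && !has_totag()) {
        # Key on the From user (ANI); fall back to the source IP when it
        # is absent so such calls do not all share one key.
        if ($fU == $null) {
            $var(key) = "noani-" + $si;
        } else {
            $var(key) = $fU;
        }

        # Key is still banned: reject statelessly before any other work.
        # Reading the entry does not extend its lifetime.
        if ($sht(aniban=>$var(key)) != $null) {
            sl_send_reply("503", "Service Unavailable");
            exit;
        }

        # Same pipe check as in the post, keyed per ANI.
        $var(invlimit) = 10;
        if (!pl_check("$var(key)", "TAILDROP", "$var(invlimit)")) {
            # Over the limit: start the ban window, log it, drop.
            $sht(aniban=>$var(key)) = 1;
            xlog("L_WARN", "INVITE limit hit for $var(key) from $si, banned\n");
            pl_drop();
            exit;
        }
    }

    # ... rest of the routing logic ...
}
```

Callers that present a shared From user (for example a withheld number shown as "anonymous") land on one key, so a single flood can ban all of them for the window; exempt or re-key such values before relying on this.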