[SR-Users] Pike Module Clarification
JR Richardson
jmr.richardson at gmail.com
Sun Mar 22 16:40:29 CET 2020
Thanks Daniel,
That clears it up a bit. For my own edification, when I get a few minutes,
I'll lab this up and throw some specific quantities of SIP packets and
validate the time and density of trigger and report back. Maybe we can
update the module documentation for clarity and remove some confusion.
JR
JR Richardson
Engineering for the Masses
Chasing the Azeotrope
JRx DistillCo
1'st Place Brisket
From: Daniel-Constantin Mierla <miconda at gmail.com>
Sent: Sunday, March 22, 2020 4:37 AM
To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>; JR
Richardson <jmr.richardson at gmail.com>; SIP Router - Kamailio (OpenSER) and
SIP Express Router (SER) - Users Mailing List
<sr-users at lists.sip-router.org>
Subject: Re: [SR-Users] Pike Module Clarification
Hello,
I am not very familiar with the code as I haven't written the module, but
iirc, if it is an isolated IP, then it takes 3 x sampling_time_unit to block
that IP if there is traffic from it at a rate of more than 30 requests (can
be even 1000+ requests).
Then, an IP can be blocked after the first sampling_time_unit if it is part
of a subnetwork (/24) that has other IP addresses already blocked.
As a simple rule, any IP is blocked for sure after 3 x sampling_time_unit
with higher rate than the density and is kept blocked if it continues to send
high volume of requests.
Cheers,
Daniel
On 21.03.20 15:18, JR Richardson wrote:
Hi All,
Please clarify the pike settings for SIP message count, the module Doc
reports:
----
modparam("pike", "sampling_time_unit", 10)
modparam("pike", "reqs_density_per_unit", 30)
How many requests should be allowed per sampling_time_unit before blocking
all the incoming request from that IP. Practically, the blocking limit is
between ( let's have x=reqs_density_per_unit) x and 3*x for IPv4 addresses
and between x and 8*x for IPv6 addresses.
-----
So in the example above, a SIP message rate of 30 messages within 10 seconds
triggers a pike alert?
The description I'm confused on is "Practically, the blocking 'limit is
between' (let's have x=reqs_density_per_unit) x and 3*x for IPv4"
The way this reads to me is the Pike alert could be triggered anywhere
between 30 and 90 (3*30) messages within a 10 second period. Am I reading this
correctly? What determines when the pike trigger actually happens, could the
trigger happen at say 56 messages within 10 seconds?
Thanks.
JR Richardson
Engineering for the Masses
Chasing the Azeotrope
JRx DistillCo
1'st Place Brisket
1'st Place Chili
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
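Added example, not part of the thread or of the Kamailio documentation: a minimal lab configuration fragment that wires the quoted pike parameters into the request route and logs a timestamp for every passed and blocked request, so the point at which blocking starts can be read from the log. It assumes a throwaway lab instance; the log message text and the stateless 200 reply are choices made for this example.

```cfg
# Added example: minimal pike wiring for a lab instance (not from the thread).
loadmodule "pv.so"      # pseudo-variables: $si, $sp, $rm, $TS
loadmodule "xlog.so"    # xlog()
loadmodule "sl.so"      # sl_send_reply()
loadmodule "pike.so"    # pike_check_req()

# Values taken from the module documentation excerpt quoted in the thread.
modparam("pike", "sampling_time_unit", 10)      # length of one sampling window, in seconds
modparam("pike", "reqs_density_per_unit", 30)   # x: requests allowed per window

request_route {
    # pike_check_req() fails once the source IP has been flagged as flooding.
    # Per the reply in the thread, an isolated IP sending above the density
    # is blocked for sure after 3 x sampling_time_unit (30 s with these values),
    # and possibly after the first window if its /24 already has blocked IPs.
    if (!pike_check_req()) {
        # $TS is the current unix timestamp; log text is constructed for this example
        xlog("L_ALERT", "pike block ts=$TS src=$si:$sp method=$rm\n");
        exit;   # drop silently, no reply to the flagged source
    }

    # Request passed the flood check: record it so that pass and block
    # timestamps can be compared per source IP in the log.
    xlog("L_INFO", "pike pass ts=$TS src=$si:$sp method=$rm\n");

    # Lab-only behaviour (assumption): answer everything statelessly.
    sl_send_reply("200", "OK");
    exit;
}
```

Counting the "pike pass" lines per source between the first request and the first "pike block" line gives the number of requests and the elapsed time before blocking for that run.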