[SR-Users] Pike Module Clarification

Daniel-Constantin Mierla miconda at gmail.com
Sun Mar 22 18:38:08 CET 2020


Hello,

improvements to the documentation are always more than welcome! Pike is
a rather old module, not much touched lately, so its docs could be from
a long time ago. At some point I wanted to put some new code to allow
defining more IP blocking trees and a few other enhancements, but other
projects got in the way...

Cheers,
Daniel

On 22.03.20 16:40, JR Richardson wrote:
> Thanks Daniel,
>
> That clears it up a bit. For my own edification, when I get a few
> minutes, I’ll lab this up and throw some specific quantities of SIP
> packets and validate the time and density of trigger and report back.
> Maybe we can update the module documentation for clarity and remove
> some confusion.
>
> JR
>
> JR Richardson
>
> Engineering for the Masses
>
> Chasing the Azeotrope
>
> JRx DistillCo
>
> 1’st Place Brisket
>
>  
>
> *From:* Daniel-Constantin Mierla <miconda at gmail.com>
> *Sent:* Sunday, March 22, 2020 4:37 AM
> *To:* Kamailio (SER) - Users Mailing List
> <sr-users at lists.kamailio.org>; JR Richardson
> <jmr.richardson at gmail.com>; SIP Router - Kamailio (OpenSER) and SIP
> Express Router (SER) - Users Mailing List <sr-users at lists.sip-router.org>
> *Subject:* Re: [SR-Users] Pike Module Clarification
>
>  
>
> Hello,
>
> I am not very familiar with the code as I haven't written the module,
> but iirc, if it is an isolated IP, then it takes 3 x
> sampling_time_unit to block that IP if there is traffic from it at a
> rate of more than 30 requests (can be even 1000+ requests).
>
> Then, an IP can be blocked after the first sampling_time_unit if it is
> part of a subnetwork (/24) that has other IP addresses already blocked.
>
> As a simple rule, any IP is blocked for sure after 3 x
> sampling_time_unit with a higher rate than the density and is kept blocked
> if it continues to send a high volume of requests.
>
> Cheers,
> Daniel
>
> On 21.03.20 15:18, JR Richardson wrote:
>
>     Hi All,
>
>      
>
>     Please clarify the pike settings for SIP message count, the module
>     Doc reports:
>
>      
>
>     ----
>
>     modparam("pike", "sampling_time_unit", 10)
>
>     modparam("pike", "reqs_density_per_unit", 30)
>
>      
>
>     How many requests should be allowed per |sampling_time_unit|
>     before blocking all the incoming request from that IP.
>     Practically, the blocking limit is between ( let's have
>     x=reqs_density_per_unit) x and 3*x for IPv4 addresses and between
>     x and 8*x for IPv6 addresses.
>
>     -----
>
>      
>
>     So in the example above, a SIP message rate of 30 messages within 10
>     seconds triggers a pike alert?
>
>      
>
>     The description I’m confused on is “Practically, the blocking
>     ‘*limit is between*’ (let's have x=reqs_density_per_unit) x and 3*x
>     for IPv4”
>
>      
>
>     The way this reads to me is the Pike alert could be triggered
>     anywhere between 30 and 90 (3*30) messages within 10 second
>     period. Am I reading this correctly? What determines when the pike
>     trigger actually happens, could the trigger happen at say 56
>     messages within 10 seconds?
>
>      
>
>     Thanks.
>
>      
>
>     JR Richardson
>
>     Engineering for the Masses
>
>     Chasing the Azeotrope
>
>     JRx DistillCo
>
>     1’st Place Brisket
>
>     1’st Place Chili
>
>
> -- 
> Daniel-Constantin Mierla -- www.asipto.com <http://www.asipto.com>
> www.twitter.com/miconda <http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda <http://www.linkedin.com/in/miconda>

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
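
Added example, not part of the messages in this thread and not the Kamailio project's own configuration: a kamailio.cfg fragment that applies the two parameters quoted above and logs the first detection of a source separately from later hits, which gives a timestamp to compare against the "3 x sampling_time_unit" rule of thumb from the reply. The remove_latency value and the log wording are assumptions made for the example.

```kamailio
# Added example (not from the thread). Merge into an existing kamailio.cfg.
loadmodule "pv.so"
loadmodule "xlog.so"
loadmodule "pike.so"

# Values quoted from the module docs in the thread.
modparam("pike", "sampling_time_unit", 10)      # sampling window, in seconds
modparam("pike", "reqs_density_per_unit", 30)   # "x" in the docs' x .. 3*x range
# Assumption: example value. Seconds an IP is kept in memory after its
# last request.
modparam("pike", "remove_latency", 120)

request_route {
    # pike_check_req() returns 1 when the source is not flagged,
    # -1 when it was already flagged as flooding, and
    # -2 when it is flagged for the first time.
    if (!pike_check_req()) {
        $var(rc) = $rc;   # save before another function overwrites $rc
        if ($var(rc) == -2) {
            # First detection: one log line per source, with the syslog
            # timestamp marking when the block actually started.
            xlog("L_ALERT", "pike: first block of $si ($rm from $fu)\n");
        }
        # Later hits (-1) are dropped without logging so the flood
        # cannot fill the log.
        exit;
    }

    # ... normal request routing continues here ...
}
```

With sampling_time_unit at 10, the rule of thumb in the reply puts the certain block of an isolated IPv4 source at 30 seconds of sustained traffic above the density, so the first-block log line is the value to check in a lab run.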
