We have recently added a new feature that allows sipXecs the detect DoS attacks and prevent it from crashing the system. The algorithm is a simple packet rate counter that measures the number of packets received per second. A certain threshold can be set via the web UI on what the threshold limit is. The current default is 100 packets per second. This can be adjusted based on the actual traffic intensity or lack thereof in a particular deployment. A threshold violation triggers an Alarm to be raised so that administrators get a notification when the threshold is reach and if they need to increase it.
On top of the rate counter, the transport layer also maintains a dynamic map of the IP addresses that sent packets to sipXecs. If a threshold violation is reached, this map will be consulted and see if a certain IP is responsible for a certain percentage of the total packets received. The current default for this is 50 packets. Thus, we can say that the rate limit ratio is 50/100. If the transport pinpoints a particular IP sends more than or equal to 50, the particular IP will be banned from ever sending any packets to sipXecs until such time it is granted a parole by the system. The lifetime by which a particular IP is banned from the system is also configurable. The current default is 3600 seconds or 1 hour. After an IP address is banned, it will be released from the transport jail and would be allowed again to send traffic to sipXecs until such time it again violates the rate ratio. There are instances when predictive dialers for call centers are deployed within the network and might be misinterpreted by the ratelimit procedure as a DoS attacker. To allow friendly rate violators from ever getting jailed, a white list is also provided by the config to tell sipXecs who the friendlies are and would be granted immunity. If that is not enough, a black list is also provided so that you can simply copy and paste IP addresses of known attackers to permanently ban them from ever sending packets to sipXecs. Enjoy! Note: Release engineering should be able pinpoint the exact version where this feature would be included should any one care to ask. Joegen _______________________________________________ sipx-dev mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-dev/
