As an alternative, you may consider the pipelimit module, which has the additional virtue of allowing you to count requests based on arbitrary criteria, not just source address.
— Sent from mobile, with due apologies for brevity and errors. > On Mar 22, 2020, at 11:43 AM, JR Richardson <[email protected]> wrote: > > > Thanks Daniel, > > That clear it up a bit. For my own edification, when I get a few minutes, > I’ll lab this up and throw some specific quantities of SIP packets and > validate the time and density of trigger and report back. Maybe we can update > the module documentation for clarity and remove some confusion. > > JR > > JR Richardson > Engineering for the Masses > Chasing the Azeotrope > JRx DistillCo > 1’st Place Brisket > > From: Daniel-Constantin Mierla <[email protected]> > Sent: Sunday, March 22, 2020 4:37 AM > To: Kamailio (SER) - Users Mailing List <[email protected]>; JR > Richardson <[email protected]>; SIP Router - Kamailio (OpenSER) and > SIP Express Router (SER) - Users Mailing List <[email protected]> > Subject: Re: [SR-Users] Pike Module Clarification > > Hello, > > I am not very familiar with the code as I haven't written the module, but > iirc, if it is an isolated IP, then it takes 3 x sampling_time_unit to block > that IP if there is traffic from it at a rate of more than 30 requests (can > be even 1000+ requests). > > Then, an IP can be blocked after the first sampling_time_unit if it is part > of a subnetwork (/24) that has other IP addresses already blocked. > > As a simple rule, any IP is blocked for sure after 3 x sampling_time_unit > with higher rate than the density and is kept block if it continues to send > high volume of requests. > > Cheers, > Daniel > > On 21.03.20 15:18, JR Richardson wrote: > Hi All, > > Please clarify the pike settings for SIP message count, the module Doc > reports: > > ---- > modparam("pike", "sampling_time_unit", 10) > modparam("pike", "reqs_density_per_unit", 30) > > How many requests should be allowed per sampling_time_unit before blocking > all the incoming request from that IP. Practically, the blocking limit is > between ( let's have x=reqs_density_per_unit) x and 3*x for IPv4 addresses > and between x and 8*x for IPv6 addresses. > ----- > > So the example above the SIP message rate is 30 messages within 10 seconds > triggers an pike alert? > > The description I’m confused on is “Practically, the blocking ‘limit is > between’ (let's have x=reqs_density_per_unit) x and 3*x for IPv4” > > The way this reads to me is the Pike alert could be triggered anywhere > between 30 and 90 (3*30) messages within 10 second period. Am I reading this > correctly? What determines when the pike trigger actually happens, could the > trigger happen at say 56 messages within 10 seconds? > > Thanks. > > JR Richardson > Engineering for the Masses > Chasing the Azeotrope > JRx DistillCo > 1’st Place Brisket > 1’st Place Chili > > > _______________________________________________ > Kamailio (SER) - Users Mailing List > [email protected] > https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users > -- > Daniel-Constantin Mierla -- www.asipto.com > www.twitter.com/miconda -- www.linkedin.com/in/miconda > _______________________________________________ > Kamailio (SER) - Users Mailing List > [email protected] > https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________ Kamailio (SER) - Users Mailing List [email protected] https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
