Hmmm... indeed, the "sequential calls" only reset if you dial a different number.
If the other stats reset at midnight/interval change, I don't see why this specific one should be different. To me, it looks like a bug. Do you agree?

Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com

On 03.04.2018 16:49, Denis via Users wrote:

Hello Liviu!

I am sorry, I totally missed one important thing - serial forking)))
I.e. I had 52 records in accounting, but several of them lead to one call.
As a result I had exactly 29 calls before the fraud module began to block subsequent calls.
About counters reset I understood. Thank you.
The last question about "sequential_calls". This counter does not reset? Even in manual mode?
Thank you.

--
Sincerely, Denis.
Best regards, Denis

03.04.2018, 15:30, "Liviu Chircu" <li...@opensips.org>:
Regarding the "52 calls" vs. 25/30 limits, are you sure all 52 calls were made by the same user? Keep in mind that all fraud_detection module stats are per-user counters, and not global counters. If they really were all made by the same user, please let me know and I will double-check my tests.
The "cpm", "total_calls" and "concurrent_calls" reset either on an interval change or at midnight (new day ahead). This leads to a possible undetected abuse of up to 2x your provisioned "cpm", "total_calls" or "concurrent_calls", if the malicious user places "limit - 1" events before the reset, followed by another "limit - 1" events past the reset. If this is too much for you, then your provisioned limits (thresholds) are incorrect, and you should simply cut them in half.
Best regards,

Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com

On 22.03.2018 09:59, Denis via Users wrote:

Hello!
Is there any idea about the problem?
Thank you.

--
Sincerely, Denis.
Best regards, Denis

16.03.2018, 15:22, "Denis via Users" <firstname.lastname@example.org>:

Hello!
I am sorry that it was early, but anyway.
Server:: OpenSIPS (2.2.5 (x86_64/linux))
Fraud_module has been activated.
Profile data
17.02.18 20:55 Opensips received first fraud call.
And before Opensips detected fraud there were 52 more calls to the 810 prefix.
First question is why it didn't detect fraud earlier (dialing with total_calls, for example)?
Then.
Till the end of 17.02 Opensips blocked the calls from client to 810, but on 18.02 I can see successful fraud calls to 810 from the client again.
Second question is why? Opensips resets count every new day?
Thank you.

--
Sincerely, Denis.
Best regards, Denis
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
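The reset-boundary effect described in the reply above, as an added example that is not part of the original thread and not OpenSIPS code: a simplified per-user counter that resets on an interval change, run over a constructed burst of "limit - 1" calls on each side of the reset. The function names, the one-hour interval and the limit of 30 are assumptions for illustration; the model treats a call as undetected while the user's counter is below the limit.

```python
from collections import defaultdict

def undetected_calls(calls, limit, interval):
    """Simplified model (assumption): per-user counter that resets whenever the
    interval index changes. calls is a time-sorted list of (user, t_seconds).
    A call is undetected while the user's counter stays below the limit."""
    counters, window_of, passed = defaultdict(int), {}, []
    for user, t in calls:
        window = t // interval
        if window_of.get(user) != window:      # interval change: reset counter
            window_of[user] = window
            counters[user] = 0
        counters[user] += 1
        if counters[user] < limit:
            passed.append((user, t))
    return passed

def worst_burst(passed, span):
    """Largest number of undetected calls by one user within any span seconds."""
    by_user = defaultdict(list)
    for user, t in passed:
        by_user[user].append(t)
    best = 0
    for times in by_user.values():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] >= span:
                start += 1
            best = max(best, end - start + 1)
    return best

def straddling_burst(limit, interval, user="user-a"):
    """Constructed sample: limit-1 calls just before a reset, limit-1 just after."""
    n = limit - 1
    before = [(user, interval - n + i) for i in range(n)]
    after = [(user, interval + i) for i in range(n)]
    return before + after

INTERVAL = 3600      # assumed interval length in seconds
PROVISIONED = 30     # assumed provisioned threshold

if __name__ == "__main__":
    burst = straddling_burst(PROVISIONED, INTERVAL)
    for limit in (PROVISIONED, PROVISIONED // 2):
        passed = undetected_calls(burst, limit, INTERVAL)
        print(f"limit={limit}: worst undetected burst in {INTERVAL}s = "
              f"{worst_burst(passed, INTERVAL)}")
```

With the provisioned limit, 58 calls pass inside one hour; with the limit cut in half, the same burst yields 28, which stays under the originally intended 30.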
Liviu, and another interesting case.
Here, https://yadi.sk/i/-vRrJXtz3U5m2Z, you can find cdr of the fraud case.
In the table:
time - time of the call
callid - sip callid
src_domain - source ip
src_user - caller (from one number)
dst_user - callee
sip_reason and duration - columns from acc table.
Several sip callid with the same value deal with serial forking.
So, sip_reason "fraud_detected" means that fraud module detected bad calls.
Why do we have a situation when after fraud is detected there are successful bad calls?
Fraud profile is the same as mentioned earlier.
Sincerely, Denis.
Best regards, Denis
03.04.2018, 18:28, "Liviu Chircu" <li...@opensips.org>: