Done.

1. ipset create SIPFLOOD hash:ip timeout 120 comment

2. iptables -A INPUT -m set --match-set SIPFLOOD src -j DROP

3. Add to /etc/sudoers:

   opensips ALL= NOPASSWD: /sbin/ipset

4. OpenSIPS config (OPTIONS processing for the test environment):

   #### exec
   loadmodule "exec.so"

   #### antiflood module
   loadmodule "pike.so"
   modparam("pike", "sampling_time_unit", 2)
   modparam("pike", "reqs_density_per_unit", 10)
   modparam("pike", "remove_latency", 120)

   ...

   if(is_method("OPTIONS")) {
       pike_check_req();
       switch($retcode) {
           case -2:
               # detected once - simply drop the request
               exit;
           case -1:
               # detected again - ban the IP and drop the request
               exec("/usr/bin/sudo ipset -exist add SIPFLOOD $si");
               exit;
       }
       sl_send_reply("200", "OK");
       exit;
   }

5. Test with sipp. Generate 70 requests (-r) in 2 seconds (-rp 2000) and exit sipp after sending 70 requests (-m):

   sipp 172.16.0.222 -r 70 -rp 2000 -m 70 -sf OPTIONS.xml

   OPTIONS.xml contents:

   <?xml version="1.0" encoding="us-ascii"?>
   <scenario name="Options">
     <send>
       <![CDATA[
   OPTIONS sip:[service]@[remote_ip] SIP/2.0
   Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
   Max-Forwards: 70
   To: <sip:[service]@[remote_ip]>
   From: sipp <sip:sipp@[local_ip]:[local_port]>;tag=[call_number]
   Call-ID: [call_id]
   CSeq: 1 OPTIONS
   Contact: <sip:sipp@[local_ip]:[local_port]>
   Accept: application/sdp
   Content-Length: 0

       ]]>
     </send>
   </scenario>

6. Profit :)

-----------------------------------------------
BR, Alexey
http://alexeyka.zantsev.com/

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
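As an added example (not part of Alexey's post), a small wrapper that can be named in sudoers in place of /sbin/ipset, so the opensips user can only add one validated IPv4 address to the SIPFLOOD set rather than run arbitrary ipset subcommands; the install path /usr/local/sbin/sipflood-ban, and the matching sudoers and exec() lines in the comments, are assumptions.

```shell
#!/bin/sh
# Assumed install path: /usr/local/sbin/sipflood-ban (not from the original post).
# Assumed sudoers line:  opensips ALL= NOPASSWD: /usr/local/sbin/sipflood-ban
# Assumed OpenSIPS call: exec("/usr/bin/sudo /usr/local/sbin/sipflood-ban $si");
SET_NAME="SIPFLOOD"
IPSET_BIN="/sbin/ipset"

# Return 0 if $1 is a strict dotted-quad IPv4 address (each octet 0-255), else 1.
is_ipv4() {
    ip="$1"
    # only digits and dots, no leading/trailing/doubled dot -> exactly four fields
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        [ "${#octet}" -le 3 ] || return 1   # bound length before numeric compare
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the exact ipset command line for a validated address; return 1 on bad input.
# '-exist' keeps a repeat ban from failing (same flag the original config uses).
ban_cmd() {
    is_ipv4 "$1" || return 1
    printf '%s -exist add %s %s\n' "$IPSET_BIN" "$SET_NAME" "$1"
}

# Only when invoked as the installed wrapper (not when sourced): validate and execute.
if [ "${0##*/}" = "sipflood-ban" ]; then
    cmd=$(ban_cmd "$1") || { echo "refusing: invalid address '$1'" >&2; exit 2; }
    exec $cmd
fi
```

The ban still expires with the set's 120 s timeout, so the only behaviour change is that anything other than a well-formed address is refused before ipset is ever called.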