[OpenSIPS-Devel] Pike module - extending the flood detection

Bogdan-Andrei Iancu bogdan at voice-system.ro
Mon Sep 14 21:23:12 CEST 2009


Hi,

The SVN trunk contains new extensions on the pike module for extending 
the flood detection: (1) from checking requests only, to checking all 
SIP traffic and (2) from checking the valid SIP packages to checking all 
received data (even if junk).

In the new form, there are 2 ways of using this module (as detecting 
flood attacks and as taking the right action to limit the impact on the 
system):
     * manual - from routing script you can force the check of the 
source IP of an incoming request, using "pike_check_req" function. Note 
that this checking works only for SIP requests and you can decide 
(based on scripting logic) what source IPs to be monitored and what 
action to be taken when a flood is detected.
     * automatic - the module will install internal hooks to catch all 
incoming requests and replies (even if not well formed from SIP point of 
view) - more or less the module will monitor all incoming packages (from 
the network) on the SIP sockets. Each time the source IP of a package 
needs to be analysed (to see if trusted or not), the module will run a 
script route - see "check_route" module parameter -, where, based on 
custom logic, you can decide if that IP needs to be monitored for 
flooding or not. As action, when flood is detected, the module will 
automatically drop the packages. Ex:

...
modparam("pike", "check_route", "pike")
...
...
route[pike]{
    if ($si==111.222.111.222)  /*trusted, do not check this IP*/
        drop;
    /* all other IPs are checked*/
}
....


Regards,
Bogdan
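
Added example (not part of the original message or of the OpenSIPS sources): a sketch of the manual mode described above, where the routing script decides which source IPs are checked and what happens when a flood is detected. The trusted address and the threshold values are constructed; sampling_time_unit, reqs_density_per_unit and remove_latency are the pike module's tuning parameters, which the message itself does not mention.

```cfg
loadmodule "pike.so"

# Constructed thresholds: more than 30 requests from one source IP
# within a 2-second sampling unit is treated as a flood.
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 30)
# Keep an IP in pike's memory for 120 seconds after its last request.
modparam("pike", "remove_latency", 120)

# "check_route" is not set here: checking happens only where the
# script calls pike_check_req() explicitly (manual mode).

route {
    # Trusted peer (constructed address): never subject to flood checks.
    if ($si != "192.0.2.10") {
        # Manual mode sees well-formed SIP requests only; replies and
        # junk data on the socket do not reach this route.
        if (!pike_check_req()) {
            # The action on detection is the script's choice; this one
            # logs the source and stops processing without replying.
            xlog("L_WARN", "pike: flood detected from $si, request dropped\n");
            exit;
        }
    }

    # ... normal request routing continues here ...
}
```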




