[OpenSIPS-Users] ratelimit: per group/account limiting

Ovidiu Sas osas at voipembedded.com
Tue Feb 22 23:10:53 CET 2011


On Tue, Feb 22, 2011 at 3:28 PM, Adrian Georgescu <ag at ag-projects.com> wrote:
> Ovidiu,
>
> With stolen account credentials one can cause major frauds during a single weekend without looking like a DOS attack.

That is correct, but I don't really see how ratelimitation would help
here for regular accounts.
A regular SIP subscriber should have a channel limitation of 2 (no
more than 2 simultaneous calls).  In this case, the cps doesn't really
matter.

If a virtual PRI is set up (23 channels for NA or 30 channels for
Europe), again the cps doesn't really count.  As soon as the virtual
PRI is maxed out (in terms of channels) all subsequent calls will be
rejected (and the cps will be 0).

Now, if we have a large SIP trunk, ratelimiting will indeed help.
The ratelimit module has a limit of 16 pipes.  This number can be
increased, but the module is not optimized to deal with a large number
of pipes or dynamic pipes.



To summarize, IMHO, the real benefit of ratelimiting (cps control) is
for large SIP trunks.  For regular SIP subscribers it doesn't really
matter (except for malicious traffic that could be detected with
pike).


Regards,
Ovidiu Sas

> Rate limiting of normal SIP accounts to a few simultaneous calls or whatever is normal usage is the best defensive strategy. Pike is not useful for non-DOS situations like this.
>
> Adrian
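
The channel-limit argument in the reply above, as an added simulation that is not part of the original thread or of OpenSIPS: one account receives call attempts at a constant rate and is capped at a number of concurrent channels. The 10 attempts per second, the fixed 60-second call duration, the 10-minute window, and the 1000-channel trunk are constructed values; `simulate` is a hypothetical helper.

```python
import heapq

def simulate(channels, attempts_per_sec, hold_secs, duration_secs):
    """Offer calls at a constant rate to an account capped at `channels`
    concurrent calls. Returns (accepted, rejected, peak_concurrent).
    Time is counted in integer ticks of 1/attempts_per_sec seconds."""
    hold_ticks = hold_secs * attempts_per_sec
    active = []                      # min-heap of end ticks of calls in progress
    accepted = rejected = peak = 0
    for now in range(attempts_per_sec * duration_secs):
        # Release channels whose calls have ended by this tick.
        while active and active[0] <= now:
            heapq.heappop(active)
        if len(active) < channels:   # a channel is free: admit the call
            heapq.heappush(active, now + hold_ticks)
            accepted += 1
            peak = max(peak, len(active))
        else:                        # all channels busy: reject
            rejected += 1
    return accepted, rejected, peak

if __name__ == "__main__":
    # Constructed scenarios: same offered load, different channel caps.
    for label, ch in (("subscriber", 2), ("NA virtual PRI", 23),
                      ("Europe virtual PRI", 30), ("large trunk", 1000)):
        acc, rej, peak = simulate(ch, attempts_per_sec=10,
                                  hold_secs=60, duration_secs=600)
        print(f"{label:20s} channels={ch:5d} accepted={acc:5d} "
              f"rejected={rej:5d} peak={peak:4d} "
              f"accepted_cps={acc / 600:.3f}")
```

With a cap of 2 or 23 channels the accepted rate is fixed by channels divided by call duration, whatever the offered cps. On the 1000-channel trunk the cap is never reached at this load, so a cps limit is the only control that applies.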


