[OpenSIPS-Users] pike & exec & iptables
Liviu Chircu
liviu at opensips.org
Thu May 24 02:15:23 EDT 2018
Nice! I noticed your blog post as well :)
Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com
On 24.05.2018 07:56, Alexey K. via Users wrote:
> Done.
>
> 1. ipset create SIPFLOOD hash:ip timeout 120 comment
>
> 2. iptables -A INPUT -m set --match-set SIPFLOOD src -j DROP
>
> 3. add to /etc/sudoers:
> opensips ALL= NOPASSWD: /sbin/ipset
>
> 4. OpenSIPS config (OPTIONS processing for test environment):
>
> #### exec
> loadmodule "exec.so"
>
> #### antiflood module
> loadmodule "pike.so"
> modparam("pike", "sampling_time_unit", 2)
> modparam("pike", "reqs_density_per_unit", 10)
> modparam("pike", "remove_latency", 120)
>
> ...
>
> if(is_method("OPTIONS")) {
>
>     pike_check_req();
>     switch($retcode) {
>         case -2: # detected once - simply drop the request
>             exit;
>         case -1: # detected again - ban the IP and drop request
>             exec("/usr/bin/sudo ipset -exist add SIPFLOOD $si");
>             exit;
>     }
>
>     sl_send_reply("200", "OK");
>     exit;
> }
>
> 5. Test with sipp. Generate 70 requests (-r) in 2 seconds (-rp 2000) and exit sipp after sending 70 requests (-m):
>
> sipp 172.16.0.222 -r 70 -rp 2000 -m 70 -sf OPTIONS.xml
>
>
> OPTIONS.xml contents:
>
>
> <?xml version="1.0" encoding="us-ascii"?>
> <scenario name="Options">
>   <send>
>     <![CDATA[
>       OPTIONS sip:[service]@[remote_ip] SIP/2.0
>       Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
>       Max-Forwards: 70
>       To:<sip:[service]@[remote_ip]>
>       From: sipp<sip:sipp@[local_ip]:[local_port]>;tag=[call_number]
>       Call-ID: [call_id]
>       CSeq: 1 OPTIONS
>       Contact:<sip:sipp@[local_ip]:[local_port]>
>       Accept: application/sdp
>       Content-Length: 0
>     ]]>
>   </send>
> </scenario>
>
>
> 6. Profit:)
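
A tighter variant of steps 3 and 4, as an added example that is not part of the original thread: the sudoers rule in step 3 lets the opensips user run any ipset subcommand as root, so this wrapper accepts exactly one IPv4 address and always runs the same `add` into SIPFLOOD. The wrapper name and path (/usr/local/sbin/sipflood-ban) are assumptions, and IPv6 sources are rejected on the assumption that the hash:ip set from step 1 uses the default IPv4 family.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. /usr/local/sbin/sipflood-ban (name/path assumed).
# sudoers:  opensips ALL=(root) NOPASSWD: /usr/local/sbin/sipflood-ban
# OpenSIPS: exec("/usr/bin/sudo /usr/local/sbin/sipflood-ban $si");

IPSET_BIN=/sbin/ipset   # fixed path, never read from the environment
SET_NAME=SIPFLOOD       # set created in step 1

# Succeed only for a dotted-quad IPv4 address, octets 0..255, no leading zeros.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;      # only digits and dots allowed
    esac
    rest="$1."
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        case "$octet" in
            ''|0?*|????*) return 1 ;;  # empty, leading zero, or too long
        esac
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Add one validated address to the set; the subcommand and set name are fixed.
ban_ip() {
    if [ "$#" -ne 1 ] || ! is_ipv4 "$1"; then
        echo "sipflood-ban: refusing argument" >&2
        return 64
    fi
    "$IPSET_BIN" -exist add "$SET_NAME" "$1"
}

# Act only when invoked with arguments (as sudo would call it).
if [ "$#" -gt 0 ]; then
    ban_ip "$@"
fi
```

With this in place the opensips account can no longer flush, destroy or edit other sets through sudo, and anything other than a plain IPv4 address is refused with exit status 64.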