<html>
  <head>
    <meta content="text/html; charset=windows-1251"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p><tt>Hi, Denis!</tt></p>
    <p><tt>First of all, thank you for taking the time to gather this
        nice data! Looking at the calls, to me it looks like the module
        behaved as expected. Here are some thoughts:</tt></p>
    <p><tt>- all call durations were under 1500 seconds, while your
        fraud rule is set to 3600 seconds, so it never got triggered.<br>
      </tt></p>
    <p><tt>- the "calls-per-minute" rule worked! Your rule was set to
        max 6 cpm, thus calls #7 - #9 to prefix "810" were considered
        fraudulent (at 01:41), as the caller was starting to exceed this
        quota. The proper critical warnings were raised, calls blocked,
        emails sent.<br>
      </tt></p>
    <p><tt>- the attacker now _learned_ about your 6 cpm limitation and
        _lowered_ his cpm to 3 during the following 10 hours (until
        11:08), thus bypassing the cpm rate limiting, managing to place
        21 fraudulent calls.</tt></p>
    <p><tt>It seems like the 21 successful fraudulent calls between
        03:06 - 11:08 could _maybe_ have been avoided by setting a
        better value for "sequential-calls". This is a bit tricky
        though, as we also don't want to block calls of honest users
        because of false positives.<br>
      </tt></p>
    <p><tt>Regards,<br>
      </tt></p>
    <pre class="moz-signature" cols="72">Liviu Chircu
OpenSIPS Developer
<a class="moz-txt-link-freetext" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a></pre>
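    <p><tt>The three counters discussed in this thread (the 60-second gliding window behind "calls per minute" explained in the quoted 10.11.2016 reply, the "call duration" rule that never fired, and the "total calls" threshold that did), replayed over a call log as a Python simulation. This is an added example, not OpenSIPS module code: only the threshold values come from Denis's fraud_detection table, while the comparison boundaries and the call log are constructed assumptions.</tt></p>

```python
"""Simulation of three fraud_detection counters discussed in the thread:
"calls per minute" over a 60-second gliding window, "call duration" and
"total calls". Added example, not OpenSIPS module code: the comparison
boundaries (>= / >) and the call log are assumptions; only the threshold
values are taken from Denis' fraud_detection table."""
from datetime import datetime, timedelta

# Critical thresholds from the fraud_detection table quoted in the thread.
PROFILE = {"cpm_critical": 6, "call_duration_critical": 3600,
           "total_calls_critical": 30}
WINDOW = timedelta(seconds=60)   # gliding window for "calls per minute"


def evaluate(calls, profile=PROFILE):
    """calls: list of (start, duration_seconds) to one prefix, in time order.
    Returns one verdict per call: None if allowed, else the rule name that
    would raise the critical event. Durations are post-hoc log values; the
    live module only learns them when a call ends."""
    recent = []      # start times still inside the 60 s gliding window
    total = 0        # "total calls"; blocked attempts counted too (assumption)
    verdicts = []
    for start, duration in calls:
        recent = [t for t in recent if start - t < WINDOW]
        recent.append(start)
        total += 1
        if len(recent) > profile["cpm_critical"]:
            verdicts.append("calls per minute")       # assumed: 7th call in 60 s
        elif total >= profile["total_calls_critical"]:
            verdicts.append("total calls")            # assumed: 30th call
        elif duration > profile["call_duration_critical"]:
            verdicts.append("call duration")
        else:
            verdicts.append(None)
    return verdicts


def constructed_log():
    """Constructed call log (not Denis' attachment): a 9-call burst at 01:40,
    then 7 groups of 3 calls (3 cpm) spread until 11:06, 30 calls total,
    every duration under 1500 s."""
    day = datetime(2016, 10, 1)
    burst = [(day + timedelta(hours=1, minutes=40, seconds=5 * i), 900)
             for i in range(9)]
    slow = []
    for g in range(7):
        group_start = day + timedelta(hours=3, minutes=6) + g * timedelta(minutes=80)
        slow += [(group_start + timedelta(seconds=10 * i), 1400) for i in range(3)]
    return burst + slow


def summarize(verdicts):
    """Count calls per verdict, to compare against the emails received."""
    counts = {}
    for v in verdicts:
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    result = evaluate(constructed_log())
    for i, v in enumerate(result, 1):
        print(f"call #{i:2d}: {v or 'allowed'}")
    print(summarize(result))
```

Calls 1 to 6 pass, 7 to 9 trip the cpm rule, the slow groups never do, and only the 30th attempt raises "total calls", which is the gap between the 01:41 and 11:08 emails the thread describes.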
    <div class="moz-cite-prefix">On 11.11.2016 09:38, Denis wrote:<br>
    </div>
    <blockquote cite="mid:216131351.20161111103855@ptl.ru" type="cite">
      <title>Re: [OpenSIPS-Users] Fraud_detection module</title>
      <span style=" font-family:'Times New Roman'; font-size: 12pt;">Hello,
        Liviu!<br>
        <br>
        OK, thank you.<br>
        <br>
        Additionally I will ask you to analyze one case.<br>
        In the attachment you can find a log of calls, which were made by
        one user some time ago (with the number 1234567). It's a fraud.<br>
        Also I attached a piece of opensips.cfg related to fraud
        detection (see script.txt). When a critical event is triggered,
        Opensips sends an email to some address (see script.txt).<br>
        <br>
        As you can see in the call log, the fraud began at 01:40 2016-10-01.
        The value "fraud_detected" of the field "sip_reason" means that
        fraud_module detected the fraud and the call was discarded by
        script logging (see script.txt).<br>
        The first email about that I received at 01:41 with fraud param
        "calls per minute".<br>
        The next email I received only at 11:08 with fraud param "total
        calls".<br>
        <br>
        Between these two time stamps I have no emails about fraud, and
        as you can see from the call log, there were many successful
        calls in this period with "big" duration.<br>
        <br>
        Fraud_detection table had such content:<br>
        profileid = 1<br>
        prefix = 810<br>
        start_hour = 00:00<br>
        end_hour = 23:59<br>
        daysoftheweek = Mon-Sun<br>
        cpm_critical = 6<br>
        call_duration_critical = 3600<br>
        total_calls_critical = 30<br>
        concurrent_calls_critical = 30<br>
        sequential_calls_critical = 5000<br>
        <br>
        The question is:<br>
        - Why didn't the module detect fraud based on "call duration"?<br>
        <br>
        Thank you.<br>
        <br>
      </span><a moz-do-not-send="true" style=" font-family:'arial';
        font-size: 10pt;" href="mailto:denis7979@mail.ru">mailto:denis7979@mail.ru</a><br>
      <br>
      <table bgcolor="#ffffff">
        <tbody>
          <tr>
            <td bgcolor="#0000ff" width="2"><br>
            </td>
            <td><span style=" font-family:'courier new'; font-size:
                12pt;">Upon looking through the source code, it seems
                that calls_per_min / total_calls / concurrent_calls are
                also reset to 0 every time a new rule is matched, or if
                the day has changed since we last matched the current
                rule.<br>
                I will make sure this info ^ is more easily accessible:
                either in a new tutorial section or the module doc.<br>
                Regards,<br>
                Liviu Chircu<br>
                OpenSIPS Developer<br>
              </span><a moz-do-not-send="true" style="
                font-family:'courier new'; font-size: 12pt;"
                href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a><br>
              <span style=" font-family:'times new roman'; font-size:
                12pt;">On 10.11.2016 16:29, Denis wrote:<br>
              </span>
              <table>
                <tbody>
                  <tr>
                    <td bgcolor="#3200ff" width="2"><br>
                    </td>
                    <td><span style=" font-family:'times new roman';
                        font-size: 12pt;">Re: [OpenSIPS-Users]
                        Fraud_detection module <br>
                      </span>
                      <table>
                        <tbody>
                          <tr>
                            <td bgcolor="#0000ff" width="2"><br>
                            </td>
                            <td><span style=" font-family:'times new
                                roman'; font-size: 12pt;">Hello, Liviu!<br>
                                <br>
                                Thank you for your answer.<br>
                                <br>
                                About 2)<br>
                                <br>
                                "Calls per minute" - OK, but what about
                                other parameters?<br>
                                For example, "total calls"?<br>
                                Suppose we have 09:00 - 17:00, Mon-Fri,
                                and "total calls" = 30.<br>
                                If on Mon the user makes 25 calls, on Tue
                                from 09:00 does the count of "total calls"
                                begin from 0 or 25?<br>
                                <br>
                              </span><a moz-do-not-send="true" style="
                                font-family:'arial'; font-size: 10pt;"
                                href="mailto:d.putyato@ptl.ru">mailto:denis7979@mail.ru</a><br>
                              <br>
                              <table bgcolor="#ffffff">
                                <tbody>
                                  <tr>
                                    <td bgcolor="#0000ff" width="2"><br>
                                    </td>
                                    <td><span style="
                                        font-family:'courier new';
                                        font-size: 12pt;">Hi, Denis!<br>
                                        Answers below.<br>
                                        Regards,<br>
                                        Liviu Chircu<br>
                                        OpenSIPS Developer<br>
                                      </span><a moz-do-not-send="true"
                                        style=" font-family:'courier
                                        new'; font-size: 12pt;"
                                        href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a><br>
                                      <span style=" font-family:'times
                                        new roman'; font-size: 12pt;">On
                                        10.11.2016 15:18, Denis wrote:<br>
                                      </span>
                                      <table>
                                        <tbody>
                                          <tr>
                                            <td bgcolor="#3200ff"
                                              width="2"><br>
                                            </td>
                                            <td><span style="
                                                font-family:'times new
                                                roman'; font-size:
                                                12pt;">Re:
                                                Fraud_detection module <br>
                                              </span>
                                              <table>
                                                <tbody>
                                                  <tr>
                                                    <td
                                                      bgcolor="#0000ff"
                                                      width="2"><br>
                                                    </td>
                                                    <td><span style="
                                                        font-family:'times new roman';
                                                        font-size: 12pt;">Hello!<br>
                                                        <br>
                                                        Opensips 2.2.1<br>
                                                        <br>
                                                        A couple of questions about
                                                        fraud_detection:<br>
                                                        <br>
                                                        1) The documentation
                                                        says "<span style="font-size: 10pt; color: #666666;"><b>consecutive
                                                          calls</b> to the same
                                                          destination<span style="font-size: 12pt; color: #000000;">".
                                                          Same destination =
                                                          same number, or prefix?</span></span></span></td>
                                                  </tr>
                                                </tbody>
                                              </table>
                                            </td>
                                          </tr>
                                        </tbody>
                                      </table>
                                      <span style=" font-family:'courier
                                        new'; font-size: 12pt;">Same
                                        prefix, taken from the fraud
                                        detection rule <br>
                                      </span>
                                      <table>
                                        <tbody>
                                          <tr>
                                            <td bgcolor="#6400ff"
                                              width="2"><br>
                                            </td>
                                            <td>
                                              <table>
                                                <tbody>
                                                  <tr>
                                                    <td><span style="
                                                        font-family:'times new roman';
                                                        font-size: 12pt;">2) At the
                                                        beginning of the next period,
                                                        do the counts of events
                                                        begin from 0?</span></td>
                                                  </tr>
                                                </tbody>
                                              </table>
                                            </td>
                                          </tr>
                                        </tbody>
                                      </table>
                                      <span style=" font-family:'courier
                                        new'; font-size: 12pt;">The
                                        module uses a gliding window of
                                        60 seconds, in order to keep
                                        track of "calls per minute".
                                        When changing time intervals,
                                        hence putting new thresholds in
                                        place, the "calls per minute"
                                        will not reset. In other words,
                                        when switching intervals, the
                                        new "calls per minute"
                                        thresholds will initially work
                                        with calls placed during the
                                        last minute when the old
                                        thresholds were in place. <br>
                                      </span>
                                      <table>
                                        <tbody>
                                          <tr>
                                            <td bgcolor="#9600ff"
                                              width="2"><br>
                                            </td>
                                            <td>
                                              <table>
                                                <tbody>
                                                  <tr>
                                                    <td><span style="
                                                        font-family:'times new roman';
                                                        font-size: 12pt;">3) Is there
                                                        any method to reset the counts
                                                        of events for a certain
                                                        user?</span></td>
                                                  </tr>
                                                </tbody>
                                              </table>
                                            </td>
                                          </tr>
                                        </tbody>
                                      </table>
                                      <span style=" font-family:'times
                                        new roman'; font-size: 12pt;">Currently
                                        there is no way of doing this.<br>
                                        <br>
                                      </span>
                                      <table>
                                        <tbody>
                                          <tr>
                                            <td bgcolor="#c800ff"
                                              width="2"><br>
                                            </td>
                                            <td>
                                              <table>
                                                <tbody>
                                                  <tr>
                                                    <td><span style="
                                                        font-family:'times new roman';
                                                        font-size: 12pt;">4) What is
                                                        the value used to calculate
                                                        duration in fraud_module,
                                                        minutes or seconds?</span></td>
                                                  </tr>
                                                </tbody>
                                              </table>
                                            </td>
                                          </tr>
                                        </tbody>
                                      </table>
                                      <span style=" font-family:'times
                                        new roman'; font-size: 12pt;">It
                                        should be "seconds", I will fix
                                        the misleading example in the
                                        tutorial. <br>
                                      </span>
                                      <table>
                                        <tbody>
                                          <tr>
                                            <td bgcolor="#fa00ff"
                                              width="2"><br>
                                            </td>
                                            <td><span style="
                                                font-family:'times new
                                                roman'; font-size:
                                                12pt;">______________________________________________
                                                <br>
                                                <span style="
                                                  font-family:'courier
                                                  new';">Users mailing
                                                  list<br>
                                                </span></span><a
                                                moz-do-not-send="true"
                                                style="
                                                font-family:'courier
                                                new'; font-size: 12pt;"
href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
                                              <a moz-do-not-send="true"
                                                style="
                                                font-family:'courier
                                                new'; font-size: 12pt;"
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></td>
                                          </tr>
                                        </tbody>
                                      </table>
                                    </td>
                                  </tr>
                                </tbody>
                              </table>
                            </td>
                          </tr>
                        </tbody>
                      </table>
                    </td>
                  </tr>
                </tbody>
              </table>
            </td>
          </tr>
        </tbody>
      </table>
    </blockquote>
    <br>
  </body>
</html>