<div>Hmmm.... it is interesting hypothesis. About time.</div><div>I tried to check it directly.</div><div> </div><div>Now we have 04/04/2018</div><div> </div><div>I made a test call and time answer was "Ср апр 4 14:45:37 MSK 2018" from unix shell command 'date', where</div><div> </div><div>апр - april</div><div>Ср - Wednesday</div><div>4 - 4 april</div><div>14:45:37 - time</div><div>MSK 2018 - timezone and a year.</div><div> </div><div>So in acc i see this call</div><div><div> </div><div> id: 118143392</div><div> method: INVITE</div><div> from_tag: Q5UF9FmQrryQS</div><div> to_tag: ds-23044c48-569045bb2e17b</div><div> callid: a8754f5a-37fd-11e8-841c-e99d78f36020</div><div> sip_code: 200</div><div> sip_reason: Ok</div><div> time: 2018-04-04 14:45:33</div><div> src_in: 111111</div><div> src_user: 111111</div><div> src_domain: 1.1.1.1</div><div> src_out: 111111</div><div> dst_in: 22222</div><div> dst_user: 22222</div><div> dst_out: 22222</div><div> dst_domain: 2.2.2.2</div><div> duration: 3</div><div>ms_duration: 2517</div><div> setuptime: 11</div><div> created: 2018-04-04 14:45:22</div></div><div> </div><div>I.e. time from acc and time from unix shell command are the same.</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>04.04.2018, 14:16, "Liviu Chircu" <liviu@opensips.org>:</div><blockquote type="cite"><div bgcolor="#FFFFFF"><p>Hi Denis,</p><p>Some interesting data! Here's some analysis:</p><p>1) First we have this detection suite:</p><table style="background-color:#ffffff;border-collapse:collapse;border-spacing:0px;color:#000000;font-family:yandex-sans;font-size:15px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:left;text-transform:none;white-space:normal;"><tbody><tr style="height:12.75pt;"><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">4/2/18 0:12</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;"><span>270675427</span>b234658</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">X.X.X.X</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;"><span>1111111111</span></td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;"><span>8102463894929</span></td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">Fraud_detectead</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">0</td></tr></tbody></table><p>This is due to the "cpm" throttling (> 5 cpm within the last 2 minutes) hitting. Once he makes a pause until 0:15, he is able to place more calls.</p><p>2) Next, another detection:</p><table style="background-color:#ffffff;border-collapse:collapse;border-spacing:0px;color:#000000;font-family:yandex-sans;font-size:15px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:left;text-transform:none;white-space:normal;"><tbody><tr style="height:12.75pt;"><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">4/2/18 0:22</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">2d37337b576cdf52</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">X.X.X.X</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;"><span>1111111111</span></td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;"><span>810213550011711</span></td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">Fraud_detectead</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">0</td></tr></tbody></table><p>This time it's due to the "total calls" hitting, since he had placed 29 calls, and the 30th one hits the "critical" threshold.</p><p>3) He seems to be able to place another call 3 hours later:</p><table style="background-color:#ffffff;border-collapse:collapse;border-spacing:0px;color:#000000;font-family:yandex-sans;font-size:15px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:left;text-transform:none;white-space:normal;"><tbody><tr style="height:12.75pt;"><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">4/2/18 3:20</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">20580b68fb2d185b</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">X.X.X.X</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;"><span>1111111111</span></td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;"><span>810355692075970</span></td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">OK</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">780</td></tr></tbody></table><p>and another 28 calls within the next 5 hours, before finally getting blocked again:</p><table style="background-color:#ffffff;border-collapse:collapse;border-spacing:0px;color:#000000;font-family:yandex-sans;font-size:15px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:left;text-transform:none;white-space:normal;"><tbody><tr style="height:12.75pt;"><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">4/2/18 8:32</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">5f3aa44b6451bd4c</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">X.X.X.X</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;"><span>1111111111</span></td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;"><span>810355692075972</span></td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">Fraud_detectead</td><td style="border:thin solid silver;white-space:pre-wrap;text-align:left;background-color:white;color:black;font-size:8pt;">0</td></tr></tbody></table><p>So the "total calls" limit is hitting again, which is good.</p><p>The question is: why did the "total calls" reset for this guy? One possible answer could be timezone-related. I'm not sure whether the "0:22" from the CDR correlates with the local OpenSIPS machine time. Remember that OpenSIPS resets all stats if it detects a "new day" or a "new interval". IMO, the day change is the most likely cause of this behavior.</p><p>Let me know if the above clears your questions. Also, one of your SIP statuses has a typo: "<span style="background-color:#ffffff;color:#000000;display:inline !important;float:none;font-family:yandex-sans;font-size:10.6667px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:left;text-transform:none;white-space:pre-wrap;">Fraud_detectead".</span></p><p>Cheers,</p><pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/">http://www.opensips-solutions.com</a></pre><div>On 04.04.2018 14:00, Denis via Users wrote:</div><blockquote type="cite" cite="mid:446851522839606@web54g.yandex.ru"><div>Liviu, and another interesting case.</div><div>Here, <span style="background-color:#ffffff;color:#000000;display:inline !important;float:none;font-family:yandex-sans,arial,sans-serif;font-size:15.0016px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:start;text-transform:none;white-space:normal;"><a href="https://yadi.sk/i/-vRrJXtz3U5m2Z">https://yadi.sk/i/-vRrJXtz3U5m2Z</a>, you can find cdr of the fraud case.</span></div><div><span style="background-color:#ffffff;color:#000000;display:inline !important;float:none;font-family:yandex-sans,arial,sans-serif;font-size:15.0016px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:start;text-transform:none;white-space:normal;">In the table:</span></div><div><span style="background-color:#ffffff;color:#000000;display:inline !important;float:none;font-family:yandex-sans,arial,sans-serif;font-size:15.0016px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:start;text-transform:none;white-space:normal;">time - time of the call</span></div><div><span style="background-color:#ffffff;color:#000000;display:inline !important;float:none;font-family:yandex-sans,arial,sans-serif;font-size:15.0016px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:start;text-transform:none;white-space:normal;">callid - sip callid</span></div><div><span style="background-color:#ffffff;color:#000000;display:inline !important;float:none;font-family:yandex-sans,arial,sans-serif;font-size:15.0016px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:start;text-transform:none;white-space:normal;">src_domain - source ip</span></div><div><span style="background-color:#ffffff;color:#000000;display:inline !important;float:none;font-family:yandex-sans,arial,sans-serif;font-size:15.0016px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:start;text-transform:none;white-space:normal;">src_user - caller (from one number)</span></div><div><span style="background-color:#ffffff;color:#000000;display:inline !important;float:none;font-family:yandex-sans,arial,sans-serif;font-size:15.0016px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:start;text-transform:none;white-space:normal;">dst_user - callee</span></div><div><span style="background-color:#ffffff;color:#000000;display:inline !important;float:none;font-family:yandex-sans,arial,sans-serif;font-size:15.0016px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:start;text-transform:none;white-space:normal;">sip_reason and duration - column from acc table.</span></div><div> </div><div><span style="background-color:#ffffff;color:#000000;display:inline !important;float:none;font-family:yandex-sans,arial,sans-serif;font-size:15.0016px;font-style:normal;font-variant-caps:normal;font-variant-ligatures:normal;font-weight:400;text-align:start;text-transform:none;white-space:normal;">Several sip callid with the same value deal with serial forking.</span></div><div> </div><div><font face="yandex-sans, arial, sans-serif"><span style="font-size:15.0016px;white-space:normal;">So, sip_reason "fraud_detected" means that fraud module detected bad calls.</span></font></div><div>Why do we have a situation when after fraud detected there are successful bad calls?</div><div> </div><div>Fraud profile is the same as mentioned early.</div><div> </div><div>Thank you.</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>03.04.2018, 18:28, "Liviu Chircu" <a href="mailto:liviu@opensips.org"><liviu@opensips.org></a>:</div><blockquote type="cite"><div bgcolor="#FFFFFF"><p>Hmmm... indeed, the "sequential calls" only reset if you dial a different number.</p><p>If the other stats reset at midnight/interval change, I don't see why this specific one should be different. To me, it looks like a bug. Do you agree?</p><pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/">http://www.opensips-solutions.com</a></pre><div>On 03.04.2018 16:49, Denis via Users wrote:</div><blockquote type="cite" cite="mid:1940771522763382@web15g.yandex.ru"><div>Hello Liviu!</div><div> </div><div>I am sorry, i totally missed one important thing - serial forking)))</div><div>I.e. i had 52 records in accounting, but several of them leads to one call.</div><div>As a result i had exactly 29 calls before fraud module became block subsequent calls.</div><div> </div><div>About counters reset i understood. Thank you.</div><div> </div><div>The last question about "sequential_calls". This counter does not reset? Even in manual mode?</div><div> </div><div>Thank you.</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>03.04.2018, 15:30, "Liviu Chircu" <a href="mailto:liviu@opensips.org"><liviu@opensips.org></a>:</div><blockquote type="cite"><div bgcolor="#FFFFFF"><p>Hi Denis,</p><p>Regarding the "52 calls" vs. 25/30 limits, are you sure all 52 calls were made by the same user? Keep in mind that all fraud_detection module stats are per-user counters, and not global counters. If they really were all made by the same user, please let me know and I will double-check my tests.</p><p>The "cpm", "total_calls" and "concurrent_calls" reset either on an interval change or at midnight (new day ahead). This leads to a possible undetected abuse of up to 2x your provisioned "cpm", "total_calls" or "concurrent_calls", if the malicious user places "limit - 1" events before the reset, followed by another "limit - 1" events past the reset. If this is too much for you, then your provisioned limits (thresholds) are incorrect, and you should simply cut them in half.</p><p>Best regards,</p><pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/">http://www.opensips-solutions.com</a></pre><div>On 22.03.2018 09:59, Denis via Users wrote:</div><blockquote type="cite" cite="mid:181311521705588@web5g.yandex.ru"><div>Hello!</div><div> </div><div>Is there any idea about the problem?</div><div> </div><div>Thank you.</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div><div> </div><div> </div><div>16.03.2018, 15:22, "Denis via Users" <a href="mailto:users@lists.opensips.org"><users@lists.opensips.org></a>:</div><blockquote type="cite"><div>Hello!</div><div> </div><div>I am sorry that it was early, but anyway.</div><div> </div><div>Server:: OpenSIPS (2.2.5 (x86_64/linux))</div><div> </div><div>Fraud_module has been activated.</div><div> </div><div>Profile data</div><div> </div><div><img src="cid:part6.2C075D81.A09D7ABE@opensips.org" /></div><div> </div><div>17.02.18 20:55 Opensips received first fraud call.</div><div>And before Opensips detected fraud there were 52 yet calls to 810 prefix.</div><div> </div><div>First question is why it didn`t detected fraud early (dialing with total_calls, for example)?</div><div> </div><div>Then.</div><div> </div><div>Till the end of 17.02 Opensips blocked the calls from client to 810, but in 18.02 i can see success fraud calls to 810 from the client again.</div><div> </div><div>Second question is why? Opensips resets count every new day?</div><div> </div><div>Thank you.</div><div> </div><div>-- </div><div>С уважением, Денис.</div><div>Best regards, Denis</div><div> </div><div> </div><div> </div>,<p>_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote> <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre></blockquote></div>,<p>_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote> <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre></blockquote></div>,<p>_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote> <pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre></blockquote></div>,<p>_______________________________________________<br />Users mailing list<br /><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br /><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p></blockquote>