<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><tt>Hi Denis,</tt></p>
<p><tt>Some interesting data! Here's some analysis:<br>
</tt></p>
<p><tt>1) First we have this detection suite:</tt></p>
<table class="t1" style="border-collapse: collapse;">
<tbody>
<tr class="r1">
<th style="border: thin solid silver;">time</th>
<th style="border: thin solid silver;">callid</th>
<th style="border: thin solid silver;">src_domain</th>
<th style="border: thin solid silver;">src_user</th>
<th style="border: thin solid silver;">dst_user</th>
<th style="border: thin solid silver;">sip_reason</th>
<th style="border: thin solid silver;">duration</th>
</tr>
<tr class="r1">
<td class="c2" style="border: thin solid silver;">4/2/18 0:12</td>
<td class="c2" style="border: thin solid silver;">270675427b234658</td>
<td class="c2" style="border: thin solid silver;"><tt>X.X.X.X</tt></td>
<td class="c2" style="border: thin solid silver;">1111111111</td>
<td class="c2" style="border: thin solid silver;">8102463894929</td>
<td class="c2" style="border: thin solid silver;">Fraud_detectead</td>
<td class="c2" style="border: thin solid silver;">0</td>
</tr>
</tbody>
</table>
<p><tt>This is due to the "cpm" throttling (&gt; 5 cpm within the
last 2 minutes) hitting. Once he pauses until 0:15, he is
able to place more calls.</tt></p>
<p><tt>2) Next, another detection:<br>
</tt></p>
<table class="t1" style="border-collapse: collapse;">
<tbody>
<tr class="r1">
<th style="border: thin solid silver;">time</th>
<th style="border: thin solid silver;">callid</th>
<th style="border: thin solid silver;">src_domain</th>
<th style="border: thin solid silver;">src_user</th>
<th style="border: thin solid silver;">dst_user</th>
<th style="border: thin solid silver;">sip_reason</th>
<th style="border: thin solid silver;">duration</th>
</tr>
<tr class="r1">
<td class="c2" style="border: thin solid silver;">4/2/18 0:22</td>
<td class="c2" style="border: thin solid silver;">2d37337b576cdf52</td>
<td class="c2" style="border: thin solid silver;"><tt>X.X.X.X</tt></td>
<td class="c2" style="border: thin solid silver;">1111111111</td>
<td class="c2" style="border: thin solid silver;">810213550011711</td>
<td class="c2" style="border: thin solid silver;">Fraud_detectead</td>
<td class="c2" style="border: thin solid silver;">0</td>
</tr>
</tbody>
</table>
<p><tt>This time it's due to the "total calls" hitting, since he had
placed 29 calls, and the 30th one hits the "critical" threshold.<br>
</tt></p>
<p><tt>3) He seems to be able to place another call 3 hours later:</tt></p>
<table class="t1" style="border-collapse: collapse;">
<tbody>
<tr class="r1">
<th style="border: thin solid silver;">time</th>
<th style="border: thin solid silver;">callid</th>
<th style="border: thin solid silver;">src_domain</th>
<th style="border: thin solid silver;">src_user</th>
<th style="border: thin solid silver;">dst_user</th>
<th style="border: thin solid silver;">sip_reason</th>
<th style="border: thin solid silver;">duration</th>
</tr>
<tr class="r1">
<td class="c2" style="border: thin solid silver;">4/2/18 3:20</td>
<td class="c2" style="border: thin solid silver;">20580b68fb2d185b</td>
<td class="c2" style="border: thin solid silver;"><tt>X.X.X.X</tt></td>
<td class="c2" style="border: thin solid silver;">1111111111</td>
<td class="c2" style="border: thin solid silver;">810355692075970</td>
<td class="c2" style="border: thin solid silver;">OK</td>
<td class="c2" style="border: thin solid silver;">780</td>
</tr>
</tbody>
</table>
<p><tt>and another 28 calls within the next 5 hours, before finally
getting blocked again:</tt></p>
<table class="t1" style="border-collapse: collapse;">
<tbody>
<tr class="r1">
<th style="border: thin solid silver;">time</th>
<th style="border: thin solid silver;">callid</th>
<th style="border: thin solid silver;">src_domain</th>
<th style="border: thin solid silver;">src_user</th>
<th style="border: thin solid silver;">dst_user</th>
<th style="border: thin solid silver;">sip_reason</th>
<th style="border: thin solid silver;">duration</th>
</tr>
<tr class="r1">
<td class="c2" style="border: thin solid silver;">4/2/18 8:32</td>
<td class="c2" style="border: thin solid silver;">5f3aa44b6451bd4c</td>
<td class="c2" style="border: thin solid silver;"><tt>X.X.X.X</tt></td>
<td class="c2" style="border: thin solid silver;">1111111111</td>
<td class="c2" style="border: thin solid silver;">810355692075972</td>
<td class="c2" style="border: thin solid silver;">Fraud_detectead</td>
<td class="c2" style="border: thin solid silver;">0</td>
</tr>
</tbody>
</table>
<p><tt>So the "total calls" limit is hitting again, which is good.</tt></p>
<p><tt>The question is: why did the "total calls" reset for this guy?
One possible answer could be timezone-related. I'm not sure
whether the "0:22" from the CDR correlates with the local OpenSIPS
machine time. Remember that OpenSIPS resets all stats if it
detects a "new day" or a "new interval". IMO, the day change is
the most likely cause of this behavior.<br>
</tt></p>
<p><tt>Let me know if the above clears up your questions. Also, one of
your SIP statuses has a typo: "Fraud_detectead".</tt></p>
<p><tt>Cheers,<br>
</tt></p>
<pre class="moz-signature" cols="72">Liviu Chircu
OpenSIPS Developer
<a class="moz-txt-link-freetext" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a></pre>
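<p><tt>Added example (not OpenSIPS code and not part of the original thread): a small Python model of a per-user "total_calls" counter that resets on a "new day" / "new interval", as described above, replayed over a constructed CDR. It reproduces the 29-OK / 30th-blocked pattern, counts serial-forking rows with the same Call-ID once, and shows the "limit - 1 before the reset, limit - 1 after" exposure Liviu describes further down the thread, with a sliding window for comparison. The threshold of 30, the midnight interval, the user number and the CDR rows are constructed values.</tt></p>

```python
"""Per-user call counters that reset on a fixed interval boundary (the "new day" /
"new interval" reset described for total_calls). Added example, not OpenSIPS code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
TOTAL_CALLS_CRITICAL = 30      # constructed: 29 calls pass, the 30th is blocked
INTERVAL = timedelta(days=1)   # reset boundary: midnight, as in the thread

def interval_start(ts, interval=INTERVAL):
    """Floor a timestamp to the start of its interval (midnight for 1 day)."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // interval) * interval

def fixed_window_replay(calls, limit=TOTAL_CALLS_CRITICAL, interval=INTERVAL):
    """Replay (ts, user, callid) rows through a counter zeroed on interval change.
    Rows sharing a Call-ID (serial forking) count once. Returns (callid, verdict)."""
    count, window, seen, out = defaultdict(int), {}, set(), []
    for ts, user, callid in calls:
        if callid in seen:
            continue                      # serial fork of a call already counted
        seen.add(callid)
        start = interval_start(ts, interval)
        if window.get(user) != start:     # new interval: stats reset to zero
            window[user], count[user] = start, 0
        count[user] += 1
        out.append((callid, "OK" if count[user] < limit else "Fraud_detected"))
    return out

def sliding_window_replay(calls, limit=TOTAL_CALLS_CRITICAL, interval=INTERVAL):
    """Same decisions with a sliding window: nothing resets, the counter only
    forgets calls older than `interval`."""
    recent, seen, out = defaultdict(deque), set(), []
    for ts, user, callid in calls:
        if callid in seen:
            continue
        seen.add(callid)
        q = recent[user]
        while q and q[0] <= ts - interval:
            q.popleft()                   # expire calls outside the window
        q.append(ts)
        out.append((callid, "OK" if len(q) < limit else "Fraud_detected"))
    return out

def abuse_scenario(limit=TOTAL_CALLS_CRITICAL):
    """Constructed CDR: limit-1 calls in the half hour before midnight, then
    limit-1 right after it (the pattern the thread says can yield 2x)."""
    midnight = datetime(2018, 4, 2)
    pre = [(midnight - timedelta(minutes=30) + timedelta(seconds=i), "1111111111",
            f"pre{i:02d}") for i in range(limit - 1)]
    post = [(midnight + timedelta(seconds=i), "1111111111", f"post{i:02d}")
            for i in range(limit - 1)]
    return pre + post

def admitted(decisions):
    return sum(1 for _, verdict in decisions if verdict == "OK")

if __name__ == "__main__":
    calls = abuse_scenario()
    print("fixed window admits:  ", admitted(fixed_window_replay(calls)))     # 58
    print("sliding window admits:", admitted(sliding_window_replay(calls)))   # 29
    print("fixed, halved limit:  ", admitted(fixed_window_replay(calls, 15))) # 28
```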
<div class="moz-cite-prefix">On 04.04.2018 14:00, Denis via Users
wrote:<br>
</div>
<blockquote type="cite" cite="mid:446851522839606@web54g.yandex.ru">
<div>Liviu, and another interesting case.</div>
<div>Here, <a href="https://yadi.sk/i/-vRrJXtz3U5m2Z" moz-do-not-send="true">https://yadi.sk/i/-vRrJXtz3U5m2Z</a>, you can find the CDR of the fraud case.</div>
<div>In the table:</div>
<div>time - time of the call</div>
<div>callid - SIP callid</div>
<div>src_domain - source IP</div>
<div>src_user - caller (from one number)</div>
<div>dst_user - callee</div>
<div>sip_reason and duration - columns from the acc table.</div>
<div> </div>
<div>Several SIP callids with the same value deal with serial forking.</div>
<div> </div>
<div>So, sip_reason "fraud_detected" means that the fraud module detected bad calls.</div>
<div>Why do we have a situation where, after fraud is detected, there
are successful bad calls?</div>
<div> </div>
<div>The fraud profile is the same as mentioned earlier.</div>
<div> </div>
<div>Thank you.</div>
<div> </div>
<div>-- </div>
<div>Best regards, Denis</div>
<div>03.04.2018, 18:28, "Liviu Chircu" <a class="moz-txt-link-rfc2396E" href="mailto:liviu@opensips.org"><liviu@opensips.org></a>:</div>
<blockquote type="cite">
<div bgcolor="#FFFFFF">
<p>Hmmm... indeed, the "sequential calls" only reset if you
dial a different number.</p>
<p>If the other stats reset at midnight/interval change, I
don't see why this specific one should be different. To me,
it looks like a bug. Do you agree?</p>
<pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/" moz-do-not-send="true">http://www.opensips-solutions.com</a></pre>
<div>On 03.04.2018 16:49, Denis via Users wrote:</div>
<blockquote type="cite"
cite="mid:1940771522763382@web15g.yandex.ru">
<div>Hello Liviu!</div>
<div> </div>
<div>I am sorry, I totally missed one important thing -
serial forking)))</div>
<div>I.e. I had 52 records in accounting, but several of
them lead to one call.</div>
<div>As a result I had exactly 29 calls before the fraud module
began to block subsequent calls.</div>
<div> </div>
<div>About the counter resets, I understood. Thank you.</div>
<div> </div>
<div>The last question about "sequential_calls". This
counter does not reset? Even in manual mode?</div>
<div> </div>
<div>Thank you.</div>
<div> </div>
<div>-- </div>
<div>Best regards, Denis</div>
<div>03.04.2018, 15:30, "Liviu Chircu" <a
href="mailto:liviu@opensips.org" moz-do-not-send="true"><liviu@opensips.org></a>:</div>
<blockquote type="cite">
<div bgcolor="#FFFFFF">
<p>Hi Denis,</p>
<p>Regarding the "52 calls" vs. 25/30 limits, are you
sure all 52 calls were made by the same user? Keep in
mind that all fraud_detection module stats are
per-user counters, and not global counters. If they
really were all made by the same user, please let me
know and I will double-check my tests.</p>
<p>The "cpm", "total_calls" and "concurrent_calls" reset
either on an interval change or at midnight (new day
ahead). This leads to a possible undetected abuse of
up to 2x your provisioned "cpm", "total_calls" or
"concurrent_calls", if the malicious user places
"limit - 1" events before the reset, followed by
another "limit - 1" events past the reset. If this is
too much for you, then your provisioned limits
(thresholds) are incorrect, and you should simply cut
them in half.</p>
<p>Best regards,</p>
<pre>Liviu Chircu
OpenSIPS Developer
<a href="http://www.opensips-solutions.com/" moz-do-not-send="true">http://www.opensips-solutions.com</a></pre>
<div>On 22.03.2018 09:59, Denis via Users wrote:</div>
<blockquote type="cite"
cite="mid:181311521705588@web5g.yandex.ru">
<div>Hello!</div>
<div> </div>
<div>Is there any idea about the problem?</div>
<div> </div>
<div>Thank you.</div>
<div> </div>
<div>-- </div>
<div>Best regards, Denis</div>
<div>16.03.2018, 15:22, "Denis via Users" <a
href="mailto:users@lists.opensips.org"
moz-do-not-send="true"><users@lists.opensips.org></a>:</div>
<blockquote type="cite">
<div>Hello!</div>
<div> </div>
<div>I am sorry that it was early, but anyway.</div>
<div> </div>
<div>Server: OpenSIPS (2.2.5 (x86_64/linux))</div>
<div> </div>
<div>Fraud_module has been activated.</div>
<div> </div>
<div>Profile data</div>
<div> </div>
<div>[inline image of the fraud profile data; not included]</div>
<div> </div>
<div>On 17.02.18 at 20:55 OpenSIPS received the first fraud
call.</div>
<div>And before OpenSIPS detected fraud there were already
52 calls to the 810 prefix.</div>
<div> </div>
<div>The first question is why it didn't detect fraud
earlier (dialing with total_calls, for example)?</div>
<div> </div>
<div>Then.</div>
<div> </div>
<div>Until the end of 17.02 OpenSIPS blocked the
calls from the client to 810, but on 18.02 I can see
successful fraud calls to 810 from the client again.</div>
<div> </div>
<div>The second question is why? Does OpenSIPS reset the count
every new day?</div>
<div> </div>
<div>Thank you.</div>
<div> </div>
<div>-- </div>
<div>Best regards, Denis</div>
<p>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org"
moz-do-not-send="true">Users@lists.opensips.org</a><br>
<a
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p>
</blockquote>
</blockquote>
</div>
</blockquote>
</blockquote>
</div>
</blockquote>
</blockquote>
<br>
</body>
</html>