[asterisk-dev] Rate limiting traffic to address potential DoS issues?
Andrew Kohlsmith
akohlsmith-asterisk at benshaw.com
Sat Oct 7 09:52:34 MST 2006
On Saturday 07 October 2006 11:28, Rich Adamson wrote:
> I'd suggest making two important tunable parameters accessible from some
> conf file though;
> 1. number of improper/bogus signaling packet threshold
> 2. amount of time before clearing the table
> Something like... after 10 bogus attempts, add the IP address in the
> table and stop responding. Then after 60 seconds, clear that IP address
> from the table (and start over).
I'd add one more tunable parameter: improper/bogus signaling packet count
expire time. i.e. if you have the limit set to 10 bogus packets in 30s, it
would trip off, but if 9 were received in 30 seconds and at the 32nd second a
10th would come in, the 1st of the 9 would have "aged out", and thus you'd
still be at 9 packets.
I thought of %age too, but you'd still need to keep track of the time the
bogus packet came in so it'd be *additional* code.
I'm thinking specifically about "sort of" broken clients being improperly (and
regularly) ignored due to too simplistic an algorithm. SIP's an enormous
protocol and Asterisk needs to deal with half-assed peers *all* the time.
> Obviously, it would be nice to see some sort of log entry that indicated
> the above action was taken.
TOTALLY. At a minimum: "received bogus packet from a.b.c.d, count=x,
threshold=y", "too many bogus packets from a.b.c.d, ignoring for x seconds",
and "no longer ignoring peer a.b.c.d"...
-A.
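The scheme sketched above (threshold, ignore period, and the per-packet "age out" time Andrew adds) is a sliding-window limiter keyed by peer address. The C below is an added illustration written for this page, not Asterisk code or anything from the thread: the struct and rl_* names are invented, the table is a fixed array with no eviction (an assumption; a real channel driver would hash by address and bound memory), and the peer addresses are constructed sample values. It reproduces the post's own numbers: with a limit of 10 in 30 seconds, nine bogus packets followed by a tenth at second 32 leaves the count at 9 because the first packet has aged out, while ten inside the window trips the limiter for the configured 60 seconds and logs the three messages Andrew asks for.

```c
/* Sliding-window bogus-packet limiter, added example (not Asterisk code). */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define RL_MAX_PEERS  64   /* assumption: fixed table, no eviction */
#define RL_MAX_EVENTS 32   /* timestamps kept per peer; caps the threshold */

struct rl_peer {
    char addr[46];                 /* textual IPv4/IPv6 address */
    time_t events[RL_MAX_EVENTS];  /* arrival times of bogus packets in window */
    int nevents;
    time_t ignore_until;           /* 0 when the peer is not being ignored */
};

struct ratelimit {
    int threshold;    /* tunable 1: bogus packets that trip the limiter */
    int ignore_time;  /* tunable 2: seconds to ignore a tripped peer */
    int window;       /* tunable 3: seconds until a bogus packet ages out */
    struct rl_peer peers[RL_MAX_PEERS];
    int npeers;
};

void rl_init(struct ratelimit *rl, int threshold, int window, int ignore_time)
{
    memset(rl, 0, sizeof(*rl));
    rl->threshold = threshold > RL_MAX_EVENTS ? RL_MAX_EVENTS : threshold;
    rl->window = window;
    rl->ignore_time = ignore_time;
}

static struct rl_peer *rl_lookup(struct ratelimit *rl, const char *addr, int create)
{
    struct rl_peer *p;
    int i;
    for (i = 0; i < rl->npeers; i++)
        if (strcmp(rl->peers[i].addr, addr) == 0)
            return &rl->peers[i];
    if (!create || rl->npeers == RL_MAX_PEERS)
        return NULL;
    p = &rl->peers[rl->npeers++];
    memset(p, 0, sizeof(*p));
    strncpy(p->addr, addr, sizeof(p->addr) - 1);
    return p;
}

/* Drop timestamps that are 'window' seconds old or older. */
static void rl_age_out(struct ratelimit *rl, struct rl_peer *p, time_t now)
{
    int i, kept = 0;
    for (i = 0; i < p->nevents; i++)
        if (now - p->events[i] < rl->window)
            p->events[kept++] = p->events[i];
    p->nevents = kept;
}

/* Bogus packets from addr still counted inside the window. */
int rl_count(struct ratelimit *rl, const char *addr, time_t now)
{
    struct rl_peer *p = rl_lookup(rl, addr, 0);
    if (!p)
        return 0;
    rl_age_out(rl, p, now);
    return p->nevents;
}

/* 1 if packets from addr should be dropped without a reply right now. */
int rl_is_ignored(struct ratelimit *rl, const char *addr, time_t now)
{
    struct rl_peer *p = rl_lookup(rl, addr, 0);
    if (!p || !p->ignore_until)
        return 0;
    if (now < p->ignore_until)
        return 1;
    printf("no longer ignoring peer %s\n", p->addr);
    p->ignore_until = 0;
    return 0;
}

/* Record one bogus packet; returns 1 if this packet tripped the limiter. */
int rl_bogus_packet(struct ratelimit *rl, const char *addr, time_t now)
{
    struct rl_peer *p = rl_lookup(rl, addr, 1);
    if (!p)
        return 0;  /* assumption: table full, packet is not counted */
    rl_age_out(rl, p, now);
    if (p->nevents < RL_MAX_EVENTS)
        p->events[p->nevents++] = now;
    printf("received bogus packet from %s, count=%d, threshold=%d\n",
           p->addr, p->nevents, rl->threshold);
    if (p->nevents < rl->threshold)
        return 0;
    printf("too many bogus packets from %s, ignoring for %d seconds\n",
           p->addr, rl->ignore_time);
    p->ignore_until = now + rl->ignore_time;
    p->nevents = 0;  /* start over once the ignore period ends */
    return 1;
}

/* Post's scenario: limit 10 in 30 s, nine bogus packets, tenth at second 32.
 * Returns the in-window count afterwards (9: the t=1 packet has aged out). */
int scenario_aged_out(void)
{
    struct ratelimit rl;
    time_t t;
    rl_init(&rl, 10, 30, 60);
    rl_bogus_packet(&rl, "192.0.2.10", 1);      /* constructed sample peer */
    for (t = 5; t <= 12; t++)
        rl_bogus_packet(&rl, "192.0.2.10", t);
    rl_bogus_packet(&rl, "192.0.2.10", 32);
    return rl_count(&rl, "192.0.2.10", 32);
}

/* Ten bogus packets inside 30 s; returns how many seconds the peer is ignored. */
int scenario_tripped(void)
{
    struct ratelimit rl;
    time_t t;
    int ignored = 0;
    rl_init(&rl, 10, 30, 60);
    for (t = 100; t <= 109; t++)
        rl_bogus_packet(&rl, "198.51.100.7", t); /* constructed sample peer */
    for (t = 109; rl_is_ignored(&rl, "198.51.100.7", t); t++)
        ignored++;
    return ignored;  /* 60 */
}
```

The aging comparison is `now - event < window`, so a packet exactly `window` seconds old no longer counts; that boundary is the kind of detail that decides whether a half-broken but legitimate peer gets blocked, so it is worth stating in the config documentation along with the three thresholds. Clearing `nevents` on trip implements the "start over" in the quoted proposal.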