[asterisk-dev] Rate limiting traffic to address potential DoS issues?

Andrew Kohlsmith akohlsmith-asterisk at benshaw.com
Sat Oct 7 09:52:34 MST 2006


On Saturday 07 October 2006 11:28, Rich Adamson wrote:
> I'd suggest making two important tunable parameters accessible from some
> conf file though;
>   1. number of improper/bogus signaling packet threshold
>   2. amount of time before clearing the table
> Something like... after 10 bogus attempts, add the IP address in the
> table and stop responding. Then after 60 seconds, clear that IP address
> from the table (and start over).

I'd add one more tunable parameter: improper/bogus signaling packet count 
expire time.  i.e. if you have the limit set to 10 bogus packets in 30s, it 
would trip off, but if 9 were received in 30 seconds and at the 32nd second a 
10th would come in, the 1st of the 9 would have "aged out", and thus you'd 
still be at 9 packets.

I thought of %age too, but you'd still need to keep track of the time the 
bogus packet came in so it'd be *additional* code.

I'm thinking specifically about "sort of" broken clients being improperly (and 
regularly) ignored due to too simplistic an algorithm.  SIP's an enormous 
protocol and Asterisk needs to deal with half-assed peers *all* the time.

> Obviously, it would be nice to see some sort of log entry that indicated
> the above action was taken.

TOTALLY.  At a minimum: "received bogus packet from a.b.c.d, count=x, 
threshold=y", "too many bogus packets from a.b.c.d, ignoring for x seconds", 
and "no longer ignoring peer a.b.c.d"...

-A.
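The three tunables discussed in this thread (bogus-packet threshold, count expire time, and block duration) and the three log lines, put together as an added illustration that is not part of the original post or of Asterisk's code. It models each peer's bogus packets as a sliding window of timestamps, so an old packet ages out exactly as described above (9 packets in 30 s plus a 10th after the first has expired still leaves the count at 9). The class name, method names, and IP addresses are constructed for the example; timestamps are passed in explicitly so the behaviour can be checked deterministically.

```python
from collections import defaultdict, deque


class BogusPacketLimiter:
    """Per-peer sliding-window limiter for malformed signaling packets.

    threshold    - bogus packets within count_expire seconds that trip the block
    count_expire - seconds after which an individual bogus packet "ages out"
    block_time   - seconds a tripped peer is ignored before starting over
    """

    def __init__(self, threshold=10, count_expire=30.0, block_time=60.0):
        self.threshold = threshold
        self.count_expire = count_expire
        self.block_time = block_time
        self._events = defaultdict(deque)   # ip -> timestamps of bogus packets
        self._blocked_until = {}            # ip -> time at which the block expires
        self.log = []                       # constructed stand-in for ast_log()

    def _prune(self, ip, now):
        """Drop timestamps older than count_expire (the 'aged out' rule)."""
        q = self._events[ip]
        while q and now - q[0] > self.count_expire:
            q.popleft()

    def pending_count(self, ip, now):
        """Number of bogus packets from ip still inside the window."""
        self._prune(ip, now)
        return len(self._events[ip])

    def is_blocked(self, ip, now):
        """True while ip is being ignored; clears the entry once block_time has passed."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]
            self._events[ip].clear()        # "clear that IP address from the table and start over"
            self.log.append(f"no longer ignoring peer {ip}")
            return False
        return True

    def record_bogus(self, ip, now):
        """Account for one bogus packet from ip at time `now`.

        Returns True if the peer should be ignored (already blocked, or just tripped).
        """
        if self.is_blocked(ip, now):
            return True                     # still ignoring: do not respond, do not count
        self._prune(ip, now)
        q = self._events[ip]
        q.append(now)
        self.log.append(
            f"received bogus packet from {ip}, count={len(q)}, threshold={self.threshold}"
        )
        if len(q) >= self.threshold:
            self._blocked_until[ip] = now + self.block_time
            q.clear()
            self.log.append(
                f"too many bogus packets from {ip}, ignoring for {self.block_time:g} seconds"
            )
            return True
        return False


if __name__ == "__main__":
    # Constructed scenario: 9 bogus packets, then a 10th after the first aged out.
    lim = BogusPacketLimiter(threshold=10, count_expire=30.0, block_time=60.0)
    peer = "192.0.2.10"                     # documentation address, constructed
    lim.record_bogus(peer, 0.0)
    for t in range(10, 18):
        lim.record_bogus(peer, float(t))
    lim.record_bogus(peer, 32.0)            # packet from t=0 has expired by now
    print("count after 10th packet:", lim.pending_count(peer, 32.0))
    for line in lim.log:
        print(line)
```

Pruning happens both when a packet is counted and when the count is read, so the deque never grows past `threshold` entries per peer and a well-behaved peer that sends an occasional malformed packet is never accumulated into a block.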
