[asterisk-dev] Rate limiting traffic to address potential DoS issues?

Jared Smith jaredsmith at jaredsmith.net
Wed Sep 27 07:22:51 MST 2006


On 9/26/06, Steven <critch at basesys.com> wrote:
>
> No, apache won't die. Apache will stop answering new requests till a
> child process is able to process the request.


Steven makes an important point here -- Apache has some tunable parameters
that allow you to set it's behavior, depending on your circumstances.  In
the case of Asterisk, we should have a couple of knobs we can tweak to
control how Asterisk handles a high number of incoming connections, whether
they're just a traffic spike or a DoS attack.

I know that other VoIP vendors claim they can handle X number of invalid
connections per second while still keeping all the legitimate calls working
-- I'd obviously like to see Asterisk do the same (for reasonable values of
X, of course).  Unfortunately, in the limited load testing I've done with
Asterisk (specifically in the SIP channel), when you start to send more than
a few incoming calls per second, Asterisk starts to freak out; namely, it
responds to the wrong packets, sends multiple replies, and/or crashes.

I know I talked to several people about this at VON -- does anybody have a
lead on some good high-end VoIP call generators we can use to test Asterisk
and make it better?

-Jared
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-dev/attachments/20060927/7da1b028/attachment.htm


More information about the asterisk-dev mailing list