[Asterisk-Users] Recommendation for dialplan in case of DDoS
atta cks?
Kristian Kielhofner
kris at krisk.org
Mon Feb 28 13:20:05 MST 2005
Colin Anderson wrote:
>>How about a combination of GotoIF, and app_dbodbc (or app_db):
>
>
>>exten => 700,1,playback(ddos-on)
>>exten => 700,2,DBput(DDOS/yes)
>
>
>>exten => 701,1,playback(ddos-off)
>>exten => 701,2,DBdel(DDOS/yes)
>
>
>>[mymainaa]
>>exten => s,1,DBGET(TRUE=DDOS/yes)
>>exten => s,2,Do this
>
>
>>exten =) s,102,do something else
>
>
> My comment: Good suggestion, but requires user intervention. I'm lazy and I
> want it to be totally transparent. I'm not avaliable most of the time and
> training someone to do it is not reliable, even my MCSE monkey would have
> trouble figuring out that we are being DoS'd (NOT my hire!)
>
> -and-
>
>
>>Primary * box detects DD0S -> runs:
>
>
>>asterisk -rx "database put PANIC DDOS YES"
>
>
>>and have your dialplan look for that database family/key being set to
>>determine which path it takes.
>
>
>>When the primary * box detects that the DD0S is over -> runs:
>
>
>>asterisk -rx "database del PANIC DDOS"
>
>
> My comment: Better suggestion, and looks to be workable. What would be a
> good way to detect latency? A cron job that pings a known host with, say, 2K
> of data and pipes it back to a shell script? If so, what kind of frequency
> would be considered effective? Every 30 seconds, 1 minute?
His suggestion was basically the same thing, only in mine you would dial
an extension to "activate" DDOS mode instead of running the database put
from the command line.
How about monitoring your hosts with "iax2/sip show peers" and parsing
that output with a cron job? The ping thing looks like it would be more
of a problem than anything else.
OR you could run Snort and have it "detect" the DDOS somehow... Not a
snort expert, but it has to be doable.
Are these inbound or outbound calls? (both?) I am pretty confused
about all of this...
--
Kristian Kielhofner
More information about the asterisk-users
mailing list