Module: sip-router
Branch: master
Commit: f77093de4f3111cbc7171e61443c7d1c0cee50d0
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f77093d…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: Thu Sep 23 18:40:48 2010 +0200
kamailio.cfg: added flood detection
- can be enabled via #!define WITH_ANTIFLOOD
- uses pike to detect flood and htable to ban the IP for a while
---
etc/kamailio.cfg | 41 +++++++++++++++++++++++++++++++++++++++++
1 files changed, 41 insertions(+), 0 deletions(-)
diff --git a/etc/kamailio.cfg b/etc/kamailio.cfg
index 0e48dd4..c2ef9e9 100644
--- a/etc/kamailio.cfg
+++ b/etc/kamailio.cfg
@@ -59,6 +59,11 @@
# - adjust CFGDIR/tls.cfg as needed
# - define WITH_TLS
#
+# *** To enable anti-flood detection execute:
+# - adjust pike and htable=>ipban settings as needed (default is
+# block if more than 16 requests in 2 seconds and ban for 300 seconds)
+# - define WITH_ANTIFLOOD
+#
# *** To enhance accounting execute:
# - enable mysql
# - define WITH_ACCDB
@@ -223,6 +228,11 @@ loadmodule "rtpproxy.so"
loadmodule "tls.so"
#!endif
+#!ifdef WITH_ANTIFLOOD
+loadmodule "htable.so"
+loadmodule "pike.so"
+#!endif
+
# ----------------- setting module-specific parameters ---------------
@@ -353,6 +363,16 @@ modparam("usrloc", "nat_bflag", FLB_NATB)
modparam("tls", "config",
"/usr/local/etc/kamailio/tls.cfg")
#!endif
+#!ifdef WITH_ANTIFLOOD
+# ----- pike params -----
+modparam("pike", "sampling_time_unit", 2)
+modparam("pike", "reqs_density_per_unit", 16)
+modparam("pike", "remove_latency", 4)
+
+# ----- htable params -----
+# ip ban htable with autoexpire after 5 minutes
+modparam("htable", "htable",
"ipban=>size=8;autoexpire=300;")
+#!endif
####### Routing Logic ########
@@ -450,6 +470,27 @@ route[RELAY] {
# Per SIP request initial checks
route[REQINIT] {
+#!ifdef WITH_ANTIFLOOD
+ # flood dection from same IP and traffic ban for a while
+ # be sure you exclude checking trusted peers, such as pstn gateways
+ # - local host excluded (e.g., loop to self)
+ if(src_ip!=myself)
+ {
+ if($sht(ipban=>$si)!=$null)
+ {
+ # ip is already blocked
+ xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
+ exit;
+ }
+ if (!pike_check_req())
+ {
+ xlog("L_ALERT","ALERT: pike blocking $rm from $fu
(IP:$si:$sp)\n");
+ $sht(ipban=>$si) = 1;
+ exit;
+ }
+ }
+#!endif
+
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
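Review bot: The trusted-peer exclusion that the comment on the first added lines asks for is left entirely to the operator: the only exemption coded is `if(src_ip!=myself)`, so once WITH_ANTIFLOOD is defined any PSTN gateway or SBC that legitimately sends more than 16 requests in 2 seconds is dropped for 300 seconds, and because the ban is keyed on `$si` alone every user behind a shared NAT or upstream proxy is banned together. Consider giving the operator a hook rather than a comment, e.g. `if(src_ip!=myself && !allow_source_address())` if the permissions module is loaded elsewhere in this cfg (not visible in the hunk), or at least state the shared-address caveat next to the "trusted peers" remark. The first added comment also has a typo; it should read `# flood detection from same IP and traffic ban for a while`. route[REQINIT] continues past the end of the hunk.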