Hello,

On 11/22/11 8:56 PM, Ricardo Martinez wrote:

Hello list.

I’m having some issues with the Kamailio versión 3.2.0.

I want to ask if someone could give some hints how to optimize the performance of my kamailio server.  For some reason and  from time to time the kamailio process start to answer slower than usual, making calls fail and register expires.  I’m still unable to detect the problem, but I want to know of maybe i´m running my kamailio not under the best conditions.

This is part of my configuration :

#!KAMAILIO

#!define FLT_NATS 5

#!define FLB_NATB 6

#!define FLB_NATSIPPING 7

 

# ----------- global configuration parameters ------------------------

 

debug=2  # debug level (cmd line: -dddddddddd)

fork=yes

log_stderror=no    # (cmd line: -E)

log_facility=LOG_LOCAL0

 

children=16

port=5060

memdbg=9

memlog=9

 

 

listen=udp:10.0.10:5060

disable_tcp=yes

server_signature=0

port=5060

 

# ----------------- setting module-specific parameters ---------------

 

## modparam("registrar", "received_avp", "$avp(s:rcv)")

modparam("usrloc", "db_mode", 1)

modparam("auth_db", "calculate_ha1", 1)

modparam("auth_db", "password_column", "password")

modparam("rr", "enable_full_lr", 1)

modparam("auth_db|permissions|uri_db|usrloc","db_url","mysql://openser:openserrw@localhost/openser")

modparam("permissions", "db_mode", 1)

modparam("permissions", "trusted_table", "trusted")

modparam("avpops", "db_url", "mysql://openser:openserrw@localhost/openser")

modparam("avpops", "avp_table", "usr_preferences")

 

modparam("domain", "db_mode", 1)

 

 

# ----- nathelper params -----

modparam("nathelper", "natping_interval", 20)

modparam("nathelper", "ping_nated_only", 1)

modparam("nathelper", "sipping_bflag", FLB_NATSIPPING)

modparam("nathelper", "sipping_from", "sip:pinger@kamailio.org")

 

# params needed for NAT traversal in other modules

modparam("nathelper|registrar", "received_avp", "$avp(RECEIVED)")

modparam("usrloc", "nat_bflag", FLB_NATB)

 

modparam("nathelper","natping_interval", 20)

## modparam("nathelper","received_avp", "$avp(i:42)")

 

modparam("mediaproxy","mediaproxy_socket", "/var/run/mediaproxy/dispatcher.sock")

modparam("mediaproxy", "signaling_ip_avp", "$avp(s:signaling_ip)")

modparam("registrar|nathelper", "received_avp", "$avp(i:80)")

modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")

 

#modparam("tm", "fr_timer", 3)

 

# ------ dialog params -------

modparam("dialog", "dlg_flag", 4)

modparam("dialog", "profiles_with_value", "caller")

 

# ------ pike params --------

modparam("pike", "sampling_time_unit", 2)

modparam("pike", "reqs_density_per_unit", 25)

modparam("pike", "remove_latency", 4)

 

# ------ rr params --------

modparam("rr", "enable_full_lr", 1)

 

# ----- misc_radius params -----

modparam("misc_radius", "radius_config", "/usr/local/etc/radiusclient-ng/radiusclient.conf")

modparam("misc_radius", "caller_service_type", 18)

modparam("misc_radius", "callee_service_type", 19)

modparam("misc_radius", "caller_extra", "Called-Station-Id=$ru")

modparam("misc_radius", "callee_extra", "Called-Station-Id=$fu")

 

# ---- htable param ---------

modparam("htable", "htable", "a=>size=8;")

modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

 

modparam("rtimer", "timer", "name=tst;interval=300;mode=1;")

modparam("rtimer", "exec", "timer=tst;route=STATS")

modparam("sqlops","sqlcon",

         "ca=>mysql://openser:openserrw@localhost/openser")

 

#------ uac ---------------

modparam("uac","rr_store_param","my_param")

modparam("uac","from_restore_mode","auto")

modparam("uac","auth_realm_avp","$avp(i:10)")

modparam("uac","auth_username_avp","$avp(i:11)")

modparam("uac","auth_password_avp","$avp(i:12)")

 

 

Beside of this I have syslogd in asyn mode…

This is the info of the kamailio –V

 

version: kamailio 3.2.0 (x86_64/linux) 639f0a

flags: STATS: Off, USE_IPV6, USE_TCP, USE_TLS, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, DBG_QM_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES

ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 4MB

poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.

id: 639f0a

compiled on 11:35:43 Oct 28 2011 with gcc 4.5.1

 

I’m using pike to check flood alerts, but I have a white list stored in the “user_preference” table :

I’m using it like this :

route[REQINIT]  {

        # flood dection from same IP and traffic ban for a while

        # be sure you exclude checking trusted peers, such as pstn gateways

        # - local host excluded (e.g., loop to self)

        if( !(avp_db_load("pike", "$avp(ip_origen)") && avp_check("$avp(ip_origen)", "eq/$src_ip/gi")) )

 

#+---------+----------+--------+-----------+----------------+------+---------------------+

#| uuid    | username | domain | attribute | value          | type | modified            |

#+---------+----------+--------+-----------+----------------+------+---------------------+

#| pike    |          |        | ip_origen | 10.0.0.44      |    0 | 2008-01-04 13:24:14 |

#| pike    |          |        | ip_origen | 10.0.0.66      |    0 | 2008-01-04 17:28:59 |

        {

                if($sht(ipban=>$si)!=$null)

                {

                        # ip is already blocked

                        xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");

                        exit;

                }

                if (!pike_check_req())

                {

                        xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");

                        xlog("L_INFO","ALERT: pike blocking from $si\n");

                        $sht(ipban=>$si) = 1;

                        exit;

                }

        }

 

Is this check method too slow? Or intensive in mysql access request??

database access can be a reason for becoming slower. The above operation does a select of the ip addresses in memory and then an iteration to match them with source ip.

You can use benchmark module to try to detect what is slower there -- you can wrap the cfg snipped above in benchmark execution time counting.

IMO, this is not a good solution for preventing DoS, since you hit database even for each malicious request. I would recommend to use permissions module with address table to match trusted IP addresses -- this is doing caching in memory for the list of addresses, thus being very fast and safe in case of attacks. You can reload the list of ip addresses at runtime via MI/RPC without a need to restart the sip server.

Cheers,
Daniel
-- 
Daniel-Constantin Mierla -- http://www.asipto.com
Kamailio Advanced Training, Dec 5-8, Berlin: http://asipto.com/u/kat
http://linkedin.com/in/miconda -- http://twitter.com/miconda