On 10/26/10 5:34 PM, "Nicolas RĂ¼ger" wrote:
Hello,
thank you. I see the problem with the worker processes now. I had a look at PIKE module
and RATELIMIT module as well.
My idea was to delay the call WITHOUT sending any reply-message to the caller, as I
wanted to save performance and I can identify suspicios users by a reputation that I
compute before.
It seems the only way to do so, might be to store the INVITE information somewhere and
keep on routing it again after a certain timeout.
Do you agree?
there is support in the code to suspend the transaction and resume
the
processing, iirc, look in tm module for t_suspend() function.
Right now you can do following:
- set timeout to 30 sec
- set failure route timeout
- send the invite via udp to a invalid destination (e.g., your ip port 9)
- when the 30sec will pass, the failure route timeout will be executed
and you can do further routing.
Drawbacks - for the 30sec tm will do retransmission. To avoid that, run
another kamailio on a different port where you send the invite and reply
back 100 trying so first kamailio stops the retransmission.
Cheers,
Daniel
Regards,
Nicolas
On 10/26/2010 05:09 PM, Alex Balashov wrote:
> Pike or ratelimit modules may facilitate this; otherwise, no.
>>
> Hello, It is not a good design practice to do it synchronously, mainly
> because the worker process will remain blocked for 30s . Imagine an
> attacker sending 30 requests and DoS the whole server , because of the
> limited number of worker process (not to mention that 30s delay means
> retrasmits from the TM layer- so these need to be handled by tm before
> the "sleep").
>
> Anyway I wouldn't recommend a design like this. As others suggested
> pike and ratelimite (mostly ratelimit) will allow you to drop calls from
> attackers. You could add a Retry-After header so to inform a normal UA
> to retry the request after a number of seconds.
>
> Marius
--
Daniel-Constantin Mierla
http://www.asipto.com