22 Nov
2011
22 Nov
'11
9:56 p.m.
Hello list.
I’m having some issues with the Kamailio versión 3.2.0.
I want to ask if someone could give some hints how to optimize the
performance of my kamailio server. For some reason and from time to time
the kamailio process start to answer slower than usual, making calls fail
and register expires. I’m still unable to detect the problem, but I want
to know of maybe i´m running my kamailio not under the best conditions.
This is part of my configuration :
#!KAMAILIO
#!define FLT_NATS 5
#!define FLB_NATB 6
#!define FLB_NATSIPPING 7
# ----------- global configuration parameters ------------------------
debug=2 # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=no # (cmd line: -E)
log_facility=LOG_LOCAL0
children=16
port=5060
memdbg=9
memlog=9
listen=udp:10.0.10:5060
disable_tcp=yes
server_signature=0
port=5060
# ----------------- setting module-specific parameters ---------------
## modparam("registrar", "received_avp", "$avp(s:rcv)")
modparam("usrloc", "db_mode", 1)
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "password_column", "password")
modparam("rr", "enable_full_lr", 1)
modparam("auth_db|permissions|uri_db|usrloc","db_url","mysql://openser:openserrw@localhost
/openser")
modparam("permissions", "db_mode", 1)
modparam("permissions", "trusted_table", "trusted")
modparam("avpops", "db_url",
"mysql://openser:openserrw@localhost/openser")
modparam("avpops", "avp_table", "usr_preferences")
modparam("domain", "db_mode", 1)
# ----- nathelper params -----
modparam("nathelper", "natping_interval", 20)
modparam("nathelper", "ping_nated_only", 1)
modparam("nathelper", "sipping_bflag", FLB_NATSIPPING)
modparam("nathelper", "sipping_from",
"sip:pinger@kamailio.org")
# params needed for NAT traversal in other modules
modparam("nathelper|registrar", "received_avp",
"$avp(RECEIVED)")
modparam("usrloc", "nat_bflag", FLB_NATB)
modparam("nathelper","natping_interval", 20)
## modparam("nathelper","received_avp", "$avp(i:42)")
modparam("mediaproxy","mediaproxy_socket",
"/var/run/mediaproxy/dispatcher.sock")
modparam("mediaproxy", "signaling_ip_avp",
"$avp(s:signaling_ip)")
modparam("registrar|nathelper", "received_avp",
"$avp(i:80)")
modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")
#modparam("tm", "fr_timer", 3)
# ------ dialog params -------
modparam("dialog", "dlg_flag", 4)
modparam("dialog", "profiles_with_value", "caller")
# ------ pike params --------
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 25)
modparam("pike", "remove_latency", 4)
# ------ rr params --------
modparam("rr", "enable_full_lr", 1)
# ----- misc_radius params -----
modparam("misc_radius", "radius_config",
"/usr/local/etc/radiusclient-ng/radiusclient.conf")
modparam("misc_radius", "caller_service_type", 18)
modparam("misc_radius", "callee_service_type", 19)
modparam("misc_radius", "caller_extra",
"Called-Station-Id=$ru")
modparam("misc_radius", "callee_extra",
"Called-Station-Id=$fu")
# ---- htable param ---------
modparam("htable", "htable", "a=>size=8;")
modparam("htable", "htable",
"ipban=>size=8;autoexpire=300;")
modparam("rtimer", "timer",
"name=tst;interval=300;mode=1;")
modparam("rtimer", "exec", "timer=tst;route=STATS")
modparam("sqlops","sqlcon",
"ca=>mysql://openser:openserrw@localhost/openser")
#------ uac ---------------
modparam("uac","rr_store_param","my_param")
modparam("uac","from_restore_mode","auto")
modparam("uac","auth_realm_avp","$avp(i:10)")
modparam("uac","auth_username_avp","$avp(i:11)")
modparam("uac","auth_password_avp","$avp(i:12)")
Beside of this I have syslogd in asyn mode…
This is the info of the kamailio –V
version: kamailio 3.2.0 (x86_64/linux) 639f0a
flags: STATS: Off, USE_IPV6, USE_TCP, USE_TLS, TLS_HOOKS, USE_RAW_SOCKS,
DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC,
DBG_QM_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE,
USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 4MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 639f0a
compiled on 11:35:43 Oct 28 2011 with gcc 4.5.1
I’m using pike to check flood alerts, but I have a white list stored in the
“user_preference” table :
I’m using it like this :
route[REQINIT] {
# flood dection from same IP and traffic ban for a while
# be sure you exclude checking trusted peers, such as pstn gateways
# - local host excluded (e.g., loop to self)
if( !(avp_db_load("pike", "$avp(ip_origen)") &&
avp_check("$avp(ip_origen)", "eq/$src_ip/gi")) )
#+---------+----------+--------+-----------+----------------+------+---------------------+
#| uuid | username | domain | attribute | value | type |
modified |
#+---------+----------+--------+-----------+----------------+------+---------------------+
#| pike | | | ip_origen | 10.0.0.44 | 0 |
2008-01-04 13:24:14 |
#| pike | | | ip_origen | 10.0.0.66 | 0 |
2008-01-04 17:28:59 |
{
if($sht(ipban=>$si)!=$null)
{
# ip is already blocked
xdbg("request from blocked IP - $rm from $fu
(IP:$si:$sp)\n");
exit;
}
if (!pike_check_req())
{
xlog("L_ALERT","ALERT: pike blocking $rm from $fu
(IP:$si:$sp)\n");
xlog("L_INFO","ALERT: pike blocking from
$si\n");
$sht(ipban=>$si) = 1;
exit;
}
}
Is this check method too slow? Or intensive in mysql access request??
Hope someone can help me here.
Thanks in advance..
Regards,
*Ricardo Martinez.-*
23 Nov
23 Nov
9:57 a.m.
Hello,
On 11/22/11 8:56 PM, Ricardo Martinez wrote:
Hello list.
I'm having some issues with the Kamailio versión 3.2.0.
I want to ask if someone could give some hints how to optimize the
performance of my kamailio server. For some reason and from time to
time the kamailio process start to answer slower than usual, making
calls fail and register expires. I'm still unable to detect the
problem, but I want to know of maybe i´m running my kamailio not under
the best conditions.
This is part of my configuration :
#!KAMAILIO
#!define FLT_NATS 5
#!define FLB_NATB 6
#!define FLB_NATSIPPING 7
# ----------- global configuration parameters ------------------------
debug=2 # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=no # (cmd line: -E)
log_facility=LOG_LOCAL0
children=16
port=5060
memdbg=9
memlog=9
listen=udp:10.0.10:5060
disable_tcp=yes
server_signature=0
port=5060
# ----------------- setting module-specific parameters ---------------
## modparam("registrar", "received_avp", "$avp(s:rcv)")
modparam("usrloc", "db_mode", 1)
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "password_column", "password")
modparam("rr", "enable_full_lr", 1)
modparam("auth_db|permissions|uri_db|usrloc","db_url","mysql://openser:openserrw@localhost/openser")
modparam("permissions", "db_mode", 1)
modparam("permissions", "trusted_table", "trusted")
modparam("avpops", "db_url",
"mysql://openser:openserrw@localhost/openser")
modparam("avpops", "avp_table", "usr_preferences")
modparam("domain", "db_mode", 1)
# ----- nathelper params -----
modparam("nathelper", "natping_interval", 20)
modparam("nathelper", "ping_nated_only", 1)
modparam("nathelper", "sipping_bflag", FLB_NATSIPPING)
modparam("nathelper", "sipping_from", "sip:pinger@kamailio.org
<mailto:sip%3Apinger@kamailio.org>")
# params needed for NAT traversal in other modules
modparam("nathelper|registrar", "received_avp",
"$avp(RECEIVED)")
modparam("usrloc", "nat_bflag", FLB_NATB)
modparam("nathelper","natping_interval", 20)
## modparam("nathelper","received_avp", "$avp(i:42)")
modparam("mediaproxy","mediaproxy_socket",
"/var/run/mediaproxy/dispatcher.sock")
modparam("mediaproxy", "signaling_ip_avp",
"$avp(s:signaling_ip)")
modparam("registrar|nathelper", "received_avp",
"$avp(i:80)")
modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")
#modparam("tm", "fr_timer", 3)
# ------ dialog params -------
modparam("dialog", "dlg_flag", 4)
modparam("dialog", "profiles_with_value", "caller")
# ------ pike params --------
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 25)
modparam("pike", "remove_latency", 4)
# ------ rr params --------
modparam("rr", "enable_full_lr", 1)
# ----- misc_radius params -----
modparam("misc_radius", "radius_config",
"/usr/local/etc/radiusclient-ng/radiusclient.conf")
modparam("misc_radius", "caller_service_type", 18)
modparam("misc_radius", "callee_service_type", 19)
modparam("misc_radius", "caller_extra",
"Called-Station-Id=$ru")
modparam("misc_radius", "callee_extra",
"Called-Station-Id=$fu")
# ---- htable param ---------
modparam("htable", "htable", "a=>size=8;")
modparam("htable", "htable",
"ipban=>size=8;autoexpire=300;")
modparam("rtimer", "timer",
"name=tst;interval=300;mode=1;")
modparam("rtimer", "exec", "timer=tst;route=STATS")
modparam("sqlops","sqlcon",
"ca=>mysql://openser:openserrw@localhost/openser")
#------ uac ---------------
modparam("uac","rr_store_param","my_param")
modparam("uac","from_restore_mode","auto")
modparam("uac","auth_realm_avp","$avp(i:10)")
modparam("uac","auth_username_avp","$avp(i:11)")
modparam("uac","auth_password_avp","$avp(i:12)")
Beside of this I have syslogd in asyn mode...
This is the info of the kamailio --V
version: kamailio 3.2.0 (x86_64/linux) 639f0a
flags: STATS: Off, USE_IPV6, USE_TCP, USE_TLS, TLS_HOOKS,
USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM,
SHM_MMAP, PKG_MALLOC, DBG_QM_MALLOC, USE_FUTEX,
FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR,
USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 4MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 639f0a
compiled on 11:35:43 Oct 28 2011 with gcc 4.5.1
I'm using pike to check flood alerts, but I have a white list stored
in the "user_preference" table :
I'm using it like this :
route[REQINIT] {
# flood dection from same IP and traffic ban for a while
# be sure you exclude checking trusted peers, such as pstn
gateways
# - local host excluded (e.g., loop to self)
if( !(avp_db_load("pike", "$avp(ip_origen)") &&
avp_check("$avp(ip_origen)", "eq/$src_ip/gi")) )
#+---------+----------+--------+-----------+----------------+------+---------------------+
#| uuid | username | domain | attribute | value | type |
modified |
#+---------+----------+--------+-----------+----------------+------+---------------------+
#| pike | | | ip_origen | 10.0.0.44 | 0 |
2008-01-04 13:24:14 |
#| pike | | | ip_origen | 10.0.0.66 | 0 |
2008-01-04 17:28:59 |
{
if($sht(ipban=>$si)!=$null)
{
# ip is already blocked
xdbg("request from blocked IP - $rm from $fu
(IP:$si:$sp)\n");
exit;
}
if (!pike_check_req())
{
xlog("L_ALERT","ALERT: pike blocking $rm from
$fu (IP:$si:$sp)\n");
xlog("L_INFO","ALERT: pike blocking from
$si\n");
$sht(ipban=>$si) = 1;
exit;
}
}
Is this check method too slow? Or intensive in mysql access request??
database access can be a reason for becoming slower. The above operation
does a select of the ip addresses in memory and then an iteration to
match them with source ip.
You can use benchmark module to try to detect what is slower there --
you can wrap the cfg snipped above in benchmark execution time counting.
IMO, this is not a good solution for preventing DoS, since you hit
database even for each malicious request. I would recommend to use
permissions module with address table to match trusted IP addresses --
this is doing caching in memory for the list of addresses, thus being
very fast and safe in case of attacks. You can reload the list of ip
addresses at runtime via MI/RPC without a need to restart the sip server.
Cheers,
Daniel
--
Daniel-Constantin Mierla -- http://www.asipto.com
Kamailio Advanced Training, Dec 5-8, Berlin: http://asipto.com/u/kat
http://linkedin.com/in/miconda -- http://twitter.com/miconda
4748
days inactive
4749
days old
1 comments
2 participants
participants (2)
-
Daniel-Constantin Mierla -
Ricardo Martinez