Overview

A new feature that allows sipXecs to detect DoS attacks and prevent them from crashing the system is available starting with version 4.6.

Packet Rate Counter

The algorithm is a simple packet rate counter that measures the number of packets received per second. The threshold can be set via the web UI; the current default is 100 packets per second. This can be adjusted based on the actual traffic intensity, or lack thereof, in a particular deployment. A threshold violation raises an alarm so that administrators are notified when the threshold is reached and can decide whether they need to increase it.

Violation Rate

On top of the rate counter, the transport layer also maintains a dynamic map of the IP addresses that sent packets to sipXecs. When a threshold violation is reached, this map is consulted to see whether a single IP is responsible for a certain share of the total packets received. The current default for this is 50 packets, so the rate limit ratio is 50/100. If the transport pinpoints a particular IP that sent 50 or more of those packets, that IP is banned from sending any packets to sipXecs until the system grants it parole.

Penalty Period

The lifetime for which a particular IP is banned from the system is also configurable. The current default is 3600 seconds, or 1 hour. Once that period expires, the IP address is released from the transport jail and is again allowed to send traffic to sipXecs until it again violates the rate ratio.

White List

There are instances when predictive dialers for call centers are deployed within the network and might be misinterpreted by the rate-limit procedure as a DoS attacker. To keep such friendly rate violators from ever getting jailed, the config also provides a white list that tells sipXecs who the friendlies are; those addresses are granted immunity.

Black List

If that is not enough, a black list is also provided so that you can simply paste the IP addresses of known attackers to permanently ban them from ever sending packets to sipXecs.
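The five rules above (per-second rate counter, per-IP violation share, penalty period, white list, black list) fit together as one small state machine. The following is an added illustration written for this page, not sipXecs' own transport code; it assumes the threshold is "reached" at 100 packets within one wall-clock second, that the 50-packet share is evaluated against the same one-second window, and it uses constructed RFC 5737 test addresses as traffic.

```python
from collections import Counter

class PacketRateGuard:
    """Per-second packet counter with per-IP attribution, penalty jail,
    white list and black list (added illustration, not sipXecs code)."""

    def __init__(self, rate_limit=100, violation_limit=50,
                 penalty_seconds=3600, whitelist=(), blacklist=()):
        self.rate_limit, self.violation_limit = rate_limit, violation_limit
        self.penalty_seconds = penalty_seconds
        self.whitelist = set(whitelist)
        # jail maps IP -> release time; black-listed IPs never get parole
        self.jail = {ip: float("inf") for ip in blacklist}
        self.window, self.counts, self.alarms, self.alarmed = None, Counter(), [], False

    def on_packet(self, src_ip, now):
        """Return True if the packet is accepted, False if it is dropped."""
        release = self.jail.get(src_ip)
        if release is not None:
            if now < release:
                return False           # still serving the penalty period
            del self.jail[src_ip]      # parole: penalty period has expired
        if self.window != int(now):    # new one-second window: reset the map
            self.window, self.counts, self.alarmed = int(now), Counter(), False
        self.counts[src_ip] += 1
        if sum(self.counts.values()) >= self.rate_limit:   # threshold reached
            if not self.alarmed:       # raise the alarm once per window
                self.alarms.append(self.window)
                self.alarmed = True
            for ip, n in self.counts.items():   # who is responsible?
                if n >= self.violation_limit and ip not in self.whitelist:
                    self.jail.setdefault(ip, now + self.penalty_seconds)
            if src_ip in self.jail:
                return False
        return True

def simulate():
    """Constructed traffic exercising each rule; returns the observed outcomes."""
    g = PacketRateGuard(whitelist=["192.0.2.5"], blacklist=["198.51.100.7"])
    r = {}
    for i in range(60):                # second 0: 60 hosts, one packet each
        g.on_packet(f"203.0.113.{i}", 0.5)
    r["alarms_after_spread"] = len(g.alarms)
    for i in range(40):                # second 1: 40 hosts plus one flooder
        g.on_packet(f"203.0.113.{i}", 1.2)
    r["flooder_accepted"] = sum(g.on_packet("192.0.2.99", 1.3) for _ in range(70))
    for i in range(40):                # second 2: same burst from a white-listed dialer
        g.on_packet(f"203.0.113.{i}", 2.1)
    r["dialer_accepted"] = sum(g.on_packet("192.0.2.5", 2.2) for _ in range(70))
    r["blacklisted"] = g.on_packet("198.51.100.7", 2.3)
    r["flooder_during_penalty"] = g.on_packet("192.0.2.99", 3000.0)
    r["flooder_after_parole"] = g.on_packet("192.0.2.99", 3602.0)
    r["alarms"] = len(g.alarms)
    return r
```

The flooder's 60th packet in second 1 is the one that pushes the window to 100 and, because that host alone accounts for 60 of them, lands it in jail for 3600 seconds; the white-listed dialer produces the same alarm but is never jailed.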