Overview
A new functionality that allows sipXecs to detect DoS attacks and prevent it from crashing the system is available starting with version 4.6. This new Call Rate Limit functionality can be configured from config UI by navigating to System > Call Rate Limit
Call Rate Limit Settings
Packet Rate Counter
The algorithm is a simple packet rate counter that measures the number of packets received per second. A certain threshold can be set via the web UI on what the threshold limit is. The current default is 100 packets per second.
This can be adjusted based on the actual traffic intensity or lack thereof in a particular deployment. A threshold violation triggers an Alarm to be raised so that administrators get a notification when the threshold is reach and if they need to increase it.
Violation Rate
On top of the rate counter, the transport layer also maintains a dynamic map of the IP addresses that sent packets to sipXecs. If a threshold violation is reached, this map will be consulted and see if a certain IP is responsible for a certain percentage of the total packets received. The current default for this is 50 packets. Thus, we can say that the rate limit ratio is 50/100.
If the transport pinpoints a particular IP sends more than or equal to 50, the particular IP will be banned from ever sending any packets to sipXecs until such time it is granted a parole by the system.
Penalty Period
The lifetime by which a particular IP is banned from the system is also configurable. The current default is 3600 seconds or 1 hour. After an IP address is banned, it will be released from the transport jail and would be allowed again to send traffic to sipXecs until such time it again violates the rate ratio.
White List
There are instances when predictive dialers for call centers are deployed within the network and might be misinterpreted by the ratelimit procedure as a DoS attacker. To allow friendly rate violators from ever getting jailed, a white list is also provided by the config to tell sipXecs who the friendlies are and would be granted immunity.
Black List
If that is not enough, a black list is also provided so that you can simply copy and paste IP addresses of known attackers to permanently ban them from ever sending packets to sipXecs.