[r10190]: trunk / modules / pike / doc / pike_admin.xml Maximize Restore History

Download this file

pike_admin.xml    310 lines (296 with data), 8.3 kB

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
<!-- Module User's Guide -->
<chapter>
<title>&adminguide;</title>
<section>
<title>Overview</title>
<para>
The module provides a simple mechanism for DOS protection - DOS based
on floods at network level. The module keeps trace of all (or selected
ones) IPs of incoming SIP traffic (as source IP) and blocks the ones
that exceeded some limit.
Works simultaneous for IPv4 and IPv6 addresses.
</para>
<para>
The module does not implement any actions on blocking - it just simply
reports that there is a high traffic from an IP; what to do, is
the administator decision (via scripting).
</para>
</section>
<section>
<title>How to use</title>
<para>
There are 2 ways of using this module (as detecting flood attacks and
as taking the right action to limit the impact on the system):
<itemizedlist>
<listitem>
<para>
<emphasis>manual</emphasis> - from routing script you can force
the check of the source IP of an incoming requests, using
"pike_check_req" function. Note that this checking works only
for SIP requests and you can decide (based on scripting logic)
what source IPs to be monitored and what action to be taken
when a flood is detected.
</para>
</listitem>
<listitem>
<para>
<emphasis>automatic</emphasis> - the module will install
internal hooks to catch all incoming requests and replies (even
if not well formed from SIP point of view) - more or less the
module will monitor all incoming packages (from the network) on
the SIP sockets. Each time the source IP of a package needs to
be analyse (to see if trusted or not), the module will run a
script route - see "check_route" module parameter -, where,
based on custom logic, you can decide if that IP needs to be
monitored for flooding or not. As action, when flood is
detected, the module will automatically drop the packages.
</para>
</listitem>
</itemizedlist>
</para>
</section>
<section>
<title>Dependencies</title>
<section>
<title>&osips; Modules</title>
<para>
The following modules must be loaded before this module:
<itemizedlist>
<listitem>
<para>
<emphasis>No dependencies on other &osips; modules</emphasis>.
</para>
</listitem>
</itemizedlist>
</para>
</section>
<section>
<title>External Libraries or Applications</title>
<para>
The following libraries or applications must be installed before
running &osips; with this module loaded:
<itemizedlist>
<listitem>
<para>
<emphasis>None</emphasis>.
</para>
</listitem>
</itemizedlist>
</para>
</section>
</section>
<section>
<title>Exported Parameters</title>
<section>
<title><varname>sampling_time_unit</varname> (integer)</title>
<para>
Time period used for sampling (or the sampling accuracy ;-) ). The
smaller the better, but slower. If you want to detect peaks, use a
small one. To limit the access (like total number of requests on a
long period of time) to a proxy resource (a gateway for ex), use
a bigger value of this parameter.
</para>
<para>
IMPORTANT: a too small value may lead to performance penalties due
timer process overloading.
</para>
<para>
<emphasis>
Default value is 2.
</emphasis>
</para>
<example>
<title>Set <varname>sampling_time_unit</varname> parameter</title>
<programlisting format="linespecific">
...
modparam("pike", "sampling_time_unit", 10)
...
</programlisting>
</example>
</section>
<section>
<title><varname>reqs_density_per_unit</varname> (integer)</title>
<para>
How many requests should be allowed per sampling_time_unit before
blocking all the incoming request from that IP. Practically, the
blocking limit is between ( let's have x=reqs_density_per_unit) x
and 3*x for IPv4 addresses and between x and 8*x for ipv6 addresses.
</para>
<para>
<emphasis>
Default value is 30.
</emphasis>
</para>
<example>
<title>Set <varname>reqs_density_per_unit</varname> parameter</title>
<programlisting format="linespecific">
...
modparam("pike", "reqs_density_per_unit", 30)
...
</programlisting>
</example>
</section>
<section>
<title><varname>remove_latency</varname> (integer)</title>
<para>
For how long the IP address will be kept in memory after the last
request from that IP address. It's a sort of timeout value.
</para>
<para>
<emphasis>
Default value is 120.
</emphasis>
</para>
<example>
<title>Set <varname>remove_latency</varname> parameter</title>
<programlisting format="linespecific">
...
modparam("pike", "remove_latency", 130)
...
</programlisting>
</example>
</section>
<section>
<title><varname>check_route</varname> (integer)</title>
<para>
The name of the script route to be triggers (in automatic way) when a
package is received from the network. If you do a "drop" in this route,
it will indicate to the module that the source IP of the package does
not need to be monitored. Otherwise, the source IP will be
automatically monitered.
</para>
<para>
By defining this parameter, the automatic checking mode is enabled.
</para>
<para>
<emphasis>
Default value is NONE (no auto mode).
</emphasis>
</para>
<example>
<title>Set <varname>check_route</varname> parameter</title>
<programlisting format="linespecific">
...
modparam("pike", "check_route", "pike")
...
route[pike]{
if (src_ip==111.222.111.222) /*trusted, do not check it*/
drop;
/* all other IPs are checked*/
}
....
</programlisting>
</example>
</section>
<section>
<title><varname>pike_log_level</varname> (integer)</title>
<para>
Log level to be used by module to auto report the blocking (only first
time) and unblocking of IPs detected as source of floods.
</para>
<para>
<emphasis>
Default value is 1 (L_WARN).
</emphasis>
</para>
<example>
<title>Set <varname>pike_log_level</varname> parameter</title>
<programlisting format="linespecific">
...
modparam("pike", "pike_log_level", -1)
...
</programlisting>
</example>
</section>
</section>
<section>
<title>Exported Functions</title>
<section>
<title>
<function moreinfo="none">pike_check_req()</function>
</title>
<para>
Process the source IP of the current request and returns false if
the IP was exceeding the blocking limit.
</para>
<para>
Return codes:
<itemizedlist>
<listitem>
<para>
<emphasis>1 (true)</emphasis> - IP is not to be blocked or
internal error occured.
</para>
<warning>
IMPORTANT: in case of internal error, the function returns true to
avoid reporting the current processed IP as blocked.
</warning>
</listitem>
<listitem>
<para>
<emphasis>-1 (false)</emphasis> - IP is source of
flooding, being previously detected
</para>
</listitem>
<listitem>
<para>
<emphasis>-2 (false)</emphasis> - IP is detected as a new
source of flooding - first time detection
</para>
</listitem>
</itemizedlist>
</para>
<para>
This function can be used from REQUEST_ROUTE.
</para>
<example>
<title><function>pike_check_req</function> usage</title>
<programlisting format="linespecific">
...
if (!pike_check_req()) { exit; };
...
</programlisting>
</example>
</section>
</section>
<section>
<title>Exported MI Functions</title>
<section>
<title>
<function moreinfo="none">pike_list</function>
</title>
<para>
Lists the nodes in the pike tree.
</para>
<para>
Name: <emphasis>pike_list</emphasis>
</para>
<para>Parameters: <emphasis>none</emphasis></para>
<para>
MI FIFO Command Format:
</para>
<programlisting format="linespecific">
:pike_list:_reply_fifo_file_
_empty_line_
</programlisting>
</section>
</section>
<section>
<title>Exported Events</title>
<section>
<title>
<function moreinfo="none">E_PIKE_BLOCKED</function>
</title>
<para>
This event is raised when the <emphasis>pike</emphasis> module
decides that an IP should be blocked.
</para>
<para>Parameters:</para>
<itemizedlist>
<listitem><para>
<emphasis>ip</emphasis> - the IP address that has been blocked.
</para></listitem>
</itemizedlist>
</section>
</section>
</chapter>