[Freeswitch-dev] OPTIONS

Trixter aka Bret McDanel trixter at 0xdecafbad.com
Fri Nov 20 03:54:15 PST 2009

On Fri, 2009-11-20 at 11:15 +0000, Suneel Papineni wrote:
> Hi Anthony,
> In case an application is written to send continuous messages to FS,
> how do we stop responding to that IP, or stop messages from that IP
> reaching FS (like a DoS attack)? Is there any provision in FS, or do
> we need to take care of it at the network router level with a properly
> configured firewall?

FreeSWITCH is a switch and not a firewall.  Because it runs in
userspace, any packet that it gets goes through the kernel to the
application.  It would be better if you did it in the kernel (lower
system load), but also network-based problems like DoS attacks should be
dealt with on the network level and not the application level.

If FS and similar programs had to do the DoS mitigation themselves for a
flood of packets, in order to protect a network you would have to have
several sets of code and it would be a nightmare.  It would be better to
look into it from a network perspective for that reason alone
(presumably FS won't be the only thing on your network; you may have a
database and other items).

With that in mind, you may want to look at fail2ban, which is a Linux
iptables script that at least works with Asterisk (so it should be able
to be modified to properly work with FS), and it will automagically ban
IPs for too many failed attempts to authenticate or other reasons.

In addition, you can set a threshold in most firewalls (even iptables) of
how many packets per second per IP you allow.  At one time I wrote a
bunch of things on this subject, although I do not think I have them
anymore.  When doing SIP you have to look at the exchange of packets
per call: you may end up with several packets exchanged in a short
period of time just to set up a call, but a generally safe rule of thumb
is 10 packets per second per channel per IP for SIP (not RTP).  RTP can
easily be calculated based on the ptime you are using.  This lets you do
some DoS mitigation.

Trixter http://www.0xdecafbad.com     Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721

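As an added illustration (not part of the original thread), the per-IP packet-rate threshold described above, applied to constructed SIP packet timestamps in Python: the 10 pps/channel/IP rule of thumb, the RTP rate derived from ptime, and a sliding one-second window that flags sources exceeding their allowance. The IP addresses, channel counts, `window` parameter and function names are assumptions for the example.

```python
from collections import defaultdict, deque

# Rule of thumb from the post: 10 SIP packets per second per channel per IP.
SIP_PPS_PER_CHANNEL = 10


def rtp_pps(ptime_ms):
    """RTP sends one packet every ptime milliseconds per stream,
    so the per-stream rate is simply 1000 / ptime (20 ms -> 50 pps)."""
    return 1000.0 / ptime_ms


def sip_threshold(channels):
    """Allowed SIP packets per second for a source with this many channels."""
    return SIP_PPS_PER_CHANNEL * channels


def find_flooders(packets, channels_per_ip, window=1.0):
    """packets: iterable of (timestamp_seconds, src_ip) for SIP traffic.
    channels_per_ip: expected concurrent channels per source (default 1).
    Returns {ip: peak_packets_in_window} for sources over their threshold,
    mirroring what a per-source rate limit (iptables hashlimit, fail2ban)
    would catch at the network edge instead of inside FreeSWITCH."""
    recent = defaultdict(deque)  # per-IP timestamps inside the window
    peak = defaultdict(int)
    for ts, ip in sorted(packets):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:  # evict timestamps older than window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items()
            if n > sip_threshold(channels_per_ip.get(ip, 1))}


# Constructed sample: a legitimate 2-channel PBX (15 pps, under its 20 pps
# allowance) and a single-channel source blasting 40 packets in 0.4 s.
SAMPLE_PACKETS = (
    [(i * 0.066, "192.0.2.10") for i in range(15)]
    + [(10.0 + i * 0.01, "198.51.100.7") for i in range(40)]
)
SAMPLE_CHANNELS = {"192.0.2.10": 2}

if __name__ == "__main__":
    print("RTP pps at ptime 20 ms:", rtp_pps(20))
    print("Flagged sources:", find_flooders(SAMPLE_PACKETS, SAMPLE_CHANNELS))
```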