[Freeswitch-users] INVITE DoS Prevention
steveayre at gmail.com
Wed Feb 23 19:02:27 MSK 2011
That'd be within the Sofia stack and it had to acknowledge the INVITE with a
100 Trying otherwise the INVITE either resends or gives up the same as a
packet drop. Sleeping would mean keeping the INVITE in memory for longer
while starting the session before accepting/rejecting it, increasing memory
usage under a DOS attack and therefore making FS fall over faster. It'd also
increase the complexity of the code starting up a session while it puts new
invites aside and schedules them to be processed shortly afterwards. You
couldn't just do a sleep as it'd probably lock Sofia up. Doesn't seem worth
Iptables is a much better way of handling it. You can rate limit per-host.
On 23 February 2011 15:10, mazilo <Nabble at slickdeals.endjunk.com> wrote:
> jay binks wrote:
> > as for rate-limiting responses you can have iptables drop packets over X
> > number of invites per sec ...
> Just a thought. Perhaps, we should contemplate to add a feature on FS to
> maximum of invites/sec/host. When the invites max out, add some sleep to
> slow down the response to the requested host. This will probably slow down
> the bot, especially if the bot is trying to hit a lot of FS servers out
> FreeSWITCH hosted on a Seagate DockStar with OpenWRT.
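Added example, not part of the original thread: one way to express the per-host iptables limit discussed above, using the hashlimit match keyed on source IP. The chain name, port 5060, the 10/second rate and the burst of 20 are assumed values, and the string match only sees unencrypted SIP over UDP.

```shell
#!/bin/sh
# Per-source-IP INVITE rate limit with iptables hashlimit (added example).
# SIP_PORT, INVITE_RATE and INVITE_BURST are assumptions; size them for the
# busiest legitimate peer (a trunk sends far more INVITEs than a handset).
SIP_PORT="${SIP_PORT:-5060}"
INVITE_RATE="${INVITE_RATE:-10/second}"
INVITE_BURST="${INVITE_BURST:-20}"

# Print the rules, one per line, so they can be reviewed before being applied.
# Returns 1 without printing anything if a setting is malformed, because the
# output is later fed to a shell.
sip_invite_rules() {
    printf '%s' "$INVITE_RATE" |
        grep -Eq '^[0-9]+/(second|minute|hour|day)$' || return 1
    case "$SIP_PORT" in ''|*[!0-9]*) return 1 ;; esac
    case "$INVITE_BURST" in ''|*[!0-9]*) return 1 ;; esac

    # Dedicated chain: the limiter can be flushed without touching INPUT.
    echo "iptables -N SIP_INVITE"
    # A source above its own rate is dropped before FreeSWITCH/Sofia sees it,
    # so no 100 Trying is sent and no per-INVITE state is kept.
    echo "iptables -A SIP_INVITE -m hashlimit --hashlimit-name sip_invite" \
         "--hashlimit-mode srcip --hashlimit-above $INVITE_RATE" \
         "--hashlimit-burst $INVITE_BURST --hashlimit-htable-expire 60000" \
         "-j DROP"
    # Sources under the limit fall through to the normal INPUT rules.
    echo "iptables -A SIP_INVITE -j RETURN"
    # Only UDP packets whose first bytes carry an INVITE request line enter
    # the chain; REGISTER, OPTIONS and in-dialog traffic are not counted.
    echo "iptables -I INPUT -p udp --dport $SIP_PORT -m string --algo bm" \
         "--to 65 --string 'INVITE sip' -j SIP_INVITE"
}

# Dry run by default; pass --apply (as root) to install the rules.
case "${1:-}" in
    --apply) sip_invite_rules | sh -e ;;
    *)       sip_invite_rules ;;
esac
```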