<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Régis,<div>We currently use openvz. Previously we used Xen and then BSD jails. Every one has their ups and downs. As many people will tell you, timing is critical in VoIP applications and by using OpenVZ there is only one kernel loaded and the VMs all run bare metal. This is a much more efficient way of running several VMs if they are all of a similar OS because you don't need to waste a bunch of RAM and CPU cycles just loading 30 copied of the kernel into memory and dealing with paging etc.. Also this makes administration much easier because of separate filesystems for each VM, the root of each VM is located somewhere in the host's filesystem. This is a big plus when you go to back up your hardware node. What we do is put all the VMs on an LVM partition, make a snapshot and use rsync to back up just the changes. It was a major pain with several independent LVM partitions or "virtual" file based partitions in Xen. KVM or any true virt platform would require the same, a dedicated partition for each VM. And CPU scaling works well with openvz allowing us to save on the electric bill and cooling costs. The downside is if there is a kernel panic, its one kernel and the whole world goes with it. BSD Jails was cool but didn't allow the per client resource control we were looking for. Our experience with openvz has been solid with a couple of machines up well over a year. We currently use Centos but we've modified it to the point where its basically our own in house distro with updates to some of the core packages since RH stays so far behind. (for good measure :-)) This allows us to pick and choose which packages we'd like to update and we make available our own repo which a simple yum update pulls down everything from a local mirror. If you are interested: <a href="http://repo.5ninesolutions.com">http://repo.5ninesolutions.com</a>. Having said that, there is a lot of time that goes into maintaining some of the out of distro stuff so we are currently looking at something that stays a little more current.. I.e. RH 6 has been out since Nov and I haven't seen a beta for Centos 6.. but thats a whole can of worms.. </div><div><br></div><div>Spencer</div><div><br></div><div><br><div><div>On Feb 20, 2011, at 11:35 PM, Régis MARTIN wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Hi Spencer,<div><br></div><div>>We run hosted Freeswitch instances in VMs<div>Nothing related with your question, but can you say me what hypervisor do you use to run freeswitch virtualized (VMware ? KVM ? Xen? OpenVZ ? other .. ?). ?</div> <div>What's is your linux distrib under too ?</div><div><br></div><div>I'm looking to virtualize some of mine under KVM and I wonder if it works like standard host and looking to similar experience. </div><div><br> </div><div>Thanks in advance if you could confirm that to me.</div><div><br></div><div>Regards,</div><div><br><br><div class="gmail_quote">2011/2/21 Spencer Thomason <span dir="ltr"><<a href="mailto:spencer@5ninesolutions.com">spencer@5ninesolutions.com</a>></span><br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hi,<br> We run hosted Freeswitch instances in VMs with the internal profile on<br> port 5060 connecting to clients mostly behind NAT and then the<br> external profile connecting to our proxies only. Protecting the<br> external profile its straightforward.. we only allow traffic to/from<br> our proxies at the firewall level. But protecting the internal<br> profile seems to be a bit more difficult because the UACs could be<br> theoretically anywhere on the network.<br> <br> I'm currently using Fail2Ban to prevent brute force registration and<br> INVITEs on auth failures, e.g.:<br> failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\)<br> on sofia profile \'\w+\' for \[.*\] from ip <HOST><br> \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\)<br> on sofia profile \'\w+\' for \[.*\] from ip <HOST><br> <br> My question is, since its part of a normal SIP dialog to challenge the<br> INVITE, is there any way to prevent a possible DoS from just sheer<br> volume of incoming INVITEs on an Internet facing server<br> automatically. I.e., If you block the logged challenge, you'd block<br> all legitimate INVITEs and registrations. Since its UDP traffic I<br> couldn't come up with a way to do it automatically at the iptables<br> level. i.e. number of concurrent connections. Is there some option to<br> just not respond if a client is sending a number of requests over a<br> certain threshold? It might not stop them from sending the traffic<br> but pretty soon they'd get the idea that it wasn't going to go<br> anywhere. My concern is say there are 50 Freeswitch instances on a<br> box (albeit 8 core, 32GB ram, 8 15K raid 10 storage) and someone<br> starts sending thousands of rouge INVITEs to every VM on a physical<br> box that the CPU load from just challenging the incoming INVITEs would<br> create a DoS. We the logs regularly to try to catch people doing this<br> sort of thing and drop them at a router upstream of the core network,<br> but I'd like to have it happen without human intervention. Have I<br> completely over thought this and am missing something obvious?<br> <br> Thanks,<br> Spencer<br> <br> <br> _______________________________________________<br> FreeSWITCH-users mailing list<br> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br> </blockquote></div><br></div></div></blockquote></div><br></div></body></html>