{"id":1275,"date":"2019-05-13T13:18:53","date_gmt":"2019-05-13T08:18:53","guid":{"rendered":"http:\/\/alexeyka.zantsev.com\/?p=1275"},"modified":"2021-03-17T17:01:20","modified_gmt":"2021-03-17T12:01:20","slug":"opensips-ratelimit-with-dynamically-changed-value","status":"publish","type":"post","link":"https:\/\/alexeyka.zantsev.com\/?p=1275","title":{"rendered":"OpenSIPS: ratelimit with dynamically changeable value"},"content":{"rendered":"\n<div class=\"wp-block-image\"><figure class=\"alignright is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/alexeyka.zantsev.com\/wp-content\/uploads\/2019\/05\/voip_security.png\" alt=\"\" class=\"wp-image-1293\" width=\"161\" height=\"138\"\/><\/figure><\/div>\n\n\n\n<p>This note shows how to protect each DID number connected to your OpenSIPS server from SIP DDoS by limiting <em>not the total<\/em> number of INVITE requests reaching the server, but only the INVITEs to a particular RURI.<\/p>\n\n\n\n<p>Check it out, I hope you like it!<\/p>\n\n\n\n<p>This is useful when you have plenty of SIP numbers (DIDs) connected to your server and each one accepts inbound calls, e.g. a call centre or a taxi ordering service. 
You then have to check each destination and drop excess requests without degrading any other incoming calls.<\/p>\n\n\n\n<p>This is a nice solution to prevent the situation <a href=\"https:\/\/alexeyka.zantsev.com\/?p=1271\" target=\"_blank\" rel=\"noreferrer noopener\">seen on the graph<\/a> in the previous post.<\/p>\n\n\n\n<p>PS: clustering support is not described here.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    loadmodule \"ratelimit.so\"\t\t     # no deps\n    modparam(\"ratelimit\", \"window_size\", 2)  # SBT window size, sec (acts as the ban timeout)\n<\/code><\/pre>\n\n\n\n<p>Set the initial limit value in the startup_route:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    startup_route {\n    \tcache_store(\"local\", \"inc:rl\", \"8\");\n    }<\/code><\/pre>\n\n\n\n<p>Somewhere in the initial INVITE section:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># AntiDDoS for each inbound call (source IPs starting with 10. are exempt)\nif($si !~ \"^10\\..*\") {\n    cache_fetch(\"local\", \"inc:rl\", $var(rl));\n        # $var(rl) invites\/sec going to each $rU.\n        # SBT is the most precise policy.\n        if (!rl_check(\"pipe_$rU\", \"$(var(rl){s.int})\", \"SBT\")) {          \n            sl_send_reply(\"503\", \"Service Unavailable. 
AntiDDoS\");\n            xlog(\"L_INFO\", \"call $ci from $fU@$si:$sp to $oU@$Ri drp by rl\");\n            exit;\n        };\n};\n<\/code><\/pre>\n\n\n\n<p>Live statistics:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>voip-sipgw01 opensips # opensipsctl fifo rl_list\nPIPE::  id=pipe_9618688830 algorithm=SBT limit=8 counter=0\nPIPE::  id=pipe_9020578345 algorithm=SBT limit=8 counter=0\nPIPE::  id=pipe_9611157347 algorithm=SBT limit=8 counter=0\nPIPE::  id=pipe_79190224444 algorithm=SBT limit=8 counter=0\n...\nPIPE::  drop_rate=581<\/code><\/pre>\n\n\n\n<p>Raise the limit on the fly to 10 INVITEs per $rU:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>opensipsctl fifo cache_store local inc:rl 10<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This note shows how to protect each DID number connected to your OpenSIPS server from SIP DDoS by limiting not the total number of INVITE requests reaching the server, but only the INVITEs to a particular RURI. Check it out, I hope you like it! 
This is useful when you have plenty of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[251,250,208,249],"class_list":["post-1275","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-antiddos","tag-ddos","tag-opensips","tag-ratelimit"],"_links":{"self":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts\/1275","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1275"}],"version-history":[{"count":27,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts\/1275\/revisions"}],"predecessor-version":[{"id":5066,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts\/1275\/revisions\/5066"}],"wp:attachment":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1275"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}