accepted or rejected triggers allocation of one socket. This way you're
still vulnerable to DoS. The perfect solution would be a soft limit at the gk
and a hard limit at the firewall, to reject incoming TCP connection requests
above some number of concurrent TCP sessions.
----- Original Message -----
From: "Freddy Parra" <fparra@xxxxxxxxxx>
Sent: Friday, February 25, 2005 6:41 PM
I think if you increase your ulimit to maybe 32768 that will probably prevent it unless you're processing some very high number of calls. Or Gnugk is somehow not releasing unused sockets somewhere along the line and this is exhausting the socket resources. But I don't think this is the case since I've had Gnugk run for months without restarting.
Another thing that can be done is to check the current total number of calls on the system when a call comes in, and check it against a value that one can create in the configuration section. If the current call total is higher than the configuration value set, then release the call. This part should not be very hard to implement.
For example:
In proxychannel.cxx under function:
bool CallSignalSocket::OnSetup(Q931 &q931pdu, H225_Setup_UUIE &Setup, PString &in_rewrite_id, PString &out_rewrite_id)
{
    .
    .
    .
    //***** You can modify this line of code:
    //***** if ( !(useParent || RasSrv->AcceptUnregisteredCalls(fromIP)))
    //***** Change it to the line below by adding RasSrv->CheckTotalCurrentCalls() to the if statement.
    //***** Then you will have to implement the new function in RasSrv.cxx, which checks the value of current calls
    //***** and compares it to what you have put in the configuration file.
    //***** Add new line
    bool currentCallsExceeded = RasSrv->CheckTotalCurrentCalls();
    // The limit check sits outside the negation so that an exceeded limit takes the reject branch.
    if (currentCallsExceeded || !(useParent || RasSrv->AcceptUnregisteredCalls(fromIP)))
    {
        //**** If here, check currentCallsExceeded to pick the correct release code.
        if (currentCallsExceeded)
        {
            //*** Return NoRouteToDestination or whichever release code you want to have.
            PTRACE(3, "Q931\tNo destination for unregistered call " << callid);
            authData.m_rejectCause = Q931::NoRouteToDestination;
            rejectCall = true;
        }
        else
        {
            PTRACE(3, "Q931\tReject unregistered call " << callid);
            authData.m_rejectCause = Q931::CallRejected;
            rejectCall = true;
        }
    }
    else
    {
        if (Setup.HasOptionalField(H225_Setup_UUIE::e_destCallSignalAddress))
            if (RasSrv->GetCallSignalAddress(fromIP) == Setup.m_destCallSignalAddress)
                Setup.RemoveOptionalField(H225_Setup_UUIE::e_destCallSignalAddress);
        if (H225_TransportAddress *dest = request.Process())
        {
            destFound = true;
            calledAddr = *dest;
            if (!useParent)
                useParent = request.GetFlags() & Routing::SetupRequest::e_toParent;
        }
        else
        {
            PTRACE(3, "Q931\tNo destination for unregistered call " << callid);
            //FP REMOVED BY ME-authData.m_rejectReason = request.GetRejectReason();
            authData.m_rejectCause = Q931::NoRouteToDestination;
            rejectCall = true;
        }
    }
Gnugk already supports something very similar to this where you can redirect the calls to another gatekeeper by configuring Gnugk to have RedirectGK = Calls > x. But this only works when you're using RAS, before the initial setup message is sent by the endpoint.
The hack I just put up will work when the setup message hits the gatekeeper. So it will work for endpoints that are sending RAS, since eventually they will send a setup message, and for endpoints that just send direct setup messages. But this will not redirect the call to another gatekeeper but only terminate the call with the release code that you decide to put.
Another thing that can also be done is that instead of checking CheckTotalCurrentCalls() have it check the total current sockets in use.
I hope this helps, these are some ideas that came to mind.
Freddy
_______________________________________________________
List: Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549 Homepage: http://www.gnugk.org/
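Added example, not part of the original messages and not GnuGk code: a stand-alone C++ model of the soft call limit discussed in the thread, with the slot reserved atomically so that two Setup messages handled on different threads cannot both take the last slot. The names CallLimiter, TryAcquire, Release and AdmitSetup are hypothetical, "0 means no limit" is an assumption, and the cause values 3 and 21 are the Q.931 codes for the two release causes named in the post.

```cpp
#include <atomic>
#include <cstdio>

// Q.931 cause values for the two release codes used in the post.
enum RejectCause { Admitted = 0, NoRouteToDestination = 3, CallRejected = 21 };

// Hypothetical stand-alone limiter; GnuGk's own call table is not modelled here.
class CallLimiter {
public:
    // maxCalls would come from the configuration file; 0 means "no limit" (assumption).
    explicit CallLimiter(unsigned maxCalls) : m_max(maxCalls), m_current(0) {}

    // Check the limit and take a slot in one atomic step. A separate
    // "read counter, then increment" would let concurrent Setups overshoot.
    bool TryAcquire() {
        unsigned cur = m_current.load();
        do {
            if (m_max != 0 && cur >= m_max)
                return false;
        } while (!m_current.compare_exchange_weak(cur, cur + 1));
        return true;
    }

    // Give the slot back when the call ends; never underflows below zero.
    void Release() {
        unsigned cur = m_current.load();
        while (cur != 0 && !m_current.compare_exchange_weak(cur, cur - 1)) {}
    }

    unsigned Current() const { return m_current.load(); }

private:
    const unsigned m_max;
    std::atomic<unsigned> m_current;
};

// Policy check first, so a call that would be refused anyway never consumes
// a slot; the capacity check then picks the "over the limit" release code.
RejectCause AdmitSetup(CallLimiter &limiter, bool useParent, bool acceptUnregistered) {
    if (!(useParent || acceptUnregistered))
        return CallRejected;
    if (!limiter.TryAcquire())
        return NoRouteToDestination;
    return Admitted;
}

int main() {
    CallLimiter limiter(2);  // constructed limit of two concurrent calls
    for (int i = 0; i < 3; ++i)
        std::printf("setup %d -> cause %d\n", i + 1, (int)AdmitSetup(limiter, false, true));
}
```

As the reply at the top of the thread points out, a Setup rejected this way has already been given a socket, so this is only the soft limit; the hard limit on concurrent TCP sessions still belongs at the firewall.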