An interesting topic :) I was discussing that with a colleague of mine, and came up with a possible solution. On Linux, the iptables firewall can be used to restrict the maximum number of connections / calls from a particular IP, or the maximum call attempts per second / per IP.

On Saturday 26 February 2005 16:48, Zygmuntowicz Michal wrote:
> Note that this is only a partial solution, each incoming call, no matter
> accepted or rejected triggers allocation of one socket. This way you're
> still vulnerable to DoS. The perfect solution would be a soft limit at the
> gk and a hard limit at firewall, to reject incoming TCP connection requests
> above some number of concurrent TCP sessions.
>
> ----- Original Message -----
> From: "Freddy Parra" <fparra@xxxxxxxxxx>
> Sent: Friday, February 25, 2005 6:41 PM
>
> I think if you increase your ulimit to maybe 32768 that will probably
> prevent it unless you're processing some very high number of calls. Or
> Gnugk is somehow not releasing unused sockets somewhere along the
> lines and this is exhausting the socket resources. But I don't think
> this is the case since I've had Gnugk run for months without restarting.
>
> Another thing that can be done is to check the current total number of
> calls on the system when a call comes in, and check it against a value
> that one can create in the configuration section. If the current call
> total is higher than the configuration value set, then release the call.
> This part should not be very hard to implement.
>
> For example:
>
> In proxychannel.cxx under function:
>
> bool CallSignalSocket::OnSetup(Q931 &q931pdu, H225_Setup_UUIE &Setup,
>     PString &in_rewrite_id, PString &out_rewrite_id)
> {
>     .
>     .
>     .
>     //*****You can modify this line of code
>     //*****if ( !(useParent || RasSrv->AcceptUnregisteredCalls(fromIP)))
>
>     //******Change to this line - By adding this to the end of the if
>     //******statement: RasSrv->CheckTotalCurrentCalls()
>     //******Then you will have to implement the new function in
>     //******RasSrv.cxx which checks the value of current calls
>     //******and compares it to what you have put in the configuration file.
>     //******The new check sits outside the negation, so the reject branch
>     //******is also taken when the call total is exceeded.
>
>     //***Add new line
>     bool currentCallsExceeded = false;
>     if (!(useParent || RasSrv->AcceptUnregisteredCalls(fromIP))
>         || (currentCallsExceeded = RasSrv->CheckTotalCurrentCalls()))
>     {
>         //****If here check currentCallsExceeded to pick correct release code.
>         if (currentCallsExceeded)
>         {
>             //***Return back NoRouteToDestination or whichever release
>             //***code you want to have.
>             PTRACE(3, "Q931\tNo destination for unregistered call " << callid);
>             authData.m_rejectCause = Q931::NoRouteToDestination;
>             rejectCall = true;
>         }
>         else
>         {
>             PTRACE(3, "Q931\tReject unregistered call " << callid);
>             authData.m_rejectCause = Q931::CallRejected;
>             rejectCall = true;
>         }
>     }
>     else
>     {
>         if (Setup.HasOptionalField(H225_Setup_UUIE::e_destCallSignalAddress))
>             if (RasSrv->GetCallSignalAddress(fromIP) == Setup.m_destCallSignalAddress)
>                 Setup.RemoveOptionalField(H225_Setup_UUIE::e_destCallSignalAddress);
>
>         if (H225_TransportAddress *dest = request.Process())
>         {
>             destFound = true;
>             calledAddr = *dest;
>
>             if (!useParent)
>                 useParent = request.GetFlags() & Routing::SetupRequest::e_toParent;
>         }
>         else
>         {
>             PTRACE(3, "Q931\tNo destination for unregistered call " << callid);
>             //FP REMOVED BY ME-authData.m_rejectReason = request.GetRejectReason();
>             authData.m_rejectCause = Q931::NoRouteToDestination;
>             rejectCall = true;
>         }
>     }
>
> Gnugk already supports something very similar to this where you can
> re-direct the calls to another
> gatekeeper by configuring Gnugk to have RedirectGK = Calls > x. But this
> only works when you're using RAS, before the initial setup message is sent
> by the endpoint.
>
> The hack I just put up will work when the setup message hits the
> gatekeeper. So it will work for endpoints that are sending RAS since
> eventually it will send a setup message and endpoints that just send
> direct setup messages. But this will not redirect the call to another
> gatekeeper but only terminate the call with the release code that you
> decide to put.
>
> Another thing that can also be done is that instead of checking
> CheckTotalCurrentCalls() have it check the total current sockets in use.
>
> I hope this helps, these are some ideas that came to mind.
>
> Freddy
>
> _______________________________________________________
>
> List: Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
> Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
> Homepage: http://www.gnugk.org/
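
The firewall-side hard limit discussed in this thread, as an added example (not code from any poster or from GnuGk): a shell function that prints iptables rules for a global cap on concurrent TCP sessions, a per-source cap, and a per-source rate limit on new signalling connections. The signalling port (1720), the chain name, the hashlimit name and the sample limits are assumptions; new TCP connections to the signalling port are used as a stand-in for call attempts.

```shell
#!/bin/sh
# Added example: hard limits in front of the gatekeeper's signalling port.
# Assumed values (not from the thread): port 1720, chain GK_LIMIT, gk_setup.
# Requires the iptables connlimit and hashlimit match modules.
SIG_PORT="${SIG_PORT:-1720}"
CHAIN="GK_LIMIT"

# gk_rules TOTAL PER_IP RATE FD_LIMIT
# Prints the iptables commands; it applies nothing itself.
gk_rules() {
    total=$1 per_ip=$2 rate=$3 fd_limit=$4
    for n in "$total" "$per_ip" "$fd_limit"; do
        case $n in
            ''|*[!0-9]*) echo "not a number: $n" >&2; return 2 ;;
        esac
    done
    # Every incoming connection costs the gatekeeper at least one socket,
    # so the firewall cap has to trip before its descriptor limit does.
    if [ "$total" -ge "$fd_limit" ]; then
        echo "total cap $total must be below fd limit $fd_limit" >&2
        return 1
    fi
    if [ "$per_ip" -gt "$total" ]; then
        echo "per-IP cap $per_ip exceeds total cap $total" >&2
        return 1
    fi
    rst="-j REJECT --reject-with tcp-reset"
    # Rule order: global cap (mask 0 counts all sources together),
    # per-source cap, per-source rate of new connections, then RETURN.
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -p tcp -m connlimit --connlimit-above $total --connlimit-mask 0 $rst
iptables -A $CHAIN -p tcp -m connlimit --connlimit-above $per_ip --connlimit-mask 32 $rst
iptables -A $CHAIN -p tcp -m hashlimit --hashlimit-name gk_setup --hashlimit-mode srcip --hashlimit-above $rate --hashlimit-burst 10 -j DROP
iptables -A $CHAIN -j RETURN
iptables -I INPUT -p tcp --dport $SIG_PORT --syn -j $CHAIN
EOF
}

# Dry run with constructed sample values; 32768 is the ulimit mentioned
# in the thread. Review the output before applying it as root.
gk_rules 2000 20 5/second 32768
```
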