KAZOO-4014 antiflood

kamailio/antiflood-role.cfg

@@ -1,11 +1,16 @@
+
 #!trydef ANTIFLOOD_RATE_WINDOW 2
 #!trydef ANTIFLOOD_RATE_DENSITY 50
 #!trydef ANTIFLOOD_RATE_EXPIRE 4
 #!trydef ANTIFLOOD_FAILED_AUTH_WINDOW 300
 #!trydef ANTIFLOOD_FAILED_AUTH_DENSITY 4
 
+#!ifndef ANTIFLOOD_CACHE_PERIOD
+#!substdef "!ANTIFLOOD_CACHE_PERIOD!600!g"
+#!endif
+
 ######## Flood Prevention Hash Tables ########
-modparam("htable", "htable", "failed_auth_hash=>size=16;autoexpire=3600;")
+modparam("htable", "htable", "antiflood=>size=16;autoexpire=ANTIFLOOD_CACHE_PERIOD;initval=0")
 
 ######## Flood Prevention Module ########
 loadmodule "pike.so"
@@ -35,29 +40,26 @@ route[ANITFLOOD_AUTH_LIMIT]
     }
 
     if ($Au != $null &&
-        $sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY
+        $sht(antiflood=>$Au::$si::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY
     ) {
-        $var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
-        if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
-            xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp");
-            append_to_reply("Retry-After: 3600\r\n");
-            sl_send_reply("500", "Retry Later");
-            exit;
-        } else {
-            $sht(failed_auth_hash=>$Au::count) = 0;
-        }
+        xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp");
+        $shtex(antiflood=>$Au::$si::count) = ANTIFLOOD_FAILED_AUTH_WINDOW;
+        $sht(antiflood=>$Au::$si::last) = $Ts;
+        append_to_reply("Retry-After: 3600\r\n");
+        send_reply("500", "Retry Later");
+        exit;
     }
 }
 
 route[ANTIFLOOD_SUCCESSFUL_AUTH]
 {
-    if ($Au != $null && $sht(failed_auth_hash=>$Au::count) != $null) {
-        $sht(failed_auth_hash=>$Au::count) = $null;
-    }
+    sht_rm_name_re("antiflood=>$(Au{re.subst,/\\./\\\\./g})::$(si{re.subst,/\\./\\\\./g})::.*");
+}
 
-    if ($Au != $null && $sht(failed_auth_hash=>$Au::last) != $null) {
-        $sht(failed_auth_hash=>$Au::last) = $null;
-    }
+route[ANTIFLOOD_RESET_AUTH]
+{
+    $var(user) = "sip:" + $(kzE{kz.json,Username}) + "@" + $(kzE{kz.json,Realm});
+    sht_rm_name_re("antiflood=>$(var(user){re.subst,/\\./\\\\./g})::.*");
 }
 
 route[ANITFLOOD_FAILED_AUTH]
@@ -66,22 +68,23 @@ route[ANITFLOOD_FAILED_AUTH]
         return;
     }
 
-    if($sht(failed_auth_hash=>$Au::count) == $null) {
-        $sht(failed_auth_hash=>$Au::count) = 0;
-    }
-
-    $sht(failed_auth_hash=>$Au::count) = $sht(failed_auth_hash=>$Au::count) + 1;
-    $sht(failed_auth_hash=>$Au::last) = $Ts;
+    $var(count) = $shtinc(antiflood=>$Au::$si::count);
+    $sht(antiflood=>$Au::$si::last) = $Ts;
 
-    xlog("L_INFO", "$ci|log|$sht(failed_auth_hash=>$Au::count) errounous authorization response for $Au $si:$sp");
+    xlog("L_INFO", "$ci|log|$var(count) errounous authorization response for $Au $si:$sp");
 
-   if ($sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) { 
+   if ($var(count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) { 
         $var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
-        if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
+        if($sht(antiflood=>$Au::$si::last) > $var(exp)){
             xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp");
             append_to_reply("Retry-After: 3600\r\n");
-            sl_send_reply("500", "Retry Later");
+            send_reply("500", "Retry Later");
             exit;
         }
   }
 }
+
+event_route[htable:expired:antiflood] 
+{
+    xlog("L_NOTICE", "antiflood expired record $shtrecord(key) => $shtrecord(value)\n");
+}

kamailio/registrar-role.cfg

@@ -205,6 +205,11 @@ event_route[kazoo:consumer-event-directory-reg-flush]
         xlog("L_INFO", "log|removing SIP credentials cache for $var(user)");
         $sht(auth_cache=>$var(user)) = $null;
     }
+
+    #!ifdef ANTIFLOOD-ROLE
+    route(ANTIFLOOD_RESET_AUTH);
+    #!endif
+
 }
 
 # vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab