There have been some discussions in IRC about DoS attacks on Cloud-based FreePBX machines, and @drmessano mentioned that he uses rate limiting, which started me down the track of ‘How can I implement that?’
The idea behind this is that people don’t need to know how firewalls work to have a secure system. They should be able to turn this on, enable the defaults, and it will do all the work for you.
What I DON’T want to do is expose a lot of knobs and switches and stuff for people to twiddle. I want to get 90% of the features that 90% of the people want.
Rate limiting solves a DoS - a ‘Denial of Service’. That’s what’s known as a Layer 7 attack. If someone discovers that they can send a magic packet to Asterisk that causes it to use a bit of CPU for a bit of time, there’s nothing stopping them from sending a LOT of those magic packets to Asterisk, causing it to use ALL the CPU for ALL the time.
This does not address a DDoS. A DDoS is a Layer 3 attack. They just fill the internet connection coming to your machine. There’s no finesse or skill involved, it’s just like pointing a firehose at a garden hose. It’s physically impossible to address that problem at your end of the link, it has to be addressed upstream. So don’t get confused and think that this is a magic bullet.
Anyway, this leads to me thinking that I will enable rate limiting by default. I’ll probably have some automatic scaling based on the number of registered extensions and trunks, but I haven’t figured out what that should be yet. I want to err on the side of ‘do not block incoming calls’, because the last thing you want is to start dropping calls because you suddenly get popular.
A rough seat-of-the-pants calculation and some tcpdump-ing gives me one SIP packet per 30 seconds per device. So I think I’m going to default to letting 10 SIP packets per 30 seconds per device through before it starts rate limiting them.
Anyone have any better suggestions?
Edit: To clarify - Once a device is registered, it will not be rate limited. This is only for unknown IP addresses trying to register or send SIP packets - for example, trunks that aren’t using REGISTER.
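The policy described in the post (10 SIP packets per 30 seconds from any unknown source IP, no limit at all once the device is registered) as a worked example. This is added illustration code, not FreePBX or Asterisk code and not anything the author published: it models the decision in Python so the behaviour can be seen on sample traffic. Assumptions: the `register()` call stands in for Asterisk telling the firewall that a REGISTER succeeded (in the simulation an allowed REGISTER is simply treated as accepted, which a real system must not infer on its own), the packet stream is constructed, and the addresses are documentation ranges.

```python
"""Per-source-IP SIP rate limiter: unknown IPs get N packets per window,
registered devices bypass the limit. Added example, not FreePBX code."""
from collections import defaultdict, deque

WINDOW_SECONDS = 30   # the post's 30-second window
PACKET_LIMIT = 10     # the post's 10-packets-per-window default


class SipRateLimiter:
    """Sliding-window counter keyed on source IP.

    An IP is allowed PACKET_LIMIT packets inside any WINDOW_SECONDS span;
    packets beyond that are dropped. IPs in `registered` are never limited,
    matching the post's rule that registered devices are exempt.
    """

    def __init__(self, window=WINDOW_SECONDS, limit=PACKET_LIMIT):
        self.window = window
        self.limit = limit
        self.registered = set()
        self.history = defaultdict(deque)  # ip -> timestamps of allowed packets

    def register(self, ip):
        """Hypothetical hook: called when the PBX accepts a REGISTER, or when a
        static (non-REGISTER) trunk IP is configured."""
        self.registered.add(ip)
        self.history.pop(ip, None)

    def unregister(self, ip):
        self.registered.discard(ip)

    def allow(self, ip, now):
        """Return True if a packet from `ip` at time `now` (seconds) should pass."""
        if ip in self.registered:
            return True
        window = self.history[ip]
        # Forget timestamps that have aged out of the window.
        while window and now - window[0] >= self.window:
            window.popleft()
        if len(window) >= self.limit:
            return False  # over budget: this would be a DROP in the firewall
        window.append(now)
        return True


def simulate(packets, limiter=None):
    """Run a list of (time, src_ip, method) tuples through the limiter.

    Returns {ip: {"allowed": n, "dropped": n}}. Simplification for the demo:
    an allowed REGISTER is treated as accepted by the PBX and the IP becomes
    exempt; in practice that signal must come back from Asterisk.
    """
    limiter = limiter or SipRateLimiter()
    counts = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for t, ip, method in sorted(packets, key=lambda p: p[0]):
        if limiter.allow(ip, t):
            counts[ip]["allowed"] += 1
            if method == "REGISTER":
                limiter.register(ip)
        else:
            counts[ip]["dropped"] += 1
    return dict(counts)


# Constructed traffic (not a capture): a phone that registers once and then
# sends a packet a second for a minute, and a scanner that fires one OPTIONS
# per second for 60 seconds without ever registering.
SAMPLE_PACKETS = (
    [(0, "192.0.2.10", "REGISTER")]
    + [(t, "192.0.2.10", "INVITE") for t in range(1, 61)]
    + [(t, "198.51.100.7", "OPTIONS") for t in range(0, 60)]
)

if __name__ == "__main__":
    for ip, c in simulate(SAMPLE_PACKETS).items():
        print(f"{ip:15} allowed={c['allowed']:3} dropped={c['dropped']:3}")
```

On the sample traffic the phone's 61 packets all pass (the first REGISTER spends one of its ten unknown-IP packets, after which it is exempt), while the scanner gets 10 packets through, is dropped for the rest of the 30-second window, gets another 10 as the window slides, and is dropped again: 20 allowed, 40 dropped. The same per-source policy maps onto iptables roughly as `-m hashlimit --hashlimit-mode srcip --hashlimit-above 20/min --hashlimit-burst 10 -j DROP` on UDP 5060, with an earlier `-m set --match-set registered src -j ACCEPT` rule fed by an ipset of registered endpoints standing in for `register()`; that is an approximation of the sliding window above, not an exact equivalent.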