diff --git a/tester/flexisip/flexisip.conf b/tester/flexisip/flexisip.conf index 96ac77cc4..be06bbf89 100755 --- a/tester/flexisip/flexisip.conf +++ b/tester/flexisip/flexisip.conf @@ -60,31 +60,35 @@ bind-address=0.0.0.0 # Default value: 3478 port=3478 + ## -## DOS protection parameters. +## This module bans user when they are sending too much packets on +## a given timelapse ## -[dos-protection] -# Enable or disable DOS protection using IPTables firewall. -# Default value: false -enabled=false +[module::DoS] +# Indicate whether the module is activated. +# Default value: true +enabled=true -# List of whitelist IPs which won't be affected by DOS protection. -# Default value: 127.0.0.1 -authorized-ip=127.0.0.1 +# A request/response enters module if the boolean filter evaluates +# to true. Ex: from.uri.domain contains 'sip.linphone.org', from.uri.domain +# in 'a.org b.org c.org', (to.uri.domain in 'a.org b.org c.org') +# && (user-agent == 'Linphone v2') +# Default value: +filter= -# Local ports to protect. -# Default value: 5060 -port=5060 +# Number of milliseconds to calculate the packet rate +# Default value: 1000 +time-period=1000 -# Time (in seconds) while an IP have to not send any packet in order -# to leave the blacklist. -# Default value: 60 -ban-duration=60 +# Maximum packet rate received in [time-period] millisecond(s) to +# consider to consider it a DoS attack. +# Default value: 5 +packet-rate-limit=5 -# Number of packets authorized in 1sec before considering them as -# DOS attack. -# Default value: 20 -packets-limit=20 +# Number of minutes to ban the ip/port using iptables +# Default value: 1 +ban-time=1 ## @@ -273,10 +277,6 @@ fork-late=true call-fork-timeout=20 -# Only forward one response of forked invite to the caller -# Default value: true -fork-one-response=true - # All the forked have to decline in order to decline the caller # invite # Default value: false 
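Review bot: The new `[module::DoS]` section is switched on with `enabled=true`, an empty `filter=` and `packet-rate-limit=5`, and it has no counterpart to the removed `authorized-ip=127.0.0.1` whitelist, so every client of this test proxy is now subject to the ban. Whether the module exempts local addresses on its own is not visible in this hunk. If it does not, other tests that share the flooding test's source address could be banned as a side effect for the `ban-time=1` minute. I would either narrow `filter=` to the traffic the DoS test generates, or at least add a comment above the section such as `# Limits kept deliberately low so the "DoS module trigger" test can reach them; not a production setting.` The generated comment above `packet-rate-limit` also repeats "to consider" twice.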
@@ -544,3 +544,5 @@ filter= # Default value: collector-address=sip:collector@sip.example.org + + diff --git a/tester/flexisip_tester.c b/tester/flexisip_tester.c index a5e0f3803..d32740440 100644 --- a/tester/flexisip_tester.c +++ b/tester/flexisip_tester.c @@ -858,6 +858,43 @@ static void file_transfer_message_external_body_to_rcs_client(void) { linphone_core_manager_destroy(pauline); } +static void dos_module_trigger(void) { + char *to; + LinphoneChatRoom *chat_room; + int i = 0; + int number_of_messge_to_send = 100; + LinphoneCoreManager* marie = linphone_core_manager_new("marie_rc"); + LinphoneCoreManager* pauline = linphone_core_manager_new("pauline_rc"); + + reset_counters(&marie->stat); + reset_counters(&pauline->stat); + + to = linphone_address_as_string(marie->identity); + chat_room = linphone_core_create_chat_room(pauline->lc,to); + + do { + char msg[128]; + sprintf(msg, "Flood message number %i", i); + linphone_chat_room_send_message(chat_room, msg); + ms_usleep(100000); + i++; + } while (i < number_of_messge_to_send); + // At this point we should be banned for a minute + + ms_usleep(90000000); // Wait 90 seconds to ensure we are not banned anymore + CU_ASSERT_TRUE(marie->stat.number_of_LinphoneMessageReceived < number_of_messge_to_send); + + reset_counters(&marie->stat); + reset_counters(&pauline->stat); + + linphone_chat_room_send_message(chat_room, "This one should pass through"); + CU_ASSERT_TRUE(wait_for(pauline->lc,marie->lc,&marie->stat.number_of_LinphoneMessageReceived, 1)); + + linphone_core_manager_destroy(marie); + linphone_core_manager_destroy(pauline); + ms_free(to); +} + test_t flexisip_tests[] = { { "Subscribe forking", subscribe_forking }, { "Message forking", message_forking }, 
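Review bot: The assertion `CU_ASSERT_TRUE(marie->stat.number_of_LinphoneMessageReceived < number_of_messge_to_send)` in dos_module_trigger does not show that a ban took place. It runs only after the 90-second sleep, and neither the flood loop nor that sleep iterates the two cores (only `ms_usleep` is called), so the counter may be below 100 simply because nothing has been processed yet. Driving the cores while flooding and checking the counter right after the loop, before the ban expires, would make the test fail when the module does not ban; if the tester's `wait_for_until` helper is available in this tree, calling it in place of each `ms_usleep` would do that. Separately, `sprintf(msg, ...)` fits in 128 bytes today, but `snprintf(msg, sizeof msg, "Flood message number %i", i);` keeps the write bounded if the text ever changes, and `number_of_messge_to_send` is misspelled.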
@@ -877,7 +914,8 @@ test_t flexisip_tests[] = { { "Call with ipv6", call_with_ipv6 }, { "File transfer message rcs to external body client", file_transfer_message_rcs_to_external_body_client }, { "File transfer message external body to rcs client", file_transfer_message_external_body_to_rcs_client }, - { "File transfer message external body to external body client", file_transfer_message_external_body_to_external_body_client } + { "File transfer message external body to external body client", file_transfer_message_external_body_to_external_body_client }, + { "DoS module trigger by sending a lot of chat messages", dos_module_trigger } };