asterisk users - Feb 2005 - Recommendation for dialplan in case of DDoS atta cks?

I'm trying to formulate a strategy for our interconnected Asterisk IAX peers
to failover to the PSTN in the event of a DDoS. We currently use them like
this:

DID--->PRI--->Primary Asterisk--->IAX--->On-site Asterisk--->SIP

This works fine, and everyone is happy. One of my concerns, though, is if we
get DDoS'd - which happens probably once every couple of years. I'd like
to
have the dialplan failover to PSTN to shunt calls to the PSTN--->User's
cell
number in the case of a DDoS attack. 

My current thinking is K.I.S.S - just put the user's cell as the next step
in the dialplan. However, I'd like for this to be controllable - when things
are working OK, I don't want the calls being routed to the cells *at all*. I
also don't want to have an extensions.conf and an extensions_emergency.conf
and do the _emergency as an commented out include. I'd like for it to be
automatic i.e. Asterisk detects Internet latency is above a certain
threshold, then automagically does the cell thing. 

Any suggestions? I fooled around in Google for about a half hour on this,
and of course the Wiki was no help. TIA

Colin Anderson wrote:
> I'm trying to formulate a strategy for our interconnected Asterisk IAX
peers
> to failover to the PSTN in the event of a DDoS. We currently use them like
> this:
> 
> DID--->PRI--->Primary Asterisk--->IAX--->On-site
Asterisk--->SIP
> 
> This works fine, and everyone is happy. One of my concerns, though, is if
we
> get DDoS'd - which happens probably once every couple of years. I'd
like to
> have the dialplan failover to PSTN to shunt calls to the
PSTN--->User's cell
> number in the case of a DDoS attack. 
> 
> My current thinking is K.I.S.S - just put the user's cell as the next
step
> in the dialplan. However, I'd like for this to be controllable - when
things
> are working OK, I don't want the calls being routed to the cells *at
all*. I
> also don't want to have an extensions.conf and an
extensions_emergency.conf
> and do the _emergency as an commented out include. I'd like for it to
be
> automatic i.e. Asterisk detects Internet latency is above a certain
> threshold, then automagically does the cell thing. 
> 
> Any suggestions? I fooled around in Google for about a half hour on this,
> and of course the Wiki was no help. TIA
How about a combination of GotoIF, and app_dbodbc (or app_db):

exten => 700,1,playback(ddos-on)
exten => 700,2,DBput(DDOS/yes)

exten => 701,1,playback(ddos-off)
exten => 701,2,DBdel(DDOS/yes)

[mymainaa]
exten => s,1,DBGET(TRUE=DDOS/yes)
exten => s,2,Do this

exten =) s,102,do something else

Just a very lazy, simple example, but it should work.

--
Kristian Kielhofner

Primary * box detects DD0S -> runs:

asterisk -rx "database put PANIC DDOS YES"

and have your dialplan look for that database family/key being set to
determine which path it takes.

When the primary * box detects that the DD0S is over -> runs:

asterisk -rx "database del PANIC DDOS"


On Tue, 2005-03-01 at 06:40, Colin Anderson wrote:
> I'm trying to formulate a strategy for our interconnected Asterisk IAX
peers
> to failover to the PSTN in the event of a DDoS. We currently use them like
> this:
> 
> DID--->PRI--->Primary Asterisk--->IAX--->On-site
Asterisk--->SIP
> 
> This works fine, and everyone is happy. One of my concerns, though, is if
we
> get DDoS'd - which happens probably once every couple of years. I'd
like to
> have the dialplan failover to PSTN to shunt calls to the
PSTN--->User's cell
> number in the case of a DDoS attack. 
> 
> My current thinking is K.I.S.S - just put the user's cell as the next
step
> in the dialplan. However, I'd like for this to be controllable - when
things
> are working OK, I don't want the calls being routed to the cells *at
all*. I
> also don't want to have an extensions.conf and an
extensions_emergency.conf
> and do the _emergency as an commented out include. I'd like for it to
be
> automatic i.e. Asterisk detects Internet latency is above a certain
> threshold, then automagically does the cell thing. 
> 
> Any suggestions? I fooled around in Google for about a half hour on this,
> and of course the Wiki was no help. TIA
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users@lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
-- 
Howard.
LANNet Computing Associates;
Your Linux people <http://www.lannetlinux.com>
------------------------------------------
"When you just want a system that works, you choose Linux;
when you want a system that just works, you choose Microsoft."
------------------------------------------
"Flatter government, not fatter government;
Get rid of the Australian states."

>How about a combination of GotoIF, and app_dbodbc (or app_db):
>exten => 700,1,playback(ddos-on)
>exten => 700,2,DBput(DDOS/yes)
>exten => 701,1,playback(ddos-off)
>exten => 701,2,DBdel(DDOS/yes)
>[mymainaa]
>exten => s,1,DBGET(TRUE=DDOS/yes)
>exten => s,2,Do this
>exten =) s,102,do something else
My comment: Good suggestion, but requires user intervention. I'm lazy and I
want it to be totally transparent. I'm not avaliable most of the time and
training someone to do it is not reliable, even my MCSE monkey would have
trouble figuring out that we are being DoS'd (NOT my hire!)

-and-
>Primary * box detects DD0S -> runs:
>asterisk -rx "database put PANIC DDOS YES"
>and have your dialplan look for that database family/key being set to
>determine which path it takes.
>When the primary * box detects that the DD0S is over -> runs:
>asterisk -rx "database del PANIC DDOS"
My comment: Better suggestion, and looks to be workable. What would be a
good way to detect latency? A cron job that pings a known host with, say, 2K
of data and pipes it back to a shell script? If so, what kind of frequency
would be considered effective? Every 30 seconds, 1 minute?

>Are these inbound or outbound calls?  (both?) I am pretty confused 
>about all of this...
Sorry, I should have been more specific. The primary Asterisk box that
connects with the PRI is the one I am concerned about being DoS'd - the
remote IAX peer runs off of a cable modem with a dynamic IP, I have a script
that checks it's IP every so often (hopefully before the lease expires!) and
updates our DNS at the office accodingly, so we can address the remote host
as remotehost1@foo.com etc. Since it's dynamic, and it's on an ISP that
is
very proactive about DoS attacks, I'm not concerned about the remote host
getting hosed, only the primary. The remote host would be inbound and
outbound calls, but my users can live with outbound calls being kacked,
inbound they would scream blue murder if it didn't work (salespeople) 
>Isn't this what qualify=<latency> (ie: qualify=200) in your
iax/sip.conf
>files is for?
>If the latency exceeds 200ms, Asterisk will automatically disable the
>link, and you can easily use a fail-over method in your dialplan. I
>think something like isChanAvail() might work for that.
I was thinking the same thing too, but from what I have seen qualify=XXX is
not universally supported:

http://lists.digium.com/pipermail/asterisk-users/2005-January/082657.html

We might use an IAX softphone or an IAXy and qualify may or may not be
supported. Ideally, I'd like something that is as device / implementation
independent as possible.

Also, I believe isChanAvail() is boolean with no quality assurances it'd be
worse in my context to throw a call out there that has lots of drops than to
re-route the call to the PSTN, a lot of users in my organization are leery
of VoIP in general and crappy calls would give them ammo to spread FUD about
VoIP.