Service of subscriber protection
The service is managed per subscriber with the fdpi_ctrl utility.
Command format:
fdpi_ctrl <command_type> --service 10 [list of options] [List_Of_IP or login]
The command syntax and the ways of assigning IP lists are described in Management of policing and services.
Examples:
Create a named profile and activate the DDoS protection service with the named profile for multiple subscribers
fdpi_ctrl load profile --service 10 --profile.name test_protect --profile.json '{ "ddos_trace" : 1, "ddos_reqsec_threshold" : 100, "ddos_reqsec_variation" : 5, "ddos_pktsec_threshold" : 1000, "ddos_pktsec_variation" : 5, "ddos_check_server" : "captcha.server.ru/?", "ddos_security_key" : "123", "syncf_protection" : 0 , "syncf_trace" : 0 , "syncf_check_tmout" : 0 , "syncf_tracking_packs_time" : 0 , "syncf_unconfirmed_percent" : 0 , "syncf_threshold" : 0 }'
fdpi_ctrl load --service 10 --profile.name test_protect --ip 192.168.0.1
fdpi_ctrl load --service 10 --profile.name test_protect --ip 192.168.0.2
Here the service settings of the profile are specified in JSON format.
Service settings are described in the following sections:
A profile may contain only part of the parameters, for example, only the parameters for the DDoS protection, while SYN flood protection is disabled. Unspecified parameters are set to their default values.
Search for the subscribers with activated notification service with the specified named profile
fdpi_ctrl list all --service 10 --profile.name test_protect
Delete a named profile (a named profile can be deleted only when no subscribers are using it)
fdpi_ctrl del profile --service 10 --profile.name test_protect
Change the service (profile) settings (new settings will be applied to all the subscribers with the named profile)
fdpi_ctrl load profile --service 10 --profile.name test_protect --profile.json '{ "ddos_reqsec_threshold" : 0, "ddos_reqsec_variation" : 5, "ddos_pktsec_threshold" : 0, "ddos_pktsec_variation" : 5, "syncf_protection" : 1 , "syncf_trace" : 1 , "syncf_check_tmout" : 500 , "syncf_tracking_packs_time" : 180 , "syncf_unconfirmed_percent" : 25 , "syncf_threshold" : 100 }'
Output the list of created profiles and their settings for the corresponding service
fdpi_ctrl list all profile --service 10
Disable the protection for a specific subscriber:
fdpi_ctrl del --service 10 --ip 192.168.0.1
Check the DDoS protection status
fdpi_ctrl list status --service 10 --ip 192.168.0.1
Output:
192.168.0.1 synf=0 ddos=1
synf=0 syn-flood protection is not active
ddos=1 ddos protection is active
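The status output above can be checked automatically to find subscribers that are missing one or both protections. The following shell functions are an added example, not part of the original documentation or of the vendor's tooling; they assume one status line per subscriber in exactly the format shown above, and the names check_status and audit_subscribers are hypothetical.

```shell
#!/bin/sh
# Added example: audit the output of
#   fdpi_ctrl list status --service 10 --ip <ip>
# Assumption: each subscriber yields one line "<ip> synf=<0|1> ddos=<0|1>".

# Reads status lines on stdin and prints one finding per subscriber that
# lacks a protection. Lines that do not match the assumed format are
# reported as UNPARSED instead of being silently treated as protected.
check_status() {
    awk '
    NF == 0 { next }                      # skip blank lines
    {
        ip = $1; synf = ""; ddos = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "synf") synf = kv[2]
            if (kv[1] == "ddos") ddos = kv[2]
        }
        if (synf !~ /^[01]$/ || ddos !~ /^[01]$/) {
            print "UNPARSED " $0
            next
        }
        if (synf == "0" && ddos == "0")  print ip " no-protection"
        else if (synf == "0")            print ip " synflood-off"
        else if (ddos == "0")            print ip " ddos-off"
    }'
}

# Queries every subscriber IP passed as an argument and checks the result.
# Must be run on the DPI host, where fdpi_ctrl is available.
audit_subscribers() {
    for ip in "$@"; do
        fdpi_ctrl list status --service 10 --ip "$ip"
    done | check_status
}

# Constructed sample lines (not real output) to show the findings format.
printf '%s\n' \
    '192.168.0.1 synf=0 ddos=1' \
    '192.168.0.2 synf=1 ddos=1' \
    '192.168.0.3 synf=0 ddos=0' | check_status
```

On the DPI host, audit_subscribers 192.168.0.1 192.168.0.2 prints a line only for subscribers with a protection switched off or with output that could not be parsed.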
The maximum number of DDoS protection profiles is set by the following option in /etc/dpi/fastdpi.conf:
max_profiles_ddos=32
Here 32 is the default value and 65535 is the maximum value.
max_profiles_ddos is a cold parameter, so the service needs to be restarted whenever the option is changed.