Table of Contents
db_url (string)use_local_time (integer)table_name (string)rid_col (string)pid_col (string)prefix_col (string)start_h (string)end_h (string)days_col (string)cpm_thresh_warn_col (string)cpm_thresh_crit_col (string)calldur_thresh_warn_col (string)calldur_thresh_crit_col (string)totalc_thresh_warn_col (string)totalc_thresh_crit_col (string)concalls_thresh_warn_col (string)concalls_thresh_crit_col (string)seqcalls_thresh_warn_col (string)seqcalls_thresh_crit_col (string)List of Tables
List of Examples
This module provides a way to prevent some basic fraud attacks. Alerts are provided through return codes and events.
Basically, this module watches the following parameters:
Total calls
Calls per minute
Concurrent calls
Number of sequential calls
Call duration
Each of the above parameters is monitored for every user and every called prefix separately. The stats are altered whenever the check_fraud function is called. The function assumes a new call is made, and checks the called number against all the rules from the supplied profile. The rule's prefix is considered to be the called prefix which along with the provided user will be used to monitor values for the 5 parameters.
A rule is a set of two thresholds (warning and critical thresholds) for each of the five parameters (as described above) and is only available for a specified prefix. Further more, a rule will only match between the indicated hours in the indicated days of the week (similarly to a dr rule). A fraud profile is simply a group of fraud rules and is used to only to limit the list of rules to match when calling the check_fraud function.
Database where to load the rules from.
Default value is “NULL”. At least one db_url should be defined for the fraud_detection module to work.
Example 1.1. Set the “db_url” parameter
...
modparam("fraud_detection", "db_url", "mysql://user:passwb@localhost/database")
...
Set this parameter to non-zero in order to enable local time-based interval matching and statistics resets, rather than UTC-based.
The default value is “0” (use UTC time).
Example 1.2. Set the “use_local_time” parameter
...
modparam("fraud_detection", "use_local_time", 1)
...
If you want to load the rules from the database you must set this parameter as the database name.
The default value is “fraud_detection”.
Example 1.3. Set the “table_name” parameter
...
modparam("fraud_detection", "table_name", "my_fraud")
...
The column's name in the database storing the fraud rule's id.
Default value is “ruleid”.
The column's name in the database storing the fraud profile's id.
Please keep in mind that a profile is merely a set of rules.
Default value is “profileid”.
The column's name in the database storing the prefix for which the fraud rule will match.
Default value is “prefix”.
Example 1.6. Set “prefix_col” parameter
...
modparam("fraud_detection", "prefix_col", "myprefix")
...
The column's name in the database storing the the start time of the interval in which the rule will match.
The time needs to be specified as string using the format: “HH:MM”
Default value is “start_hour”.
Example 1.7. Set “start_h” parameter
...
modparam("fraud_detection", "start_h", "the_start_time")
...
The column's name in the database storing the the end time of the interval in which the rule will match.
The time needs to be specified as string using the format: “HH:MM”
Default value is “end_hour”.
The column's name in the database storing the week days in which the fraud rule's interval is available.
The daysoftheweek needs to be specified as a string containing a list of days or intervals. Each day must be specified using the first three letters of its name. A valid string would be: "Fri-Mon, Wed, Thu"
Default value is “daysoftheweek”.
The column's name in the database storing the warning threshold value for calls per minute.
Default value is “cpm_warning”.
Example 1.10. Set “cpm_thresh_warn_col” parameter
...
modparam("fraud_detection", "cpm_thresh_warn_col", "cpm_warn_thresh")
...
The column's name in the database storing the critical threshold value for calls per minute.
Default value is “cpm_critical”.
Example 1.11. Set “cpm_thresh_crit_col” parameter
...
modparam("fraud_detection", "cpm_thresh_crit_col", "cpm_crit_thresh")
...
The column's name in the database storing the warning threshold value for call duration.
Default value is “call_duration_warning”.
Example 1.12. Set “calldur_thresh_warn_col” parameter
...
modparam("fraud_detection", "calldur_thresh_warn_col", "calldur_warn_thresh")
...
The column's name in the database storing the critical threshold value for call duration.
Default value is “call_duration_critical”.
Example 1.13. Set “calldur_thresh_crit_col” parameter
...
modparam("fraud_detection", "calldur_thresh_crit_col", "calldur_crit_thresh")
...
The column's name in the database storing the warning threshold value for the number of total calls.
Default value is “total_calls_warning”.
Example 1.14. Set “totalc_thresh_warn_col” parameter
...
modparam("fraud_detection", "totalc_thresh_warn_col", "totalc_warn_thresh")
...
The column's name in the database storing the critical threshold value for the number of total calls.
Default value is “total_calls_critical”.
Example 1.15. Set “totalc_thresh_crit_col” parameter
...
modparam("fraud_detection", "totalc_thresh_crit_col", "totalc_crit_thresh")
...
The column's name in the database storing the warning threshold value for the number of concurrent calls.
Default value is “concurrent_calls_warning”.
Example 1.16. Set “concalls_thresh_warn_col” parameter
...
modparam("fraud_detection", "concalls_thresh_warn_col", "concalls_warn_thresh")
...
The column's name in the database storing the critical threshold value for the number of concurrent calls.
Default value is “concurrent_calls_critical”.
Example 1.17. Set “concalls_thresh_crit_col” parameter
...
modparam("fraud_detection", "concalls_thresh_crit_col", "concalls_crit_thresh")
...
The column's name in the database storing the warning threshold value for the number of sequential calls.
Default value is “sequential_calls_warning”.
Example 1.18. Set “seqcalls_thresh_warn_col” parameter
...
modparam("fraud_detection", "seqcalls_thresh_warn_col", "seqcalls_warn_thresh")
...
This method should be called each time a given user calls a given number. It will try to match a fraud rule within de given fraud profile and update the stats (see above). Furthermore, the stats will be checked against the rule's thresholds. If any of the stats is above it's threhsold value the appropriate event will also be raised (see further details below).
Meaning of the parameters is as follows:
user - the user who is making the call. Please keep in mind that the user doesn't have to be registered. This string is only used do keep different stats for different registered users.
number - the number the user is calling to.
profile_id - the fraud profile id (i.e. the subset of fraud rules) in which to try and find a matching fraud rule.
The meaning of the return code is as follows:
2 - no matching fraud rule was found
1 - a matching rule was found, but there is no parameter above the rule's threshlod, i.e - everything is ok
-1 - there is a parameter above the warning threhsold value. Check the raised event for more info
-2 - there is a parameter above the critical threhsold value. Check the raised event for more info
-3 - something went wrong (internal mechanism failed)
This function can be used from REQUEST_ROUTE and ONREPLY_ROUTE.
Show the current statistics for a user to a given prefix and fraud profile.
Name: show_fraud_stats
Parameters:
user
prefix
fraud_profile
This event is raised whenever one of the 5 monitored parameters is above the warning threhsold value
Parameters:
param - the name of the parameter.
value - the current value of the parameter.
threshold - the warning threshold value.
user - the user who initiated the call.
called_number - the number that was called.
rule_id - the id of the fraud rule that matched when the call was initiated
This event is raised whenever one of the 5 monitored parameters is above the warning threhsold value
Parameters:
param - the name of the parameter.
value - the current value of the parameter.
threshold - the warning threshold value.
user - the user who initiated the call.
called_number - the number that was called.
rule_id - the id of the fraud rule that matched when the call was initiated
Table 2.1. Top contributors by DevScore(1), authored commits(2) and lines added/removed(3)
| Name | DevScore | Commits | Lines ++ | Lines -- | |
|---|---|---|---|---|---|
| 1. | Andrei Datcu (@andrei-datcu) | 37 | 11 | 2665 | 235 |
| 2. | Liviu Chircu (@liviuchircu) | 18 | 15 | 102 | 75 |
| 3. | Bogdan-Andrei Iancu (@bogdan-iancu) | 7 | 5 | 19 | 31 |
| 4. | Razvan Crainea (@razvancrainea) | 4 | 2 | 10 | 9 |
| 5. | Ionut Ionita (@ionutrazvanionita) | 3 | 1 | 21 | 6 |
(1) DevScore = author_commits + author_lines_added / (project_lines_added / project_commits) + author_lines_deleted / (project_lines_deleted / project_commits)
(2) including any documentation-related commits, excluding merge commits. Regarding imported patches/code, we do our best to count the work on behalf of the proper owner, as per the "fix_authors" and "mod_renames" arrays in opensips/doc/build-contrib.sh. If you identify any patches/commits which do not get properly attributed to you, please submit a pull request which extends "fix_authors" and/or "mod_renames".
(3) ignoring whitespace edits, renamed files and auto-generated files
Table 2.2. Most recently active contributors(1) to this module
| Name | Commit Activity | |
|---|---|---|
| 1. | Bogdan-Andrei Iancu (@bogdan-iancu) | Oct 2014 - Jun 2018 |
| 2. | Liviu Chircu (@liviuchircu) | Mar 2015 - Jun 2018 |
| 3. | Ionut Ionita (@ionutrazvanionita) | Jan 2016 - Jan 2016 |
| 4. | Razvan Crainea (@razvancrainea) | Feb 2015 - Aug 2015 |
| 5. | Andrei Datcu (@andrei-datcu) | Aug 2014 - Sep 2014 |
(1) including any documentation-related commits, excluding merge commits
Last edited by: Bogdan-Andrei Iancu (@bogdan-iancu), Liviu Chircu (@liviuchircu), Andrei Datcu (@andrei-datcu).
doc copyrights:
Copyright © 2014 www.opensips-solutions.com