====== Service of subscriber protection ======
{{indexmenu_n>4}}
Managing the service for a subscriber by using [[dpi:dpi_components:platform:subscriber_management:subsman_cmd|fdpi_ctrl]] utility.
Command format:
fdpi_ctrl --service 10 [list of options] [List_Of_IP or login]
More about the command syntax and assigment of IP lists described in [[dpi:dpi_components:platform:subscriber_management:subsman_cmd|Management of policing and services]]
**Examples:**
Create a named profile and activate the DDoS protection service with the named profile for multiple subscribers
fdpi_ctrl load profile --service 10 --profile.name test_protect --profile.json '{ "ddos_trace" : 1, "ddos_reqsec_threshold" : 100, "ddos_reqsec_variation" : 5, "ddos_pktsec_threshold" : 1000, "ddos_pktsec_variation" : 5, "ddos_check_server" : "captcha.server.ru/?", "ddos_security_key" : "123", "syncf_protection" : 0 , "syncf_trace" : 0 , "syncf_check_tmout" : 0 , "syncf_tracking_packs_time" : 0 , "syncf_unconfirmed_percent" : 0 , "syncf_threshold" : 0 }'
fdpi_ctrl load --service 10 --profile.name test_protect --ip 192.168.0.1
fdpi_ctrl load --service 10 --profile.name test_protect --ip 192.168.0.2
here the profile service settings using the json format is set.\\
Service settings are described in the following secions:\\
* __[[dpi:dpi_options:opt_ddos:ddos_ddos:ddos_ddos_settings|ddos_trace, ddos_reqsec_threshold, ddos_reqsec_variation, ddos_pktsec_threshold, ddos_pktsec_variation, ddos_check_server, ddos_security_key]]__
* __[[dpi:dpi_options:opt_ddos:ddos_dos:ddos_dos_synflood|syncf_protection, syncf_trace, syncf_check_tmout, syncf_tracking_packs_time, syncf_unconfirmed_percent, syncf_threshold]]__
In the profile you can provide only part of the parameters, for example, only the parameters for the ddos protection, while syn flood protection is disabled. The unspecified parameters will be set by defaults.
Search for the subscribers with activated notification service with the specified named profile
fdpi_ctrl list all --service 10 --profile.name test_protect
Delete a named profile (The named profile has no subscribers using it to delete)
fdpi_ctrl del profile --service 10 --profile.name test_protect
Change the service (profile) settings (new settings will be applied to all the subscribers with the named profile)
fdpi_ctrl load profile --service 10 --profile.name test_protect --profile.json '{ "ddos_reqsec_threshold" : 0, "ddos_reqsec_variation" : 5, "ddos_pktsec_threshold" : 0, "ddos_pktsec_variation" : 5, "syncf_protection" : 1 , "syncf_trace" : 1 , "syncf_check_tmout" : 500 , "syncf_tracking_packs_time" : 180 , "syncf_unconfirmed_percent" : 25 , "syncf_threshold" : 100 }'
Output the list of created profiles and their settings for corresponding service
fdpi_ctrl list all profile --service 10
Disable the protection for a specific subscriber:
fdpi_ctrl del --service 10 --ip 192.168.0.1
Check the DDoS protection status
fdpi_ctrl list status --service 10 --ip 192.168.0.1
Output:
192.168.0.1 synf=0 ddos=1
synf=0 syn-flood protection is not active\\
ddos=1 ddos protection is active
The maximum number of ddos protection profiles is set by the following option in the /etc/dpi/fastdpi.conf
max_profiles_ddos=32
here 32 is the default value, 65535 is the maximum value
The ''max_profiles_ddos'' is cold parameter, so the service needs to be restarted whenever the option is changed.