====== Service of subscriber protection ====== {{indexmenu_n>4}} Managing the service for a subscriber by using [[dpi:dpi_components:platform:subscriber_management:subsman_cmd|fdpi_ctrl]] utility. Command format: fdpi_ctrl --service 10 [list of options] [List_Of_IP or login] More about the command syntax and assigment of IP lists described in [[dpi:dpi_components:platform:subscriber_management:subsman_cmd|Management of policing and services]] **Examples:** Create a named profile and activate the DDoS protection service with the named profile for multiple subscribers fdpi_ctrl load profile --service 10 --profile.name test_protect --profile.json '{ "ddos_trace" : 1, "ddos_reqsec_threshold" : 100, "ddos_reqsec_variation" : 5, "ddos_pktsec_threshold" : 1000, "ddos_pktsec_variation" : 5, "ddos_check_server" : "captcha.server.ru/?", "ddos_security_key" : "123", "syncf_protection" : 0 , "syncf_trace" : 0 , "syncf_check_tmout" : 0 , "syncf_tracking_packs_time" : 0 , "syncf_unconfirmed_percent" : 0 , "syncf_threshold" : 0 }' fdpi_ctrl load --service 10 --profile.name test_protect --ip 192.168.0.1 fdpi_ctrl load --service 10 --profile.name test_protect --ip 192.168.0.2 here the profile service settings using the json format is set.\\ Service settings are described in the following secions:\\ * __[[dpi:dpi_options:opt_ddos:ddos_ddos:ddos_ddos_settings|ddos_trace, ddos_reqsec_threshold, ddos_reqsec_variation, ddos_pktsec_threshold, ddos_pktsec_variation, ddos_check_server, ddos_security_key]]__ * __[[dpi:dpi_options:opt_ddos:ddos_dos:ddos_dos_synflood|syncf_protection, syncf_trace, syncf_check_tmout, syncf_tracking_packs_time, syncf_unconfirmed_percent, syncf_threshold]]__ In the profile you can provide only part of the parameters, for example, only the parameters for the ddos protection, while syn flood protection is disabled. The unspecified parameters will be set by defaults. Search for the subscribers with activated notification service with the specified named profile fdpi_ctrl list all --service 10 --profile.name test_protect Delete a named profile (The named profile has no subscribers using it to delete) fdpi_ctrl del profile --service 10 --profile.name test_protect Change the service (profile) settings (new settings will be applied to all the subscribers with the named profile) fdpi_ctrl load profile --service 10 --profile.name test_protect --profile.json '{ "ddos_reqsec_threshold" : 0, "ddos_reqsec_variation" : 5, "ddos_pktsec_threshold" : 0, "ddos_pktsec_variation" : 5, "syncf_protection" : 1 , "syncf_trace" : 1 , "syncf_check_tmout" : 500 , "syncf_tracking_packs_time" : 180 , "syncf_unconfirmed_percent" : 25 , "syncf_threshold" : 100 }' Output the list of created profiles and their settings for corresponding service fdpi_ctrl list all profile --service 10 Disable the protection for a specific subscriber: fdpi_ctrl del --service 10 --ip 192.168.0.1 Check the DDoS protection status fdpi_ctrl list status --service 10 --ip 192.168.0.1 Output: 192.168.0.1 synf=0 ddos=1 synf=0 syn-flood protection is not active\\ ddos=1 ddos protection is active The maximum number of ddos protection profiles is set by the following option in the /etc/dpi/fastdpi.conf max_profiles_ddos=32 here 32 is the default value, 65535 is the maximum value The ''max_profiles_ddos'' is cold parameter, so the service needs to be restarted whenever the option is changed.