Self-hosted LiveKit + livekit/sip. Single SIP carrier, one source IP.
Rapid back-to-back legitimate inbound calls get AuthDrop’d ~85% of the time with status:486 reason:"flood".
Already verified:
- Trunk allowed_addresses = carrier IP (confirmed via lk CLI)
- Network firewall restricts :5060 to carrier IP only (zero scanners reach the daemon)
- livekit-sip sees the carrier IP directly as fromIP (no NAT/loopback)
- Reproduces identically on 3 topologies: K8s+LB, Kamailio frontend, bare VM with strict firewall — same ~85% flood rate
- Trunk digest auth not available (carrier portal: static-address inbound only)
Flood log has NO sipTrunk in the close event, so it’s auth-handler-level, not dispatch-level. Successful calls do show sipTrunk and run cleanly end-to-end — so the trunk config is fine, only the rate gate trips.
Questions:
- Any config / env var / RPC / trunk field to relax the per-source-IP rate gate?
- Where in livekit-server source does the AuthDrop logic live? (open source or cloud-only?)
- Recommended pattern for self-hosted with one high-call-rate carrier IP — FreeSWITCH bridge, multiple sip nodes, or LK Cloud?