Over the past few weeks we have observed DDoS type attacks on 4
different data centres across Canada, United States, Germany and France
where we have dedicated servers hosted.
We have not experienced a situation where **ALL** the data centres were
affected the same day.
Our VoIP services redundancy at the DNS and DNS/SRV level kicks in
immediately to avoid downtime for clients, when a DDoS affects the
network traffic to/from our servers.
Fortunately we have not been the targets, and it upsets any business
owner if one of their servers is affected (regardless of the level of
redundancy).
The origination of these DDoS attacks was from Amazon clouds.
Even though the attacks were not targeted towards our servers, it has
impacted us along with all the hundreds of servers connected at the data
centres, which are shared on the same core switch.
These DDoS attacks that we have witnessed at the data centres last for
*factors* of 5 minutes, and are **CLOCKWORK**.
Between 8:00 and 8:30 PM Toronto Local Time - specifically on Thursdays
& Fridays.
The network team at the data centres (my hats off to them) had
identified the targeted server, null routed them and problems solved.
At one point, I've been advised that the targeted server(s) were being
pounded with 8 Gbps of attacks.
So this naturally gets me more curious.
The common denominator of these DDoS type attacks appears to be "high
bandwidth" usage.
It disrupts services on not only the "victim" but everyone close by.
The data centres are using closed source proprietary products such as
PeakFlow from Arbor Networks.
We monitor our activity and do analysis with a bunch of open source
software.
These are mainly products for network monitoring (ntop and
miscellaneous), old school packet captures, peak flow traffic, and so on
and so on.
Wireshark, Ethereal, pcap, ntop, etc. network analysis tools are
great.
They require an intelligent person behind the keyboard for the
"analysis" **after** an issue has been identified.
*Would like to ask the community here for input on:*
- Open Source type product for possible DDoS type detection (that does
basic analysis for you & identifies peak traffic flow *real time*)
- UDP level - SIP flooding type DDoS attack detection (open and closed
source)
- Pattern Matching / Fake SIP registration detection at the "packet
level" - before it hits Asterisk process.
Ultimately I'm looking for a tool (preferably open source) that alerts
an operator with basic computer skills of abnormal behaviour.
*Thanks and regards,*
*Reza.*
--
FOUNDER & SR. TELECOM ANALYST
VOIPERNETICS COMMUNICATIONS
NATION WIDE DIDS, SIP TRUNKS & VOIP 911.
PARTIAL / FULL VIRTUAL PRI - NO CONTRACTS!
HOSTED PBX & TERMINATION SERVICES.
TEL: 647-476-2067
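As an added example (not part of the original post, and not a product of any of the tools or vendors named in it), the following Python script shows the kind of packet-level, pre-Asterisk check the post asks for: it parses the SIP request line and From header of each UDP datagram, keeps a sliding window of REGISTER requests per source address, and raises an alert when one source either exceeds a REGISTER rate threshold (flood) or attempts more than a handful of distinct account names (registration spray). The traffic it runs over is constructed inline; the thresholds, the hostnames and the addresses 10.0.0.5 and 198.51.100.7 are assumptions chosen for the demonstration, and in a real deployment the `observe()` method would be fed from a pcap or a port-mirror feed instead.

```python
"""Sliding-window SIP REGISTER flood / registration-spray detector.

Added example over constructed sample traffic; thresholds and addresses are
assumptions for the demonstration, not values from any production system.
"""
from collections import defaultdict, deque

REGISTER_PER_WINDOW = 20        # alert when one source sends more REGISTERs than this per window
DISTINCT_USERS_PER_WINDOW = 5   # alert when one source tries more than this many account names
WINDOW_SEC = 10.0               # length of the sliding window in seconds


def parse_sip(payload: str):
    """Return (method, from_user) for a SIP request, or None for responses and junk."""
    lines = payload.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 3 or not parts[2].startswith("SIP/2.0"):
        return None  # "SIP/2.0 200 OK" style responses and malformed data are ignored
    method = parts[0].upper()
    from_user = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("from", "f"):  # "f" is the compact form of From
            # From: "x" <sip:user@host>;tag=...  ->  user
            uri = value[value.find("sip:") + 4:] if "sip:" in value else ""
            from_user = uri.split("@", 1)[0]
            break
    return method, from_user


class SipFloodDetector:
    """Per-source sliding-window counters over REGISTER requests."""

    def __init__(self):
        self.registers = defaultdict(deque)  # src_ip -> deque of (timestamp, from_user)
        self.alerted = set()                 # (src_ip, kind) pairs already reported

    def observe(self, ts: float, src_ip: str, payload: str):
        """Feed one UDP datagram; return a list of alert strings (usually empty)."""
        parsed = parse_sip(payload)
        if parsed is None or parsed[0] != "REGISTER":
            return []  # only REGISTER traffic is counted here
        window = self.registers[src_ip]
        window.append((ts, parsed[1]))
        while window and ts - window[0][0] > WINDOW_SEC:
            window.popleft()  # drop entries that fell out of the window

        alerts = []
        distinct_users = {user for _, user in window}
        if len(distinct_users) > DISTINCT_USERS_PER_WINDOW and (src_ip, "spray") not in self.alerted:
            self.alerted.add((src_ip, "spray"))
            alerts.append(f"{src_ip}: {len(distinct_users)} distinct accounts in {WINDOW_SEC:.0f}s")
        if len(window) > REGISTER_PER_WINDOW and (src_ip, "flood") not in self.alerted:
            self.alerted.add((src_ip, "flood"))
            alerts.append(f"{src_ip}: {len(window)} REGISTERs in {WINDOW_SEC:.0f}s")
        return alerts


def sip_request(method: str, user: str, host: str = "pbx.example") -> str:
    """Build a minimal, constructed SIP request for the sample traffic."""
    return (f"{method} sip:{host} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK-{user}\r\n"
            f"From: <sip:{user}@{host}>;tag=1\r\n"
            f"To: <sip:{user}@{host}>\r\n"
            f"Call-ID: {user}@{host}\r\n"
            f"CSeq: 1 {method}\r\n\r\n")


def sample_traffic():
    """Constructed sample: a legitimate phone plus one source spraying REGISTERs."""
    pkts = []
    for i in range(3):  # 10.0.0.5 re-registers once a minute, as a real phone would
        pkts.append((i * 60.0, "10.0.0.5", sip_request("REGISTER", "alice")))
    pkts.append((5.0, "10.0.0.5", sip_request("INVITE", "alice")))
    pkts.append((5.2, "10.0.0.5", "SIP/2.0 200 OK\r\nFrom: <sip:alice@pbx.example>\r\n\r\n"))
    for i in range(30):  # 198.51.100.7 sends 30 REGISTERs for 30 accounts in six seconds
        pkts.append((20.0 + i * 0.2, "198.51.100.7", sip_request("REGISTER", f"user{i}")))
    return sorted(pkts, key=lambda p: p[0])


def run_detection(packets):
    """Run the detector over (timestamp, src_ip, payload) tuples; return all alerts."""
    detector = SipFloodDetector()
    alerts = []
    for ts, src_ip, payload in packets:
        alerts.extend(detector.observe(ts, src_ip, payload))
    return alerts


if __name__ == "__main__":
    for alert in run_detection(sample_traffic()):
        print("ALERT", alert)
```

Against the constructed traffic the legitimate phone never trips either rule, while the spraying source produces two alerts: the distinct-account rule fires first (on its sixth REGISTER), and the rate rule fires once it passes twenty REGISTERs inside the ten-second window. Both rules deliberately report once per source rather than once per packet, which is what keeps an operator-facing alert usable during an 8 Gbps event.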