Re: EXTERNAL: Re: VoIP Provider DDoSes

2021-09-28 Thread Eric Kuhnke
For those persons with voip.ms accounts, the DDoS-protected servers are in
their control panel with a green checkmark next to them as recommended
servers.

Now it looks like part of the DDoS has shifted to bandwidth.com.

On Mon, Sep 27, 2021 at 4:40 PM Mike Hammett  wrote:

> It seems like Cloudflare can do something now too because VoIP.MS is now
> routed through Cloudflare for their new servers.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> --
> *From: *"Ray Orsini" 
> *To: *"Mike Hammett" , "NANOG" 
> *Sent: *Wednesday, September 22, 2021 8:15:51 AM
> *Subject: *Re: EXTERNAL: Re: VoIP Provider DDoSes
>
> Yes there are. I was about to message Steve about the correction. Corero
> and path.net are options. There are others.
> Ray Orsini
> Chief Executive Officer
> OIT, LLC
> 305.967.6756 x1009 | 305.571.6272
> r...@oit.co | www.oit.co
> oit.co/ray
> --
> *From:* NANOG  on behalf of Mike
> Hammett 
> *Sent:* Wednesday, September 22, 2021 9:08:22 AM
> *To:* NANOG 
> *Subject:* EXTERNAL: Re: VoIP Provider DDoSes
>
>
> https://twit.tv/shows/security-now/episodes/837?autostart=false
>
>
> It looks like Security Now covered this yesterday. They claimed that,
> "There is currently no provider of large pipe VoIP protocol DDoS
> protection."
>
> Are any of the cloud DDoS mitigation services offering a service like this?
>
> --
> *From: *"Mike Hammett" 
> *To: *"NANOG" 
> *Sent: *Tuesday, September 21, 2021 4:19:42 PM
> *Subject: *VoIP Provider DDoSes
>
> As many may know, a particular VoIP supplier is suffering a DDoS.
> https://twitter.com/voipms
>
> Are your garden variety DDoS mitigation platforms or services equipped to
> handle DDoSes of VoIP services? What nuances does one have to be cognizant
> of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
>
>


Re: EXTERNAL: Re: VoIP Provider DDoSes

2021-09-27 Thread Mike Hammett
It seems like Cloudflare can do something now too because VoIP.MS is now routed 
through Cloudflare for their new servers. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Ray Orsini"  
To: "Mike Hammett" , "NANOG"  
Sent: Wednesday, September 22, 2021 8:15:51 AM 
Subject: Re: EXTERNAL: Re: VoIP Provider DDoSes 


Yes there are. I was about to message Steve about the correction. Corero and 
path.net are options. There are others. 
Ray Orsini
Chief Executive Officer
OIT, LLC
305.967.6756 x1009 | 305.571.6272
r...@oit.co | www.oit.co
oit.co/ray


From: NANOG  on behalf of Mike Hammett 
 
Sent: Wednesday, September 22, 2021 9:08:22 AM 
To: NANOG  
Subject: EXTERNAL: Re: VoIP Provider DDoSes 






https://twit.tv/shows/security-now/episodes/837?autostart=false 




It looks like Security Now covered this yesterday. They claimed that, "There is 
currently no provider of large pipe VoIP protocol DDoS protection." 


Are any of the cloud DDoS mitigation services offering a service like this?



From: "Mike Hammett"  
To: "NANOG"  
Sent: Tuesday, September 21, 2021 4:19:42 PM 
Subject: VoIP Provider DDoSes 


As many may know, a particular VoIP supplier is suffering a DDoS. 
https://twitter.com/voipms 


Are your garden variety DDoS mitigation platforms or services equipped to 
handle DDoSes of VoIP services? What nuances does one have to be cognizant of? 
A WAF doesn't mean much to SIP, IAX2, RTP, etc. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 




Re: [EXTERNAL] Re: VoIP Provider DDoSes

2021-09-22 Thread K. Scott Helms
The problem with this approach, and with scrubbing centers more generally,
is that while the cure might be better than the disease it doesn't result
in usable VOIP.  Voice customers don't care if things are _better_ but
their MOS scores are still below 2.

Scott Helms



On Wed, Sep 22, 2021 at 11:58 AM Compton, Rich A 
wrote:

> FYI, UTRS (Unwanted Traffic Removal Service
> https://team-cymru.com/community-services/utrs/) from Team Cymru is a
> free service where you can send a blackhole advertisement (sacrificing the
> one IP that’s under attack to save the rest of the network) and they will
> propagate that via BGP to hundreds of other ASNs which will then blackhole
> traffic to that IP.  This can drastically reduce the amount of DDoS traffic
> that is received by the victim network.
>
>
>
> -Rich
>
>
>
> *From: *NANOG  on
> behalf of Mike Hammett 
> *Date: *Wednesday, September 22, 2021 at 9:29 AM
> *To: *Terrance Devor 
> *Cc: *NANOG list 
> *Subject: *[EXTERNAL] Re: VoIP Provider DDoSes
>
>
>
> Fail2Ban on a couple of dozen servers may not be sufficient to address 400
> gigs of traffic.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
>
> --
>
> *From: *"Terrance Devor" 
> *To: *"Mike Hammett" 
> *Cc: *"NANOG" 
> *Sent: *Wednesday, September 22, 2021 10:24:07 AM
> *Subject: *Re: VoIP Provider DDoSes
>
> Fail2Ban and give ourselves a pat on the back..
>
>
>
> On Wed, Sep 22, 2021 at 9:12 AM Mike Hammett  wrote:
>
> https://twit.tv/shows/security-now/episodes/837?autostart=false
>
>
>
>
>
> It looks like Security Now covered this yesterday. They claimed that,
> "There is currently no provider of large pipe VoIP protocol DDoS
> protection."
>
>
>
> Are any of the cloud DDoS mitigation services offering a service like this?
> --
>
> *From: *"Mike Hammett" 
> *To: *"NANOG" 
> *Sent: *Tuesday, September 21, 2021 4:19:42 PM
> *Subject: *VoIP Provider DDoSes
>
> As many may know, a particular VoIP supplier is suffering a DDoS.
> https://twitter.com/voipms
>
>
>
> Are your garden variety DDoS mitigation platforms or services equipped to
> handle DDoSes of VoIP services? What nuances does one have to be cognizant
> of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
>
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
>
>
>


Re: VoIP Provider DDoSes

2021-09-22 Thread Christopher Morrow
On Wed, Sep 22, 2021 at 11:27 AM Mike Hammett  wrote:

> Fail2Ban on a couple of dozen servers may not be sufficient to address 400
> gigs of traffic.
>
>


Also, also.. keep in mind that 'fail2ban' does some processing on the log
messages to which it MAY take action.
It's taking, essentially, untrusted external input and ... acting as 'root'.

that sounds like a recipe for a disaster, to me... is the code utf-8 safe?
are the actions it takes safe in the context of whatever PTR record content
may come down the pipe? or apache(equivalent) log message parsing?




>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> --
> *From: *"Terrance Devor" 
> *To: *"Mike Hammett" 
> *Cc: *"NANOG" 
> *Sent: *Wednesday, September 22, 2021 10:24:07 AM
> *Subject: *Re: VoIP Provider DDoSes
>
> Fail2Ban and give ourselves a pat on the back..
>
> On Wed, Sep 22, 2021 at 9:12 AM Mike Hammett  wrote:
>
>> https://twit.tv/shows/security-now/episodes/837?autostart=false
>>
>>
>> It looks like Security Now covered this yesterday. They claimed that,
>> "There is currently no provider of large pipe VoIP protocol DDoS
>> protection."
>>
>> Are any of the cloud DDoS mitigation services offering a service like
>> this?
>>
>> --
>> *From: *"Mike Hammett" 
>> *To: *"NANOG" 
>> *Sent: *Tuesday, September 21, 2021 4:19:42 PM
>> *Subject: *VoIP Provider DDoSes
>>
>> As many may know, a particular VoIP supplier is suffering a DDoS.
>> https://twitter.com/voipms
>>
>> Are your garden variety DDoS mitigation platforms or services equipped to
>> handle DDoSes of VoIP services? What nuances does one have to be cognizant
>> of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
>> Midwest-IX
>> http://www.midwest-ix.com
>>
>>
>
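
The concern raised in the message above (a log watcher turning untrusted log text into privileged actions) can be narrowed by validating in an unprivileged step first. This is an added example, not part of the thread and not fail2ban's code; the log format, the `NEVER_BAN` prefix and the nft table and set names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed log format (an assumption, not any real server's format):
#   <timestamp> auth-fail src=<address> user="<client-supplied text>"
# The pattern is anchored at the start of the line, works on raw bytes so
# invalid UTF-8 cannot raise, and caps the address token at 45 characters.
LINE_RE = re.compile(rb'^\S+ auth-fail src=(\S{1,45}) user="')

# Assumed prefix of our own peers; addresses in it are never banned.
NEVER_BAN = [ipaddress.ip_network("192.0.2.0/24")]


def extract_source(raw):
    """Return a validated address object for one raw log line, or None."""
    m = LINE_RE.match(raw)
    if m is None:
        return None
    try:
        token = m.group(1).decode("ascii")
        # ip_address() accepts only literal addresses: hostnames, PTR
        # text, ports and stray punctuation all raise ValueError.
        addr = ipaddress.ip_address(token)
    except (UnicodeDecodeError, ValueError):
        return None
    for net in NEVER_BAN:
        if addr.version == net.version and addr in net:
            return None
    return addr


def addresses_to_ban(lines, threshold=3):
    """Count failures per validated source; return those at the threshold."""
    failures = Counter()
    for raw in lines:
        addr = extract_source(raw)
        if addr is not None:
            failures[addr] += 1
    return sorted(str(a) for a, n in failures.items() if n >= threshold)


def ban_argv(addr):
    """Build an argument vector (never a shell string) for the privileged
    step. Table "filter" and set "banned" are hypothetical names."""
    return ["nft", "add", "element", "inet", "filter", "banned",
            "{ %s }" % addr]


# Constructed sample input.
SAMPLE_LINES = [
    b'2021-09-22T10:00:01Z auth-fail src=203.0.113.5 user="100"',
    b'2021-09-22T10:00:02Z auth-fail src=203.0.113.5 user="101"',
    b'2021-09-22T10:00:03Z auth-fail src=203.0.113.5 user="\xff\xfe102"',
    b'2021-09-22T10:00:04Z auth-fail src=host;name.example.net user="100"',
    b'2021-09-22T10:00:05Z auth-fail src=192.0.2.10 user="100"',
    b'2021-09-22T10:00:06Z auth-fail src=192.0.2.10 user="100"',
    b'2021-09-22T10:00:07Z auth-fail src=192.0.2.10 user="100"',
    b'2021-09-22T10:00:08Z auth-fail src=198.51.100.7 user="100"',
]

if __name__ == "__main__":
    for address in addresses_to_ban(SAMPLE_LINES):
        print(ban_argv(ipaddress.ip_address(address)))
```

Only the address object that survives `extract_source` reaches the privileged command, so nothing else from the log line is ever passed along.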


Re: EXTERNAL: Re: VoIP Provider DDoSes

2021-09-22 Thread K. Scott Helms
I'm going to be reaching out to both of the organizations you listed, but I
don't see any of their documentation mentioning SIP, RTP, or any of the
"normal" VOIP protocols or use cases.

Scott Helms



On Wed, Sep 22, 2021 at 9:18 AM Ray Orsini  wrote:

> Yes there are. I was about to message Steve about the correction. Corero
> and path.net are options. There are others.
> Ray Orsini
> Chief Executive Officer
> OIT, LLC
> 305.967.6756 x1009 | 305.571.6272
> r...@oit.co | www.oit.co
> oit.co/ray
> --
> *From:* NANOG  on behalf of Mike
> Hammett 
> *Sent:* Wednesday, September 22, 2021 9:08:22 AM
> *To:* NANOG 
> *Subject:* EXTERNAL: Re: VoIP Provider DDoSes
>
>
> https://twit.tv/shows/security-now/episodes/837?autostart=false
>
>
> It looks like Security Now covered this yesterday. They claimed that,
> "There is currently no provider of large pipe VoIP protocol DDoS
> protection."
>
> Are any of the cloud DDoS mitigation services offering a service like this?
>
> --
> *From: *"Mike Hammett" 
> *To: *"NANOG" 
> *Sent: *Tuesday, September 21, 2021 4:19:42 PM
> *Subject: *VoIP Provider DDoSes
>
> As many may know, a particular VoIP supplier is suffering a DDoS.
> https://twitter.com/voipms
>
> Are your garden variety DDoS mitigation platforms or services equipped to
> handle DDoSes of VoIP services? What nuances does one have to be cognizant
> of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
>


Re: [EXTERNAL] Re: VoIP Provider DDoSes

2021-09-22 Thread Compton, Rich A
FYI, UTRS (Unwanted Traffic Removal Service 
https://team-cymru.com/community-services/utrs/) from Team Cymru is a free 
service where you can send a blackhole advertisement (sacrificing the one IP 
that’s under attack to save the rest of the network) and they will propagate 
that via BGP to hundreds of other ASNs which will then blackhole traffic to 
that IP.  This can drastically reduce the amount of DDoS traffic that is 
received by the victim network.

-Rich

From: NANOG  on behalf of 
Mike Hammett 
Date: Wednesday, September 22, 2021 at 9:29 AM
To: Terrance Devor 
Cc: NANOG list 
Subject: [EXTERNAL] Re: VoIP Provider DDoSes

Fail2Ban on a couple of dozen servers may not be sufficient to address 400 gigs 
of traffic.


-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


From: "Terrance Devor" 
To: "Mike Hammett" 
Cc: "NANOG" 
Sent: Wednesday, September 22, 2021 10:24:07 AM
Subject: Re: VoIP Provider DDoSes
Fail2Ban and give ourselves a pat on the back..

On Wed, Sep 22, 2021 at 9:12 AM Mike Hammett <na...@ics-il.net> wrote:
https://twit.tv/shows/security-now/episodes/837?autostart=false


It looks like Security Now covered this yesterday. They claimed that, "There 
is currently no provider of large pipe VoIP protocol DDoS protection."

Are any of the cloud DDoS mitigation services offering a service like this?

From: "Mike Hammett" <na...@ics-il.net>
To: "NANOG" <nanog@nanog.org>
Sent: Tuesday, September 21, 2021 4:19:42 PM
Subject: VoIP Provider DDoSes
As many may know, a particular VoIP supplier is suffering a DDoS. 
https://twitter.com/voipms

Are your garden variety DDoS mitigation platforms or services equipped to 
handle DDoSes of VoIP services? What nuances does one have to be cognizant of? 
A WAF doesn't mean much to SIP, IAX2, RTP, etc.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com




Re: VoIP Provider DDoSes

2021-09-22 Thread Mike Hammett
Fail2Ban on a couple of dozen servers may not be sufficient to address 400 gigs 
of traffic. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Terrance Devor"  
To: "Mike Hammett"  
Cc: "NANOG"  
Sent: Wednesday, September 22, 2021 10:24:07 AM 
Subject: Re: VoIP Provider DDoSes 


Fail2Ban and give ourselves a pat on the back.. 


On Wed, Sep 22, 2021 at 9:12 AM Mike Hammett < na...@ics-il.net > wrote: 




https://twit.tv/shows/security-now/episodes/837?autostart=false 




It looks like Security Now covered this yesterday. They claimed that, "There is 
currently no provider of large pipe VoIP protocol DDoS protection." 


Are any of the cloud DDoS mitigation services offering a service like this?



From: "Mike Hammett" < na...@ics-il.net > 
To: "NANOG" < nanog@nanog.org > 
Sent: Tuesday, September 21, 2021 4:19:42 PM 
Subject: VoIP Provider DDoSes 


As many may know, a particular VoIP supplier is suffering a DDoS. 
https://twitter.com/voipms 


Are your garden variety DDoS mitigation platforms or services equipped to 
handle DDoSes of VoIP services? What nuances does one have to be cognizant of? 
A WAF doesn't mean much to SIP, IAX2, RTP, etc. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 






Re: VoIP Provider DDoSes

2021-09-22 Thread Terrance Devor
Fail2Ban and give ourselves a pat on the back..

On Wed, Sep 22, 2021 at 9:12 AM Mike Hammett  wrote:

> https://twit.tv/shows/security-now/episodes/837?autostart=false
>
>
> It looks like Security Now covered this yesterday. They claimed that,
> "There is currently no provider of large pipe VoIP protocol DDoS
> protection."
>
> Are any of the cloud DDoS mitigation services offering a service like this?
>
> --
> *From: *"Mike Hammett" 
> *To: *"NANOG" 
> *Sent: *Tuesday, September 21, 2021 4:19:42 PM
> *Subject: *VoIP Provider DDoSes
>
> As many may know, a particular VoIP supplier is suffering a DDoS.
> https://twitter.com/voipms
>
> Are your garden variety DDoS mitigation platforms or services equipped to
> handle DDoSes of VoIP services? What nuances does one have to be cognizant
> of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
>


Re: EXTERNAL: Re: VoIP Provider DDoSes

2021-09-22 Thread Ray Orsini
Yes there are. I was about to message Steve about the correction. Corero and 
path.net are options. There are others.


Ray Orsini
Chief Executive Officer
OIT, LLC
 305.967.6756 x1009 |  305.571.6272
 r...@oit.co |  www.oit.co
 oit.co/ray
From: NANOG  on behalf of Mike Hammett 

Sent: Wednesday, September 22, 2021 9:08:22 AM
To: NANOG 
Subject: EXTERNAL: Re: VoIP Provider DDoSes




https://twit.tv/shows/security-now/episodes/837?autostart=false


It looks like Security Now covered this yesterday. They claimed that, "There 
is currently no provider of large pipe VoIP protocol DDoS protection."

Are any of the cloud DDoS mitigation services offering a service like this?


From: "Mike Hammett" 
To: "NANOG" 
Sent: Tuesday, September 21, 2021 4:19:42 PM
Subject: VoIP Provider DDoSes

As many may know, a particular VoIP supplier is suffering a DDoS. 
https://twitter.com/voipms

Are your garden variety DDoS mitigation platforms or services equipped to 
handle DDoSes of VoIP services? What nuances does one have to be cognizant of? 
A WAF doesn't mean much to SIP, IAX2, RTP, etc.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com



Re: VoIP Provider DDoSes

2021-09-22 Thread Mike Hammett
https://twit.tv/shows/security-now/episodes/837?autostart=false 




It looks like Security Now covered this yesterday. They claimed that, "There is 
currently no provider of large pipe VoIP protocol DDoS protection." 


Are any of the cloud DDoS mitigation services offering a service like this?

- Original Message -

From: "Mike Hammett"  
To: "NANOG"  
Sent: Tuesday, September 21, 2021 4:19:42 PM 
Subject: VoIP Provider DDoSes 


As many may know, a particular VoIP supplier is suffering a DDoS. 
https://twitter.com/voipms 


Are your garden variety DDoS mitigation platforms or services equipped to 
handle DDoSes of VoIP services? What nuances does one have to be cognizant of? 
A WAF doesn't mean much to SIP, IAX2, RTP, etc. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 



RE: [EXTERNAL] VoIP Provider DDoSes

2021-09-22 Thread Brian Turnbow via NANOG
Hi

>Something you may want to consider is to put ACLs as far upstream as possible 
>from your SBCs and only allow through what you need to the SBCs.  For example, 
>apply a filter only permitting UDP 5060 and your RTP port range to your SBCs 
>and then blocking everything else.  This is free and should stop a lot of 
>common DDoS attacks before they ever get to your SBCs.  Even better if you 
>can get your upstream ISP to apply the ACL.  DDoS attack traffic should be 
>dropped as close to the source as possible.

Yes, attacks on VoIP have become more prevalent, unfortunately.
Another thing to consider is blocking fragments, which have been a major 
factor in the attacks I have seen in SIP.
But to do this you need to make sure that you are not exceeding MTU length in 
Invites, or block fragments only from untrusted IPs.

Brian
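
The two points in this message (the quoted upstream ACL permitting only UDP 5060 and the RTP range, and the caveat about dropping fragments) interact, and the model below shows how. It is an added example, not part of the thread; the RTP port range, the trusted prefix, the 1500-byte MTU and the constructed INVITE are assumptions.

```python
import ipaddress
from dataclasses import dataclass

SIP_PORT = 5060                        # UDP 5060, as named in the thread
RTP_PORTS = range(10000, 20000)        # assumed RTP range; use your SBC's
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]   # assumed peer prefix
MAX_UDP_PAYLOAD = 1500 - 20 - 8        # assumed MTU minus IPv4 and UDP headers
RFC3261_UDP_LIMIT = 1300               # RFC 3261 18.1.1: larger requests go
                                       # over TCP when path MTU is unknown


@dataclass
class Packet:
    src: str
    proto: str
    dport: int          # not present on non-first fragments (no UDP header)
    fragment: bool      # more-fragments flag set or fragment offset > 0


def is_trusted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED)


def acl_decision(pkt):
    """Model of the ACL: fragment rule first, then the port allow list."""
    if pkt.fragment:
        # Port rules cannot match a non-first fragment, so decide by source.
        if is_trusted(pkt.src):
            return ("permit", "fragment from trusted peer")
        return ("deny", "fragment from untrusted source")
    if pkt.proto == "udp" and (pkt.dport == SIP_PORT or pkt.dport in RTP_PORTS):
        return ("permit", "SIP or RTP")
    return ("deny", "default deny")


def size_class(message):
    """Classify a SIP message by what happens to it as one UDP datagram."""
    if len(message) > MAX_UDP_PAYLOAD:
        return "fragments"
    if len(message) > RFC3261_UDP_LIMIT:
        return "tcp-recommended"
    return "fits"


def build_invite(via_hops, codecs):
    """Constructed INVITE; size grows with proxy hops and offered codecs."""
    sdp_lines = ["v=0", "o=- 1 1 IN IP4 198.51.100.10", "s=-",
                 "c=IN IP4 198.51.100.10", "t=0 0",
                 "m=audio 10000 RTP/AVP"
                 + "".join(" %d" % (96 + i) for i in range(codecs))]
    sdp_lines += ["a=rtpmap:%d codec%d/8000" % (96 + i, i) for i in range(codecs)]
    sdp = "\r\n".join(sdp_lines) + "\r\n"
    headers = ["INVITE sip:bob@example.net SIP/2.0"]
    headers += ["Via: SIP/2.0/UDP proxy%d.example.net:5060;branch=z9hG4bK%08d"
                % (i, i) for i in range(via_hops)]
    headers += ["Max-Forwards: 70",
                "From: <sip:alice@example.com>;tag=1",
                "To: <sip:bob@example.net>",
                "Call-ID: constructed-1@example.com",
                "CSeq: 1 INVITE",
                "Contact: <sip:alice@198.51.100.10:5060>",
                "Content-Type: application/sdp",
                "Content-Length: %d" % len(sdp)]
    return ("\r\n".join(headers) + "\r\n\r\n" + sdp).encode("ascii")


def invite_delivered(src, message):
    """Would this INVITE, sent over UDP from src, get through the ACL?"""
    fragmented = size_class(message) == "fragments"
    verdict, _reason = acl_decision(Packet(src, "udp", SIP_PORT, fragmented))
    return verdict == "permit"


if __name__ == "__main__":
    small, large = build_invite(1, 2), build_invite(8, 24)
    for src in ("203.0.113.7", "192.0.2.10"):
        for name, msg in (("small", small), ("large", large)):
            print(src, name, len(msg), size_class(msg), invite_delivered(src, msg))
```

Running `size_class` over INVITEs captured from your own traffic before enabling a fragment drop shows which senders would be cut off by it.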


Re: VoIP Provider DDoSes

2021-09-21 Thread Mike Hammett
Well, I suppose it depends on the type of DDoS. 


Some of their sites are hosted with large outfits like Softlayer and 
Hivelocity. Yeah, some others are a lot smaller. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Eric Kuhnke"  
To: "Mike Hammett"  
Cc: "NANOG"  
Sent: Tuesday, September 21, 2021 6:09:07 PM 
Subject: Re: VoIP Provider DDoSes 


Unlike http based services which can be placed behind cloudflare or similar, 
harder to protect sip trunking servers. 


The provider in question makes use of third party hosting services for each of 
their cities' POPs. It is my understanding that for the most part they do not 
run their own infrastructure but either rent dedicated servers or a few rack 
units of Colo in each city. 


I question whether some or any of those hosting companies have sufficient 
inbound (200-400Gbps) capacity to weather a moderately sized DDoS. 






On Tue, Sep 21, 2021, 5:30 PM Mike Hammett < na...@ics-il.net > wrote: 




As many may know, a particular VoIP supplier is suffering a DDoS. 
https://twitter.com/voipms 


Are your garden variety DDoS mitigation platforms or services equipped to 
handle DDoSes of VoIP services? What nuances does one have to be cognizant of? 
A WAF doesn't mean much to SIP, IAX2, RTP, etc. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 





Re: VoIP Provider DDoSes

2021-09-21 Thread james jones
Brandon,

Actually, I work for a company that just purchased a start up that deals
with DDOS for WebRTC, Websockets and grpc.

Mike,

I could see that, especially since HTTP 3.0 is UDP.

On Tue, Sep 21, 2021 at 9:47 PM Brandon Svec via NANOG 
wrote:

> Never heard of that one. WebRTC is maybe easier to protect from DDOS?
>
> Brandon
>
> > On Sep 21, 2021, at 5:37 PM, Michael Thomas  wrote:
> >
> > Which makes SIPoHTTP an inevitability.
> >
> > Mike
>


Re: VoIP Provider DDoSes

2021-09-21 Thread Michael Thomas



On 9/21/21 6:46 PM, Brandon Svec via NANOG wrote:

Never heard of that one. WebRTC is maybe easier to protect from DDOS?


I was just kidding/2. But WebRTC doesn't have a signaling protocol. It can 
be SIP but it can be completely home brewed too.


Mike




Brandon


On Sep 21, 2021, at 5:37 PM, Michael Thomas  wrote:

Which makes SIPoHTTP an inevitability.

Mike


Re: VoIP Provider DDoSes

2021-09-21 Thread Brandon Svec via NANOG
Never heard of that one. WebRTC is maybe easier to protect from DDOS?

Brandon 

> On Sep 21, 2021, at 5:37 PM, Michael Thomas  wrote:
> 
> Which makes SIPoHTTP an inevitability.
> 
> Mike


Re: VoIP Provider DDoSes

2021-09-21 Thread Michael Thomas



On 9/21/21 4:09 PM, Eric Kuhnke wrote:
Unlike http based services which can be placed behind cloudflare or 
similar, harder to protect sip trunking servers.


The provider in question makes use of third party hosting services for 
each of their cities' POPs. It is my understanding that for the most 
part they do not run their own infrastructure but either rent 
dedicated servers or a few rack units of Colo in each city.


I question whether some or any of those hosting companies have 
sufficient inbound (200-400Gbps) capacity to weather a moderately 
sized DDoS.



Which makes SIPoHTTP an inevitability.

Mike



Re: VoIP Provider DDoSes

2021-09-21 Thread Eric Kuhnke
Unlike http based services which can be placed behind cloudflare or
similar, harder to protect sip trunking servers.

The provider in question makes use of third party hosting services for each
of their cities' POPs. It is my understanding that for the most part they
do not run their own infrastructure but either rent dedicated servers or a
few rack units of Colo in each city.

I question whether some or any of those hosting companies have sufficient
inbound (200-400Gbps) capacity to weather a moderately sized DDoS.



On Tue, Sep 21, 2021, 5:30 PM Mike Hammett  wrote:

> As many may know, a particular VoIP supplier is suffering a DDoS.
> https://twitter.com/voipms
>
> Are your garden variety DDoS mitigation platforms or services equipped to
> handle DDoSes of VoIP services? What nuances does one have to be cognizant
> of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>


Re: [EXTERNAL] VoIP Provider DDoSes

2021-09-21 Thread Compton, Rich A
Something you may want to consider is to put ACLs as far upstream as possible 
from your SBCs and only allow through what you need to the SBCs.  For example, 
apply a filter only permitting UDP 5060 and your RTP port range to your SBCs 
and then blocking everything else.  This is free and should stop a lot of 
common DDoS attacks before they ever get to your SBCs.  Even better if you can 
get your upstream ISP to apply the ACL.  DDoS attack traffic should be dropped 
as close to the source as possible.

-Rich

From: Mike Hammett 
Date: Tuesday, September 21, 2021 at 4:39 PM
To: "Compton, Rich A" 
Cc: NANOG list 
Subject: Re: [EXTERNAL] VoIP Provider DDoSes

*nods* We have a Metaswitch SBC.

So as long as the pipe isn't full, an SBC is the buffer one needs? If the pipe 
is filled, pump it through {insert DDoS mitigation service here}?




-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


From: "Rich A Compton" 
To: "Mike Hammett" , "NANOG" 
Sent: Tuesday, September 21, 2021 4:59:06 PM
Subject: Re: [EXTERNAL] VoIP Provider DDoSes
Most of the larger DDoS mitigation appliances can block malformed SIP traffic 
and also can block volumetric/state exhaustion UDP floods.  A lot of VoIP 
companies have Session Border Controllers (SBCs) to protect public facing VoIP 
services.  SBCs are more application aware.  Kind of like a proxy based 
firewall just for VoIP.

-Rich

From: NANOG  on behalf of 
Mike Hammett 
Date: Tuesday, September 21, 2021 at 3:31 PM
To: NANOG list 
Subject: [EXTERNAL] VoIP Provider DDoSes

As many may know, a particular VoIP supplier is suffering a DDoS. 
https://twitter.com/voipms

Are your garden variety DDoS mitigation platforms or services equipped to 
handle DDoSes of VoIP services? What nuances does one have to be cognizant of? 
A WAF doesn't mean much to SIP, IAX2, RTP, etc.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


Re: [EXTERNAL] VoIP Provider DDoSes

2021-09-21 Thread Mike Hammett
*nods* We have a Metaswitch SBC. 


So as long as the pipe isn't full, an SBC is the buffer one needs? If the pipe 
is filled, pump it through {insert DDoS mitigation service here}? 







- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Rich A Compton"  
To: "Mike Hammett" , "NANOG"  
Sent: Tuesday, September 21, 2021 4:59:06 PM 
Subject: Re: [EXTERNAL] VoIP Provider DDoSes 



Most of the larger DDoS mitigation appliances can block malformed SIP traffic 
and also can block volumetric/state exhaustion UDP floods. A lot of VoIP 
companies have Session Border Controllers (SBCs) to protect public facing VoIP 
services. SBCs are more application aware. Kind of like a proxy based firewall 
just for VoIP. 

-Rich 


From: NANOG  on behalf of 
Mike Hammett  
Date: Tuesday, September 21, 2021 at 3:31 PM 
To: NANOG list  
Subject: [EXTERNAL] VoIP Provider DDoSes 




As many may know, a particular VoIP supplier is suffering a DDoS. 
https://twitter.com/voipms 



Are your garden variety DDoS mitigation platforms or services equipped to 
handle DDoSes of VoIP services? What nuances does one have to be cognizant of? 
A WAF doesn't mean much to SIP, IAX2, RTP, etc. 





- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com


Re: [EXTERNAL] VoIP Provider DDoSes

2021-09-21 Thread Compton, Rich A
Most of the larger DDoS mitigation appliances can block malformed SIP traffic 
and also can block volumetric/state exhaustion UDP floods.  A lot of VoIP 
companies have Session Border Controllers (SBCs) to protect public facing VoIP 
services.  SBCs are more application aware.  Kind of like a proxy based 
firewall just for VoIP.

-Rich

From: NANOG  on behalf of 
Mike Hammett 
Date: Tuesday, September 21, 2021 at 3:31 PM
To: NANOG list 
Subject: [EXTERNAL] VoIP Provider DDoSes

As many may know, a particular VoIP supplier is suffering a DDoS. 
https://twitter.com/voipms

Are your garden variety DDoS mitigation platforms or services equipped to 
handle DDoSes of VoIP services? What nuances does one have to be cognizant of? 
A WAF doesn't mean much to SIP, IAX2, RTP, etc.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


Re: VoIP Provider DDoSes

2021-09-21 Thread Jared Geiger
Simwood's blog has a few articles from the past couple weeks with
commentary on the attacks to voip providers in the UK.
https://blog.simwood.com/2021/09/voip-ddos-fail-to-prepare/

On Tue, Sep 21, 2021 at 2:31 PM Mike Hammett  wrote:

> As many may know, a particular VoIP supplier is suffering a DDoS.
> https://twitter.com/voipms
>
> Are your garden variety DDoS mitigation platforms or services equipped to
> handle DDoSes of VoIP services? What nuances does one have to be cognizant
> of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>


VoIP Provider DDoSes

2021-09-21 Thread Mike Hammett
As many may know, a particular VoIP supplier is suffering a DDoS. 
https://twitter.com/voipms 


Are your garden variety DDoS mitigation platforms or services equipped to 
handle DDoSes of VoIP services? What nuances does one have to be cognizant of? 
A WAF doesn't mean much to SIP, IAX2, RTP, etc. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com