My experience of this in connection with various customers is that it’s just UDP fragments. Doesn’t appear to let up in response to a lack of stimuli (i.e. blocking ICMP unreachable responses from going back out doesn’t help), and doesn’t seem aimed at SIP / RTP services specifically in any discernible way.
Could be different elsewhere.

— Alex

> On Sep 27, 2021, at 5:21 PM, Ryan Delgrosso <ryandelgro...@gmail.com> wrote:
>
> Do we know this is a SIP/RTP targeted volumetric attack and those aren't just
> collateral damage in a more plebeian attack aimed at portals/apis or routers?
>
> I can understand them being tight lipped but some transparency helps the
> situation.
>
> I wonder if DHS is involved yet?
>
> On 9/27/2021 1:48 PM, Jay Hennigan via VoiceOps wrote:
>> On 9/27/21 13:30, Darren via VoiceOps wrote:
>>> I know it’s hard to be patient but I can’t imagine they’re NOT all hands on
>>> deck.
>>>
>>> The reality is probably that the DDoS attack is now so big, they can’t
>>> handle it on their own, so they’re scrambling to contract out with another
>>> provider who can handle it. That would explain why the BGP routes they
>>> advertise have shifted. These DDoS products typically take weeks to set up,
>>> so they’re likely having to scramble. I’ll be surprised if this does NOT
>>> continue tomorrow (unfortunately).
>>
>> From my understanding this is not your typical volumetric DDoS but something
>> specific to SIP or VoIP and thus the typical scrubbing services aren't going
>> to be effective against the voice side of things.
>>
>> Obviously they are keeping things close to the vest in order not to give too
>> much information to the bad guys but I agree that it may take some time to
>> resolve.
>>
>>> *From: *VoiceOps <voiceops-boun...@voiceops.org> on behalf of Carlos
>>> Alvarez <caalva...@gmail.com>
>>> *Date: *Monday, September 27, 2021 at 1:23 PM
>>
>>> Generic SIP client here, and the ongoing "continue to investigate" notices
>>> are infuriatingly like "we have no damn clue what we're doing." Try
>>> explaining to customers why it's not "our fault*" and that there's no way
>>> to estimate a repair time.
>>
>> I think the ongoing "continue to investigate" messages are fine. They're
>> obviously dealing with a major incident and trying their best to keep their
>> customers informed. This IMHO beats silence.
>>
>>> *Our fault for choosing them I guess, but not something we can fix in
>>> minutes.
>>
>> The same thing could and has affected others. Voip.ms has been dealing with
>> a similar attack for at least a week. We've had excellent service from
>> Bandwidth for years and I trust that they will be able to get through this
>> as well as anyone.
>>
>> It's the nature of the legacy PSTN that redundant providers or fast failover
>> for inbound calling isn't (yet) a thing.
>>
> _______________________________________________
> VoiceOps mailing list
> VoiceOps@voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops

--
Alex Balashov | Principal | Evariste Systems LLC

Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/