
I sent this to NANOG recently, not even thinking that this list may get a better ROI.
As many may know, a particular VoIP supplier is suffering a DDoS. https://twitter.com/voipms
Are your garden variety DDoS mitigation platforms or services equipped to handle DDoSes of VoIP services? What nuances does one have to be cognizant of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest Internet Exchange http://www.midwest-ix.com

It's pretty bad out there. voip.ms are definitely not the only ones being hit. I've got a customer that's been getting hit for a week, though seemingly no ransom demand and may not be the same outfit.
On Sep 26, 2021, at 4:54 PM, Mike Hammett <voiceops at ics-il.net> wrote:
I sent this to NANOG recently, not even thinking that this list may get a better ROI.
As many may know, a particular VoIP supplier is suffering a DDoS. https://twitter.com/voipms
Are your garden variety DDoS mitigation platforms or services equipped to handle DDoSes of VoIP services? What nuances does one have to be cognizant of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest Internet Exchange http://www.midwest-ix.com
_______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
-- Alex Balashov | Principal | Evariste Systems LLC Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free) Web: http://www.evaristesys.com/, http://www.csrpswitch.com/

A quick anecdote. One of our hosting providers (Hetzner) had a DDoS mitigation tool which blackholed our servers when they reached about 1500 concurrent call legs with RTP. That's about 75kpps in, which was presumably - and not entirely unreasonably - set as a threshold for DDoS attack detection. So, Mike, I'd observe that DDoS mitigation platforms may not even be equipped to handle regular IP telephony traffic, let alone deal with DDoS attacks :-) --Dave On Mon, Sep 27, 2021 at 12:26 AM Alex Balashov via VoiceOps < voiceops at voiceops.org> wrote:
It's pretty bad out there. voip.ms are definitely not the only ones being hit. I've got a customer that's been getting hit for a week, though seemingly no ransom demand and may not be the same outfit.

Are any of you that are not using the public Internet to connect to Bandwidth facing issues? Moving to a PNI certainly resolves anything directly related to the public Internet, but if internal systems are overloaded, there's not much a PNI will do. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com ----- Original Message ----- From: Mike Hammett <voiceops at ics-il.net> To: VoiceOps <voiceops at voiceops.org> Sent: Sun, 26 Sep 2021 15:54:42 -0500 (CDT) Subject: [VoiceOps] VoIP Provider DDoSes I sent this to NANOG recently, not even thinking that this list may get a better ROI. As many may know, a particular VoIP supplier is suffering a DDoS. https://twitter.com/voipms Are your garden variety DDoS mitigation platforms or services equipped to handle DDoSes of VoIP services? What nuances does one have to be cognizant of? A WAF doesn't mean much to SIP, IAX2, RTP, etc. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com

Well, or anyone else lately facing DDoS attacks. VoIP.ms wouldn't really be in the same boat because they don't appear to run their own network. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com ----- Original Message ----- From: Mike Hammett <voiceops at ics-il.net> To: Mike Hammett <voiceops at ics-il.net> Cc: VoiceOps <voiceops at voiceops.org> Sent: Tue, 28 Sep 2021 08:11:33 -0500 (CDT) Subject: Re: [VoiceOps] VoIP Provider DDoSes Are any of you that are not using the public Internet to connect to Bandwidth facing issues? Moving to a PNI certainly resolves anything directly related to the public Internet, but if internal systems are overloaded, there's not much a PNI will do. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com

On 26/09/2021 21:54, Mike Hammett wrote:
Are your garden variety DDoS mitigation platforms or services equipped to handle DDoSes of VoIP services? What nuances does one have to be cognizant of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
Without saying too much:
Seems to be a spate of DDOS against UK based voip providers at the moment. For ransom. Don't pay.
One provider said that traditional approaches did not work. They tried Voxility but just got false positives. There are providers that do work.
But in the UK a lot of traffic goes over peers through internet exchanges. So just swapping transit only half the problem.
Prep wise:
So practice altering your IP advertisements, dropping and bringing up peers. If you connect to route servers, practice doing selective announcements. Try to get private interconnects to your upstream telco providers. Get your network teams warmed up for when it does happen. If you host with a cloud provider, have a backup because if DDOS is coming from the same cloud .....
Tim

Bandwidth.com is using cloudflares magic transit for DDOS protection. Seems to be working ok. CF says it doesn't matter the protocol they can scrub the traffic. From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Tim Bray via VoiceOps Sent: Friday, October 01, 2021 9:34 AM To: voiceops at voiceops.org Subject: Re: [VoiceOps] VoIP Provider DDoSes On 26/09/2021 21:54, Mike Hammett wrote: Are your garden variety DDoS mitigation platforms or services equipped to handle DDoSes of VoIP services? What nuances does one have to be cognizant of? A WAF doesn't mean much to SIP, IAX2, RTP, etc. Without saying too much: Seems to be a spate of DDOS against UK based voip providers at the moment. For ransom. Don't pay. One provider said that traditional approaches did not work. They tried Voxility but just got false positives. There are providers that do work. But in the UK a lot of traffic goes over peers through internet exchanges. So just swapping transit only half the problem. Prep wise: So practice altering your IP advertisements, dropping and bringing up peers. If you connect to route servers, practice doing selective announcements. Try to get private interconnects to your upstream telco providers. Get your network teams warmed up for when it does happen. If you host with a cloud provider, have a backup because if DDOS is coming from the same cloud ..... Tim

Has been or is now? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com ----- Original Message ----- From: "Joseph Jackson" <jjackson at aninetworks.net> To: "Tim Bray" <tim at kooky.org>, voiceops at voiceops.org Sent: Saturday, October 2, 2021 9:43:23 AM Subject: Re: [VoiceOps] VoIP Provider DDoSes Bandwidth.com is using cloudflares magic transit for DDOS protection. Seems to be working ok. CF says it doesn't matter the protocol they can scrub the traffic.

Is now. If you look at their BGP announcements over the last week using something like bgplay you can see them move all their prefixes behind cloudflare. From: Mike Hammett [mailto:voiceops at ics-il.net] Sent: Saturday, October 02, 2021 10:30 AM To: Joseph Jackson Cc: Tim Bray; voiceops at voiceops.org Subject: Re: [VoiceOps] VoIP Provider DDoSes Has been or is now? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com

BGPlay is a good tool. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com ----- Original Message ----- From: "Joseph Jackson" <jjackson at aninetworks.net> To: "Mike Hammett" <voiceops at ics-il.net> Cc: "Tim Bray" <tim at kooky.org>, voiceops at voiceops.org Sent: Saturday, October 2, 2021 11:20:26 AM Subject: RE: [VoiceOps] VoIP Provider DDoSes Is now. If you look at their BGP announcements over the last week using something like bgplay you can see them move all their prefixes behind cloudflare.

For those that don't know what BGPlay is... https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource... ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com

Cloudflare made another blog post about what kinds of traffic they are seeing. https://blog.cloudflare.com/update-on-voip-attacks/ One problem is if Cloudflare drops UDP fragments, that could cause some calls to fail and others not to. Especially now with SHAKEN/STIR certs in the headers and people putting every codec known to man on the INVITEs. Verizon specifically mentioned UDP fragments in the email notice before they put S/S on TF Inbound. So cloudflare magic transit isn't necessarily the easy button for protecting VoIP traffic but it would definitely help keep a network alive and processing calls during an attack. On Mon, Oct 4, 2021 at 6:24 AM Mike Hammett <voiceops at ics-il.net> wrote:
For those that don't know what BGPlay is...
https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource...
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest Internet Exchange http://www.midwest-ix.com

UDP fragments have been a problem for years.
Mitigations historically have been to turn off spare codecs. On snom phones, turn off fancy features.
Tbh, the only really modern mitigation is just to use SIP over TLS and taking UDP out of the mix for everything except media.
Tim
On 07/10/2021 23:34, Jared Geiger wrote:
Cloudflare made another blog post about what kinds of traffic they are seeing. https://blog.cloudflare.com/update-on-voip-attacks/
One problem is if Cloudflare drops UDP fragments, that could cause some calls to fail and others not to. Especially now with SHAKEN/STIR certs in the headers and people putting every codec known to man on the INVITEs. Verizon specifically mentioned UDP fragments in the email notice before they put S/S on TF Inbound. So cloudflare magic transit isn't necessarily the easy button for protecting VoIP traffic but it would definitely help keep a network alive and processing calls during an attack.

I would agree, but modify this advice to read: "TCP or TLS to the edge for end-users, then step down to UDP with big MTUs inside the service provider core."
-- Sent from mobile, with due apologies for brevity and errors.
On Oct 8, 2021, at 8:25 AM, Tim Bray via VoiceOps <voiceops at voiceops.org> wrote:
UDP fragments have been a problem for years.
mitigations historically have been to turn off spare codecs. On snom phones, turn off fancy features.
Tbh, the only really modern mitigation is just to use SIP over TLS and taking UDP out of the mix for everything except media.
Tim
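The UDP fragmentation point raised in the last three messages, worked through as an added example (not code from any poster): it builds a constructed INVITE and checks its size against a 1500-byte link MTU and the RFC 3261 section 18.1.1 rule for when a request must move off UDP. All addresses, the codec list and the 560-character Identity placeholder are assumptions.

```python
"""Will this SIP INVITE fit in one UDP datagram? (all sample data is constructed)"""

CRLF = "\r\n"
IP_UDP_OVERHEAD = 20 + 8   # IPv4 header without options + UDP header
RFC3261_UDP_LIMIT = 1300   # RFC 3261 18.1.1: larger than this, path MTU unknown -> TCP
RFC3261_MTU_MARGIN = 200   # ...or within 200 bytes of a known path MTU -> TCP

# Constructed "every codec" offer: (payload type, rtpmap, fmtp or None)
ALL_CODECS = [
    (0, "PCMU/8000", None), (8, "PCMA/8000", None), (9, "G722/8000", None),
    (18, "G729/8000", "annexb=no"), (3, "GSM/8000", None),
    (97, "iLBC/8000", "mode=20"), (98, "speex/8000", None),
    (99, "speex/16000", None), (96, "opus/48000/2", "useinbandfec=1"),
    (100, "AMR-WB/16000", "octet-align=1"),
    (101, "telephone-event/8000", "0-16"),
]
# "Turn off spare codecs": keep one audio codec plus DTMF events.
SPARE_OFF = [c for c in ALL_CODECS if c[0] in (0, 101)]

# Placeholder shaped like a STIR/SHAKEN Identity header value. The token
# length is an assumption for illustration, not a measured value.
IDENTITY = "A" * 560 + ";info=<https://cert.example.invalid/sp.pem>;alg=ES256;ppt=shaken"


def build_sdp(codecs):
    """Return an SDP audio offer listing the given codecs."""
    pts = " ".join(str(pt) for pt, _, _ in codecs)
    lines = ["v=0", "o=- 3842 3842 IN IP4 192.0.2.10", "s=-",
             "c=IN IP4 192.0.2.10", "t=0 0", f"m=audio 49170 RTP/AVP {pts}"]
    for pt, rtpmap, fmtp in codecs:
        lines.append(f"a=rtpmap:{pt} {rtpmap}")
        if fmtp:
            lines.append(f"a=fmtp:{pt} {fmtp}")
    lines.append("a=sendrecv")
    return CRLF.join(lines) + CRLF


def build_invite(codecs, identity=None):
    """Return the INVITE as bytes, with a correct Content-Length."""
    sdp = build_sdp(codecs).encode()
    headers = [
        "INVITE sip:+15555550100@sbc.example.invalid SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds;rport",
        "Max-Forwards: 70",
        "From: <sip:+15555550123@carrier.example.invalid>;tag=1928301774",
        "To: <sip:+15555550100@sbc.example.invalid>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 314159 INVITE",
        "Contact: <sip:+15555550123@192.0.2.10:5060>",
    ]
    if identity:
        headers.append("Identity: " + identity)
    headers += ["Content-Type: application/sdp", f"Content-Length: {len(sdp)}"]
    return (CRLF.join(headers) + CRLF + CRLF).encode() + sdp


def assess(message, path_mtu=None, link_mtu=1500):
    """Report size, whether IPv4 would fragment it over UDP, and the RFC 3261 verdict."""
    size = len(message)
    if path_mtu is None:
        needs_tcp = size > RFC3261_UDP_LIMIT
    else:
        needs_tcp = size > path_mtu - RFC3261_MTU_MARGIN
    return {
        "sip_bytes": size,
        "ip_fragmented_over_udp": size + IP_UDP_OVERHEAD > link_mtu,
        "rfc3261_requires_tcp": needs_tcp,
    }


def scenarios():
    """Compare the cases the thread discusses."""
    full = build_invite(ALL_CODECS, IDENTITY)
    return {
        # Every codec plus Identity on a 1500-byte Internet path.
        "full_offer": assess(full),
        # Same call with spare codecs turned off.
        "spare_codecs_off": assess(build_invite(SPARE_OFF, IDENTITY)),
        # Every codec, no Identity header.
        "full_offer_no_identity": assess(build_invite(ALL_CODECS)),
        # Same full offer over UDP inside a core with 9000-byte MTUs.
        "full_offer_core_9000": assess(full, path_mtu=9000, link_mtu=9000),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24} {result}")
```

A scrubbing service or firewall that drops non-initial fragments would lose only the calls in the first category, which matches the "some calls fail and others do not" symptom described above.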
participants (6)
- abalashov@evaristesys.com
- david.knell@telng.com
- jared@compuwizz.net
- jjackson@aninetworks.net
- tim@kooky.org
- voiceops@ics-il.net