. DDOS Attacks and ITSP's

Ryan,

This is a great discussion to start. I can't contribute at this time, but I certainly plan on giving you guys all of the information about what we at VI have been doing, what has worked, what hasn't worked, what we saw, what we didn't see, etc. Certain contacts may not allow me to name company names, but I still think we can give out enough information to be useful.

We definitely plan on giving this information out. Like you said, events like these are typically embarrassing and companies don't like to come out and describe exactly how negligent or naive they were to allow it.

I feel that getting the knowledge out there is much more important than our pride though. Right now, we're not giving out a whole lot of information on what we are doing for fear that it will be "used against us." I do somewhat agree with your assessment about these people knowing this stuff already, but at this point we don't want to take the chance (as irrational as that seems).

Once we're in a more stable place, I will certainly work with our Networking Engineer, Owner, and Operations Manager on trying to talk them into giving out the most information possible to arm you guys in the event that this occurs to any of you.

In the meantime, if you have any questions, please feel free to email me. I will do my best to help as much as I can.

Timothy Linn
Lead Systems Engineer
Voip Innovations
Sent from my Verizon Wireless 4G LTE smartphone

-------- Original message --------
From: voiceops-request at voiceops.org
Date: 2016/03/19 12:00 (GMT-05:00)
To: voiceops at voiceops.org
Subject: VoiceOps Digest, Vol 81, Issue 38

----------------------------------------------------------------------
Message: 1
Date: Fri, 18 Mar 2016 17:07:56 -0700
From: Ryan Delgrosso <ryandelgrosso at gmail.com>
To: "voiceops at voiceops.org" <voiceops at voiceops.org>
Subject: [VoiceOps] DDOS Attacks and ITSP's
Message-ID: <56EC985C.6050203 at gmail.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

With the current mega-thread about VI I figured I would get an educational discussion going about DDOS. Search the archives; I've probably started this discussion a few times in the past, but each time the context is different.

I have given talks at several different venues (anyone here a CFCA member, or been to a Metaswitch forum event?) about DDOS and what the current arsenal of internet attacks means to voice. Unfortunately many network operators treat DDOS like a shameful thing and don't share information about it. This makes it that much harder for network operators to do the right thing and take meaningful and decisive action, and ultimately makes the jobs of the attackers that much easier.

Keep in mind sharing these kinds of tactics isn't "helping the attackers". They know this stuff. It's OK to tell them what they know. Who doesn't know this stuff are other operators that haven't been hit yet.

Have you been hit by DDOS? Have you built out solutions to cope with DDOS?

I'll start things off:

1. How do you know it's a DDOS and something isn't just broken?
   1. Netflow
   2. SBC retransmissions (this will often be your first warning)
   3. Significant deviation from normal traffic volumes
2. As a VoIP carrier, my network looks like a DDOS attack all the time (oodles of UDP traffic). This makes most commercial solutions a square peg / round hole problem.
3. DDOS survivability must be designed into the network, not bolted on.
   1. Place access SBCs, peering SBCs, webservers, etc. on different networks and on different BGP advertisements.
   2. Have multiple access SBCs on different networks / routers / BGP advertisements.
   3. Use DNS to home ALL clients. When your access SBC succumbs to a reflection attack you can flip your customers using SRV records to the surviving SBCs. Customers using straight IP will remain down.
   4. Use CDN networks like Cloudflare / CloudFront, or just put webservers in EC2. Keep web away from voice. Webservers are attack magnets.
   5. Build defense in depth. Your network is a medieval castle: have moats and walls and soldiers.
4. Be a good netizen. If you are an ISP, implement BCP38. No open DNS recursors, no open NTP or SNMP services that are reflection targets. Leave no loaded weapons for others in your network.
5. Traffic scrubbing services typically don't mix well with VoIP carriers. This is basically the TSA of the network. (There are exceptions; the price tags have commas.)
6. How do you go about testing your protections? Don't just sit smugly in your house made of straw.
7. Most upstream carrier DDOS protection strategies include "blackhole the destination to protect the network". This saves them but accomplishes your attacker's goal.
8. Do you know how big of a DDOS it actually takes to hurt you? I'll bet it's less than you think.

So let's hear it. Who has experience on this front? What would you like to share? Comments on the above?

-Ryan

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received this message in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Unauthorized interception of this e-mail is a violation of federal criminal law. We reserve the right, when permitted by law, to scan electronic communications, including e-mail and instant messaging, for the purposes of security and compliance with our internal policy.
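Two of the points in Ryan's list worked in code, as an added example that is not part of the original post or any operator's tooling: first, telling a UDP flood against one access SBC apart from "something is just broken" by reading NetFlow volume and the SBC's own retransmission counter against a baseline (his items 1.1 to 1.3); second, the SRV flip from item 3.3, which re-homes DNS-based clients to the surviving SBCs while clients pinned to one address stay down. Every host name, counter, threshold and client here is constructed sample data, and the RFC 2782 selection is a plain reimplementation, not any SBC's or resolver's code.

```python
# Added example, not from the original post or any operator in the thread.
# It works two of Ryan's points: telling a UDP flood against one access SBC
# apart from "something is just broken" (NetFlow volume plus SBC
# retransmissions against a baseline), and the SRV-record flip that moves
# DNS-homed clients to the surviving SBCs while clients pinned to one
# address stay down. Every host, counter and client here is constructed.
import random
import statistics

# Constructed per-minute roll-ups: (minute, host, UDP packets/s toward the
# SBC from NetFlow, SIP request retransmissions from the SBC's own stats).
# Minutes 0-7 are quiet. Minute 8: sbc1 is flooded; sbc3 loses its upstream
# (retransmits climb, inbound volume flat); sbc2 is untouched.
FLOWS = []
for m in range(8):
    FLOWS.append((m, "sbc1.example.net", 12_000 + 300 * (m % 3), 40 + m))
    FLOWS.append((m, "sbc2.example.net", 9_500 + 200 * (m % 4), 35 + m))
    FLOWS.append((m, "sbc3.example.net", 7_000 + 150 * (m % 2), 30))
FLOWS += [
    (8, "sbc1.example.net", 480_000, 2_900),  # ~40x normal pps, retransmits spike
    (8, "sbc2.example.net", 9_700, 41),       # normal
    (8, "sbc3.example.net", 7_100, 1_800),    # retransmits spike, volume flat
]

def classify(flows, window=8, pps_factor=5.0, retrans_factor=5.0):
    """Compare each host's latest minute with the median of the preceding
    window. 'flood': pps and retransmits both far above baseline (NetFlow
    and the SBC agree). 'broken': retransmits up but volume flat, so peers
    are not being answered: a fault, not an attack. 'ok': nothing moved.
    The multipliers are illustrative; tune them to your own traffic."""
    by_host = {}
    for minute, host, pps, retrans in flows:
        by_host.setdefault(host, []).append((minute, pps, retrans))
    verdicts = {}
    for host, rows in by_host.items():
        rows.sort()
        hist, (_, pps_now, retrans_now) = rows[-window - 1:-1], rows[-1]
        if not hist:
            continue  # nothing to compare against yet
        pps_base = statistics.median(r[1] for r in hist)
        retrans_base = statistics.median(r[2] for r in hist) or 1
        volume_up = pps_now > pps_factor * pps_base
        retrans_up = retrans_now > retrans_factor * retrans_base
        verdicts[host] = ("flood" if volume_up and retrans_up
                          else "broken" if retrans_up else "ok")
    return verdicts

# Constructed SRV record set for _sip._udp.example.net:
# (priority, weight, port, target). sbc1/sbc2 share load; sbc3 is a backup.
SRV_RRSET = [
    (10, 50, 5060, "sbc1.example.net"),
    (10, 50, 5060, "sbc2.example.net"),
    (20, 100, 5060, "sbc3.example.net"),
]

def withdraw(rrset, verdicts):
    """Operator action: republish the set without the flooded SBC(s). With a
    short TTL this is the 'flip' that re-homes SRV-based clients."""
    return [rr for rr in rrset if verdicts.get(rr[3]) != "flood"]

def srv_select(rrset, rng=random):
    """RFC 2782 client side: lowest priority group that exists, then a
    weight-proportional random pick inside it. Returns (target, port)."""
    if not rrset:
        return None
    lowest = min(rr[0] for rr in rrset)
    group = [rr for rr in rrset if rr[0] == lowest]
    pick = rng.uniform(0, sum(rr[1] for rr in group))
    for _, weight, port, target in group:
        pick -= weight
        if pick <= 0:
            return target, port
    return group[-1][3], group[-1][2]

# Constructed clients. 'srv' clients resolve the record set on each
# registration; the rest were provisioned with one SBC's address (named by
# host here only for readability).
CLIENTS = [
    {"id": "pbx-a", "home": "srv"},
    {"id": "pbx-b", "home": "srv"},
    {"id": "ata-c", "home": "sbc1.example.net"},  # pinned to the flooded SBC
    {"id": "ata-d", "home": "sbc2.example.net"},
]

def reachability(clients, rrset, verdicts, rng=random):
    """SBC each client lands on after the withdrawal; None means it stays
    down until somebody reprovisions it by hand."""
    live = withdraw(rrset, verdicts)
    out = {}
    for c in clients:
        if c["home"] == "srv":
            chosen = srv_select(live, rng)
            out[c["id"]] = chosen[0] if chosen else None
        else:
            out[c["id"]] = None if verdicts.get(c["home"]) == "flood" else c["home"]
    return out
```

classify() only reports what the two signals agree on: on this sample it marks sbc1 as flooded, sbc3 as broken (retransmits up, inbound flat) and sbc2 as fine. withdraw() is the DNS change; how fast clients actually move is set by the SRV TTL and by whether their SIP stacks honour RFC 2782 at all, which is the caveat behind "customers using straight IP will remain down": ata-c above comes back as None.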

Just in case anyone may have any doubts... ARIN is again under attack (2nd time this month). I don't know of _who_ else may have more expertise in developing and deploying attack mitigation solutions than ARIN. IMHO, it's going to worsen soon because of another vicious cycle of "deregulations" and passing on more control over the Internet to 3rd (foreign) parties.

==
Date: Fri, 18 Mar 2016 15:37:48 -0400
From: ARIN <info at arin.net>
To: arin-announce at arin.net
Subject: [arin-announce] ARIN DDoS Attack
Message-ID: <56EC590C.1030902 at arin.net>
Content-Type: text/plain; charset=utf-8; format=flowed

Starting at 1:25 PM EDT on Friday, 18 March, a DDoS attack began against ARIN. This was and continues to be a sustained attack against our provisioning services, email, and website. We initiated our DDoS mitigation plan and are in the process of mitigating various types of attack traffic patterns. All our other public-facing services (Whois, Whois-RWS, RDAP, DNS, IRR, and RPKI repository services) are not affected by this attack and are operating normally.

We will announce an all clear 24 hours after the attacks have stopped.

Regards,
Mark Kosters
Chief Technology Officer
American Registry for Internet Numbers (ARIN)
==

I have reasons of not wanting to provide my address nor name.
==
On Mar 19, 2016, at 12:42 PM, Tim Linn <timothyl at voipinnovations.com> wrote:
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops

"24 hours" might be naively optimistic in this day and age... -- NAthan From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of GregoryB Sent: Saturday, March 19, 2016 10:28 AM To: voiceops at voiceops.org Subject: Re: [VoiceOps] . DDOS Attacks and ITSP's Just in case anyone may have any doubts? ARIN is again under the attack (2nd time this month). I don?t know of _who_ else may have more expertise in developing and deploying attack mitigation solutions than ARIN. IMHO - it?s going worsen soon because of another vicious cycle of ?deregulations? and passing on more control over the Internet to 3rd (foreign) parties. == Date: Fri, 18 Mar 2016 15:37:48 -0400 From: ARIN <info at arin.net<mailto:info at arin.net>> To: arin-announce at arin.net<mailto:arin-announce at arin.net> Subject: [arin-announce] ARIN DDoS Attack Message-ID: <56EC590C.1030902 at arin.net<mailto:56EC590C.1030902 at arin.net>> Content-Type: text/plain; charset=utf-8; format=flowed Starting at 1:25 PM EDT on Friday, 18 March, a DDoS attack began against ARIN. This was and continues to be a sustained attack against our provisioning services, email, and website. We initiated our DDoS mitigation plan and are in the process of mitigating various types of attack traffic patterns. All our other public-facing services (Whois, Whois-RWS, RDAP, DNS, IRR, and RPKI repository services) are not affected by this attack and are operating normally. We will announce an all clear 24 hours after the attacks have stopped. Regards, Mark Kosters Chief Technology Officer American Registry for Internet Numbers (ARIN) == I have reasons of not wanting to provide my address nor name. == On Mar 19, 2016, at 12:42 PM, Tim Linn <timothyl at voipinnovations.com<mailto:timothyl at voipinnovations.com>> wrote: Ryan, This is a great discussion to start. 
I can't contribute at this time, but I certainly plan on giving you guys all of the information about what we at VI have been doing, what has worked, what hasn't worked, what we saw, what we didn't see, etc. Certain contacts may not allow me to name company names, but I still think we can give out enough information to be useful. We definitely plan on giving this information out. Like you said, events like these are typically embarrassing and companies don't like to come out and describe exactly how negligent or naive they were to allow it. I feel that getting the knowledge out there is much more important than our pride though. Right now, we're not giving out a whole lot of information on what we are doing in fear that it will be "used against us." I do somewhat agree with your assessment about these people knowing this stuff already, but at this point we don't want to take the chance (as irrational as that seems). Once we're in a more stable place, I will certainly work with our Networking Engineer, Owner, and Operations Manager on trying to talk them into giving out the most information possible to arm you guys in the event that this occurs to any of you. In the meantime, if you have any questions, please feel free to email me. I will do my best to help as much as I can. 
Timothy Linn Lead Systems Engineer Voip Innovations Sent from my Verizon Wireless 4G LTE smartphone -------- Original message -------- From: voiceops-request at voiceops.org<mailto:voiceops-request at voiceops.org> Date: 2016/03/19 12:00 (GMT-05:00) To: voiceops at voiceops.org<mailto:voiceops at voiceops.org> Subject: VoiceOps Digest, Vol 81, Issue 38 ---------------------------------------------------------------------- Message: 1 Date: Fri, 18 Mar 2016 17:07:56 -0700 From: Ryan Delgrosso <ryandelgrosso at gmail.com<mailto:ryandelgrosso at gmail.com>> To: "voiceops at voiceops.org<mailto:voiceops at voiceops.org>" <voiceops at voiceops.org<mailto:voiceops at voiceops.org>> Subject: [VoiceOps] DDOS Attacks and ITSP's Message-ID: <56EC985C.6050203 at gmail.com<mailto:56EC985C.6050203 at gmail.com>> Content-Type: text/plain; charset="utf-8"; Format="flowed" With the current mega-thread about VI I figured I would get an educational discussion going about DDOS. Search the archives, Ive probably started this discussion a few times in the past but each time the context is different. I have given talks at several different venues (anyone here a CFCA member, or been to a Metaswitch forum event?) about DDOS and what the current arsenal of internet attacks means to voice. Unfortunately many network operators treat DDOS like a shameful thing and don't share information about it. This makes it that much harder for network operators to do the right thing and take meaningful and decisive action and ultimately makes the jobs of the attackers that much easier. Keep in mind sharing these kinds of tactics isn't "helping the attackers". They know this stuff. Its OK to tell them what they know. Who doesn't know this stuff are other operators that haven't been hit yet. Have you been hit by DDOS? Have you built out solutions to cope with DDOS? Ill start things off: 1. How do you know its a DDOS and something isn't just broken? 1. netflow 2. 
SBC retransmissions (this will often be your first warning) 3. Significant deviation from normal traffic volumes 2. As a VoIP carrier, my network looks like a DDOS attack all the time (oodles of UDP traffic). this makes most commercial solutions a square peg / round hole problem. 3. DDOS survivability must be designed into the network not bolted on. 1. Place Access SBC's, Peering SBC's, Webservers, etc on different networks and on different BGP adertisements. 2. Have multiple access SBC's on different networks / routers / BGP advertisements 3. Use DNS to home ALL clients. When your Access SBC succumbs to a reflection attack you can flip your customers using SRV records to the surviving SBC's. Customers using straight IP will remain down. 4. Use CDN networks like Cloudflare / Cloudfront or just put webservers in EC2. Keep web away from voice. Webservers are attack magnets. 5. Build defense in depth. Your network is a medieval castle, have moats and walls and soldiers. 4. Be a good netizen. If you are an ISP, implement BCP38. No open DNS recursors, no open NTP or SNMP services that are reflection targets. Leave no loaded weapons for others in your network. 5. Traffic scrubbing services typically don't mix well with VoIP carriers. This is basically the TSA of the network. (there are exceptions, the price tags have commas). 6. How do you go about testing your protections? Don't just sit smugly in your house made of straw. 7. Most upstream carrier DDOS protection strategies include "blackhole the destination to protect the network". This saves them but accomplishes your attackers goal. 8. Do you know how big of a DDOS it actually takes to hurt you? Ill bet its less than you think. So lets hear it. Who has experience on this front? What would you like to share? Comments on the above? -Ryan This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. 
If you have received this message in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Unauthorized interception of this e-mail is a violation of federal criminal law. We reserve the right, when permitted by law, to scan electronic communications, including e-mail and instant messaging, for the purposes of security and compliance with our internal policy. _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org<mailto:VoiceOps at voiceops.org> https://puck.nether.net/mailman/listinfo/voiceops

I don't know of _who_ else may have more expertise in developing and deploying attack mitigation solutions than ARIN.

Get real, just because they assign IPs and ASNs does not mean that they have DPI expertise.... !

IMHO, it's going to worsen soon because of another vicious cycle of "deregulations" and passing on more control over the Internet to 3rd (foreign) parties.

That is a bunch of Bull!, and fear mongering.... ARIN is an organization that manages assignment... they are not a Traffic COP nor are they responsible for checking packet content!

Faisal Imtiaz
Snappy Internet & Telecom

That is a bunch of Bull !, and fear mongering....
ARIN is an organization that manages assignment... they are not a Traffic COP nor are they responsible for checking packet content !
You're entitled to your own opinion. I have my own very practical and day-to-day experience in networking [since 1988], routing and security, as well as contacts in industry ever since. Also I still have very fresh memories from the previous "deregulation" when [the only, back then] domain registrar, Internic, had been removed from power and ICANN formed (1998). But that was related only to the domain name space. Now the integrity and reachability (neutrality?) of the whole Internet is at stake. I'm not saying ARIN (or RIPE, LACNIC, etc.) is ideal, but the collective expertise of the people involved there (because those people actually work or worked for the technical, routing, infrastructure, etc. departments of backbone Internet providers and of the largest as well as all other ranges of telecom providers), combined with regular gatherings of engineers and network administrators who exchange their experience, provides a good environment to collect, analyze and further systematise network matters.

--
Regards,
G.B.
On Mar 20, 2016, at 12:35 PM, Faisal Imtiaz <faisal at snappytelecom.net> wrote:
I don?t know of _who_ else may have more expertise in developing and deploying attack mitigation solutions than ARIN.
Get real, just because they assign IP's and ASN's does not mean that they have dpi expertise.... !
IMHO - it?s going worsen soon because of another vicious cycle of ?deregulations? and passing on more control over the Internet to 3rd (foreign) parties.
That is a bunch of Bull !, and fear mongering....
ARIN is an organization that manages assignment... they are not a Traffic COP nor are they responsible for checking packet content !
Faisal Imtiaz Snappy Internet & Telecom From: "GregoryB" <gb20090101 at gmail.com> To: "voiceops at voiceops.org" <voiceops at voiceops.org> Sent: Saturday, March 19, 2016 1:28:01 PM Subject: Re: [VoiceOps] . DDOS Attacks and ITSP's Just in case anyone may have any doubts? ARIN is again under the attack (2nd time this month). I don?t know of _who_ else may have more expertise in developing and deploying attack mitigation solutions than ARIN. IMHO - it?s going worsen soon because of another vicious cycle of ?deregulations? and passing on more control over the Internet to 3rd (foreign) parties. == Date: Fri, 18 Mar 2016 15:37:48 -0400 From: ARIN <info at arin.net <mailto:info at arin.net>> To: arin-announce at arin.net <mailto:arin-announce at arin.net> Subject: [arin-announce] ARIN DDoS Attack Message-ID: <56EC590C.1030902 at arin.net <mailto:56EC590C.1030902 at arin.net>> Content-Type: text/plain; charset=utf-8; format=flowed
Starting at 1:25 PM EDT on Friday, 18 March, a DDoS attack began against ARIN. This was and continues to be a sustained attack against our provisioning services, email, and website. We initiated our DDoS mitigation plan and are in the process of mitigating various types of attack traffic patterns. All our other public-facing services (Whois, Whois-RWS, RDAP, DNS, IRR, and RPKI repository services) are not affected by this attack and are operating normally.
We will announce an all clear 24 hours after the attacks have stopped.
Regards,
Mark Kosters Chief Technology Officer American Registry for Internet Numbers (ARIN) ==
I have reasons of not wanting to provide my address nor name. ==
On Mar 19, 2016, at 12:42 PM, Tim Linn <timothyl at voipinnovations.com <mailto:timothyl at voipinnovations.com>> wrote: Ryan,
This is a great discussion to start. I can't contribute at this time, but I certainly plan on giving you guys all of the information about what we at VI have been doing, what has worked, what hasn't worked, what we saw, what we didn't see, etc. Certain contacts may not allow me to name company names, but I still think we can give out enough information to be useful.
We definitely plan on giving this information out. Like you said, events like these are typically embarrassing and companies don't like to come out and describe exactly how negligent or naive they were to allow it.
I feel that getting the knowledge out there is much more important than our pride though. Right now, we're not giving out a whole lot of information on what we are doing in fear that it will be "used against us." I do somewhat agree with your assessment about these people knowing this stuff already, but at this point we don't want to take the chance (as irrational as that seems).
Once we're in a more stable place, I will certainly work with our Networking Engineer, Owner, and Operations Manager on trying to talk them into giving out the most information possible to arm you guys in the event that this occurs to any of you.
In the meantime, if you have any questions, please feel free to email me. I will do my best to help as much as I can.
Timothy Linn Lead Systems Engineer Voip Innovations
Sent from my Verizon Wireless 4G LTE smartphone
-------- Original message -------- From: voiceops-request at voiceops.org <mailto:voiceops-request at voiceops.org> Date: 2016/03/19 12:00 (GMT-05:00) To: voiceops at voiceops.org <mailto:voiceops at voiceops.org> Subject: VoiceOps Digest, Vol 81, Issue 38
----------------------------------------------------------------------
Message: 1 Date: Fri, 18 Mar 2016 17:07:56 -0700 From: Ryan Delgrosso <ryandelgrosso at gmail.com <mailto:ryandelgrosso at gmail.com>> To: "voiceops at voiceops.org <mailto:voiceops at voiceops.org>" <voiceops at voiceops.org <mailto:voiceops at voiceops.org>> Subject: [VoiceOps] DDOS Attacks and ITSP's Message-ID: <56EC985C.6050203 at gmail.com <mailto:56EC985C.6050203 at gmail.com>> Content-Type: text/plain; charset="utf-8"; Format="flowed"
With the current mega-thread about VI I figured I would get an educational discussion going about DDOS. Search the archives, I've probably started this discussion a few times in the past but each time the context is different.
I have given talks at several different venues (anyone here a CFCA member, or been to a Metaswitch forum event?) about DDOS and what the current arsenal of internet attacks means to voice. Unfortunately many network operators treat DDOS like a shameful thing and don't share information about it. This makes it that much harder for network operators to do the right thing and take meaningful and decisive action and ultimately makes the jobs of the attackers that much easier.
Keep in mind sharing these kinds of tactics isn't "helping the attackers". They know this stuff. It's OK to tell them what they know. Who doesn't know this stuff are other operators that haven't been hit yet.
Have you been hit by DDOS? Have you built out solutions to cope with DDOS?
I'll start things off:
1. How do you know it's a DDOS and something isn't just broken?
   1. netflow
   2. SBC retransmissions (this will often be your first warning)
   3. Significant deviation from normal traffic volumes
2. As a VoIP carrier, my network looks like a DDOS attack all the time (oodles of UDP traffic). This makes most commercial solutions a square peg / round hole problem.
3. DDOS survivability must be designed into the network, not bolted on.
   1. Place Access SBC's, Peering SBC's, Webservers, etc. on different networks and on different BGP advertisements.
   2. Have multiple access SBC's on different networks / routers / BGP advertisements.
   3. Use DNS to home ALL clients. When your Access SBC succumbs to a reflection attack you can flip your customers using SRV records to the surviving SBC's. Customers using straight IP will remain down.
   4. Use CDN networks like Cloudflare / Cloudfront or just put webservers in EC2. Keep web away from voice. Webservers are attack magnets.
   5. Build defense in depth. Your network is a medieval castle, have moats and walls and soldiers.
4. Be a good netizen. If you are an ISP, implement BCP38. No open DNS recursors, no open NTP or SNMP services that are reflection targets. Leave no loaded weapons for others in your network.
5. Traffic scrubbing services typically don't mix well with VoIP carriers. This is basically the TSA of the network. (There are exceptions; the price tags have commas.)
6. How do you go about testing your protections? Don't just sit smugly in your house made of straw.
7. Most upstream carrier DDOS protection strategies include "blackhole the destination to protect the network". This saves them but accomplishes your attacker's goal.
8. Do you know how big of a DDOS it actually takes to hurt you? I'll bet it's less than you think.
So let's hear it. Who has experience on this front? What would you like to share? Comments on the above?
-Ryan This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received this message in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Unauthorized interception of this e-mail is a violation of federal criminal law. We reserve the right, when permitted by law, to scan electronic communications, including e-mail and instant messaging, for the purposes of security and compliance with our internal policy. _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org> https://puck.nether.net/mailman/listinfo/voiceops
_______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
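Added example (not from the thread and not any operator's production code): a small Python classifier that applies Ryan's point 1, flow records plus SBC retransmissions plus deviation from normal volume, to constructed one-minute windows aimed at a single access SBC. The point it makes is the one Ryan raises: a retransmission spike with normal ingress volume means something is broken, while a volume spike from reflector source ports or from thousands of new sources means you are being flooded. Every address, flow record, baseline and retransmission ratio below is made up, and the thresholds (z-score of 4, retransmissions at three times baseline) are assumptions you would tune against your own history.

```python
"""Tell a DDOS from "something just broke" with the three signals Ryan lists:
flow (netflow) records, SBC retransmissions and deviation from normal volume.
Added example, not from the thread; every address, flow record and baseline
below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# UDP source ports typical of amplified reflection replies: DNS, NTP, SNMP,
# SSDP, CLDAP, chargen.  Ryan names the first three as reflection targets.
REFLECTOR_PORTS = {53, 123, 161, 1900, 389, 19}
WINDOW_S = 60  # seconds each constructed flow window covers


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    octets: int


def summarize(flows, window_s=WINDOW_S):
    """Per destination: pps, distinct sources and the share of packets whose
    source port belongs to a reflector service."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    stats = {}
    for dst, fl in by_dst.items():
        pkts = sum(f.packets for f in fl)
        refl = sum(f.packets for f in fl if f.sport in REFLECTOR_PORTS)
        stats[dst] = {
            "pps": pkts / window_s,
            "sources": len({f.src for f in fl}),
            "reflector_share": refl / pkts if pkts else 0.0,
        }
    return stats


def zscore(value, history):
    """Standard deviations above the mean of recent normal windows.  The floor
    on the deviation keeps a very flat history from flagging small wobbles."""
    mu = mean(history)
    sd = max(pstdev(history), 0.1 * mu, 1.0)
    return (value - mu) / sd


def classify(stats, baseline, retrans_ratio, retrans_baseline, z_limit=4.0):
    """Verdict for one access SBC address.  `baseline` holds lists of pps and
    source counts from recent normal windows; `retrans_ratio` is SIP
    retransmissions / SIP requests the SBC saw this window."""
    z_pps = zscore(stats["pps"], baseline["pps"])
    z_src = zscore(stats["sources"], baseline["sources"])
    retrans_up = retrans_ratio > 3 * retrans_baseline
    if z_pps > z_limit and stats["reflector_share"] > 0.5:
        return "reflection attack"
    if z_pps > z_limit and z_src > z_limit:
        return "volumetric attack, many sources"
    if retrans_up and z_pps <= z_limit:
        # Phones are retransmitting but ingress volume is normal: the SBC or
        # the path to it is broken, not flooded.  Check routing, upstreams
        # and the SBC itself before calling it an attack.
        return "likely broken, not attack"
    if retrans_up or z_pps > z_limit:
        return "anomaly, investigate"
    return "normal"


def build_windows():
    """Constructed one-minute windows aimed at one access SBC; each entry is
    (flows, SIP retransmission ratio the SBC reported for that minute)."""
    sbc = "192.0.2.10"
    # 250 customer sites registering and calling: 960 packets each per minute
    normal = [Flow(f"198.51.100.{i}", 5060, sbc, 5060, 960, 192_000)
              for i in range(1, 251)]
    # 100 NTP servers each bouncing 20k large replies at the SBC
    ntp = normal + [Flow(f"203.0.113.{i}", 123, sbc, 5060, 20_000, 9_000_000)
                    for i in range(1, 101)]
    # 2048 bots each sending 2000 small SIP requests
    flood = normal + [Flow(f"100.64.{j}.{k}", 5060, sbc, 5060, 2_000, 1_000_000)
                      for j in range(8) for k in range(256)]
    return sbc, {
        "quiet_day": (normal, 0.02),
        "ntp_reflection": (ntp, 0.60),
        "sip_flood": (flood, 0.50),
        "upstream_fault": (normal, 0.40),  # same volume, phones timing out
    }


def run_demo():
    """Classify each constructed window; returns {window_name: verdict}."""
    sbc, windows = build_windows()
    baseline = {"pps": [4000, 4100, 3950, 4050, 3900],
                "sources": [250, 255, 248, 251, 253]}
    return {name: classify(summarize(flows)[sbc], baseline, retrans, 0.02)
            for name, (flows, retrans) in windows.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:15s} -> {verdict}")
```

In practice the flow records come from your collector's export for the SBC's address and the retransmission ratio from the SBC's own counters; the classifier is deliberately simple so the logic that separates "broken" from "attacked" stays visible.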

Yes, everyone is entitled to their opinion... yours seem to be stuck in 1988... as we say, that was then and this is now... (BTW, I too have been involved in the industry for 30+ years). The internet is no longer an 'American thing'; it began to become global ever since it transitioned from the University Networks into a Public Network.... You seem to be confusing ARIN, ICANN, etc. with NANOG.... and imply as if the shift of network standards control to an International Body vs. an American Body is responsible for malicious traffic ... So if I apply your logic, then ... President Eisenhower, who commissioned the National Highway infrastructure, is also responsible for the crime that happens involving anyone using a getaway car as well as all the people who get killed on the road.... After all, all the smart folks who were responsible for the design and implementation of the National Highway system were also the experts in the Automotive industry at that time? Get over it, you can stop wearing a tin hat, and get a global perspective on things... Faisal Imtiaz Snappy Internet & Telecom
From: "GregoryB" <gb20090101 at gmail.com> To: "Faisal Imtiaz" <faisal at snappytelecom.net> Cc: "voiceops at voiceops.org" <voiceops at voiceops.org> Sent: Sunday, March 20, 2016 1:56:45 PM Subject: Re: [VoiceOps] . DDOS Attacks and ITSP's
That is a bunch of Bull !, and fear mongering....
ARIN is an organization that manages assignment... they are not a Traffic COP nor are they responsible for checking packet content !
You're entitled to your own opinion.
I have my own very practical and day to day experience in networking [since 1988], routing and security as well as contacts in industry ever since.
Also I still have very fresh memories from the previous "deregulation" when [the only, back then] domain registrar, Internic, had been removed from power and ICANN was formed (1998). But that was related only to the domain name space. Now the integrity and reachability (neutrality?) of the whole Internet is at stake. I'm not saying ARIN (or RIPE, LACNIC, etc.) is ideal, but the collective expertise of the people involved there (because those people actually work or worked for the technical, routing, infrastructure, etc. departments of backbone Internet providers and the largest as well as all possible ranges of telecom providers), combined with regular gatherings of engineers and network administrators who exchange their experience, provides a good environment to collect, analyze and further systematise network matters. -- Regards, G.B.
On Mar 20, 2016, at 12:35 PM, Faisal Imtiaz < faisal at snappytelecom.net > wrote:
I don't know of _who_ else may have more expertise in developing and deploying attack mitigation solutions than ARIN.
Get real, just because they assign IP's and ASN's does not mean that they have dpi expertise.... !
IMHO - it's going to worsen soon because of another vicious cycle of "deregulations" and passing on more control over the Internet to 3rd (foreign) parties.
That is a bunch of Bull !, and fear mongering....
ARIN is an organization that manages assignment... they are not a Traffic COP nor are they responsible for checking packet content !
Faisal Imtiaz Snappy Internet & Telecom
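Added example, not from the thread and not anyone's production code, for Ryan's item 3.3 in the list quoted earlier: home every client through DNS SRV so that an access SBC under attack can be drained by publishing new records. The Python below implements the RFC 2782 selection order (ascending priority, weighted random within a priority) that a compliant SIP client follows, simulates a fleet of phones before and after the attacked SBC is pulled from the zone, and shows the caveat Ryan states: phones configured with a literal IP never consult DNS and stay pointed at the dead box. The service name, SBC hostnames, the 192.0.2.10 address and the fleet sizes are constructed.

```python
"""Home SIP clients with DNS SRV so customers can be flipped off an access SBC
that is being flooded.  Added example, not from the thread; service name,
targets, addresses and fleet sizes are constructed."""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int   # lower is tried first
    weight: int     # share of load within one priority
    port: int
    target: str


SERVICE = "_sip._udp.sip.example.net."

# Normal zone: two access SBCs share load, a third is pure backup.
ZONE_NORMAL = {SERVICE: [
    SRV(10, 50, 5060, "sbc-a.example.net."),
    SRV(10, 50, 5060, "sbc-b.example.net."),
    SRV(20, 0, 5060, "sbc-c.example.net."),
]}


def weighted_pick(pool, rng):
    """RFC 2782 selection within one priority: order weight-0 records first,
    draw a number in [0, total], take the first record whose running sum
    reaches it."""
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool)
    n = rng.randint(0, total)
    running = 0
    for rec in sorted(pool, key=lambda r: r.weight):
        running += rec.weight
        if running >= n:
            return rec
    return pool[-1]


def order_targets(records, rng):
    """Order in which one client tries the SBCs: ascending priority, weighted
    random within each priority."""
    remaining = list(records)
    ordered = []
    while remaining:
        lowest = min(r.priority for r in remaining)
        pool = [r for r in remaining if r.priority == lowest]
        while pool:
            rec = weighted_pick(pool, rng)
            ordered.append(rec)
            pool.remove(rec)
            remaining.remove(rec)
    return ordered


def try_order(records, seed=1):
    """Target names in the order a single client (seeded) would try them."""
    return [r.target for r in order_targets(records, random.Random(seed))]


def drain_target(zone, dead_target):
    """Publish a zone with the attacked SBC removed.  Clients re-home only
    after their cached SRV answer expires, so keep the TTL on these records
    short enough for the flip to take effect inside your outage budget."""
    return {name: [r for r in recs if r.target != dead_target]
            for name, recs in zone.items()}


def first_hop(client, zone, rng):
    """Where one client sends its next REGISTER.  A client configured with a
    literal IP never consults DNS and keeps hitting the dead box."""
    if "ip" in client:
        return client["ip"]
    return order_targets(zone[client["srv"]], rng)[0].target


def simulate(zone, clients, seed=1):
    """Count first-choice SBC across a population of clients."""
    rng = random.Random(seed)
    return Counter(first_hop(c, zone, rng) for c in clients)


def build_clients(n_srv=1000, n_ip=50):
    """Constructed fleet: most phones use SRV, a few are hard-coded to the IP
    of sbc-a (192.0.2.10, constructed)."""
    return [{"srv": SERVICE}] * n_srv + [{"ip": "192.0.2.10"}] * n_ip


if __name__ == "__main__":
    clients = build_clients()
    print("normal  :", dict(simulate(ZONE_NORMAL, clients)))
    failover = drain_target(ZONE_NORMAL, "sbc-a.example.net.")
    print("failover:", dict(simulate(failover, clients)))
```

Removing the record rather than just raising its priority matters: a record left in at a worse priority is still tried once the surviving SBCs are unreachable, which keeps traffic flowing toward the address the attacker is aiming at.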

I like the idea. Perhaps people would be more willing to share their experiences if there were a message board or other place to maintain anonymity?
On Mar 19, 2016, at 12:42, Tim Linn <timothyl at voipinnovations.com> wrote:

Because...signing up for yet another free Gmail account and then subscribing to a mailing list with that is less anonymous, somehow? :) -- Nathan
________________________________________
From: VoiceOps [voiceops-bounces at voiceops.org] On Behalf Of Peter E [peeip989 at gmail.com] Sent: Saturday, March 19, 2016 12:14 PM To: Tim Linn Cc: voiceops at voiceops.org Subject: Re: [VoiceOps] . DDOS Attacks and ITSP's
I like the idea. Perhaps people would be more willing to share their experiences if there were a message board or other place to maintain anonymity?
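Added example, not from the thread and not anyone's production code, for Ryan's point 4 in the list quoted earlier (implement BCP38, leave no loaded weapons in your network). Enforcement belongs on the router, for example strict unicast RPF on customer-facing interfaces (on Cisco IOS, `ip verify unicast source reachable-via rx`); the Python below is the audit that proves the filters actually hold, by checking exported flow records for packets whose source address does not belong to a prefix routed behind the interface they arrived on, and by counting how many of those spoofed packets are aimed at reflector ports, which is what a customer launching a reflection attack through you looks like. Interface names, prefixes and flow records are constructed.

```python
"""Audit flow exports for spoofed sources leaving your network, i.e. check that
BCP38 ingress filtering actually holds on every customer edge.  Added example,
not from the thread; interfaces, prefixes and flows are constructed."""
import ipaddress
from collections import defaultdict

# Constructed: prefixes legitimately sourced behind each customer-facing interface.
INTERFACE_PREFIXES = {
    "ge-0/0/1": ["198.51.100.0/24"],
    "ge-0/0/2": ["203.0.113.0/25", "2001:db8:1::/48"],
}

# Destination ports whose services amplify: DNS, NTP, SNMP, SSDP.
REFLECTOR_DPORTS = {53, 123, 161, 1900}

# Constructed flow records as a collector would return them:
# (ingress interface, src, dst, dport, packets).  The third and fourth rows
# are a customer host spoofing a victim's address to bounce DNS/NTP replies
# onto it; the last row is a source outside the /25 assigned to that port.
FLOWS = [
    ("ge-0/0/1", "198.51.100.20", "192.0.2.1", 443, 120),
    ("ge-0/0/2", "203.0.113.9", "192.0.2.1", 5060, 800),
    ("ge-0/0/1", "192.0.2.77", "192.0.2.53", 53, 50_000),
    ("ge-0/0/1", "192.0.2.77", "192.0.2.123", 123, 40_000),
    ("ge-0/0/2", "2001:db8:1::10", "2001:db8:ffff::1", 443, 30),
    ("ge-0/0/2", "203.0.113.200", "192.0.2.1", 80, 10),
]


def build_index(table):
    """Parse the prefix table once into ipaddress network objects."""
    return {ifc: [ipaddress.ip_network(p) for p in prefixes]
            for ifc, prefixes in table.items()}


def source_allowed(src, ifc, index):
    """Strict check, like strict uRPF: the source must fall inside a prefix
    routed via the interface the packet arrived on.  Comparing an IPv4
    address against an IPv6 network is simply False, so mixed tables work."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in index.get(ifc, []))


def audit(flows, index):
    """Return, per interface that leaked spoofed packets, the spoofed packet
    count, the offending sources and how many of those packets were aimed at
    reflector ports.  An empty result means BCP38 holds on every edge."""
    leaks = defaultdict(lambda: {"spoofed_packets": 0, "sources": set(),
                                 "reflection_packets": 0})
    for ifc, src, dst, dport, packets in flows:
        if source_allowed(src, ifc, index):
            continue
        entry = leaks[ifc]
        entry["spoofed_packets"] += packets
        entry["sources"].add(src)
        if dport in REFLECTOR_DPORTS:
            entry["reflection_packets"] += packets
    return dict(leaks)


def run_demo():
    """Audit the constructed flows against the constructed prefix table."""
    return audit(FLOWS, build_index(INTERFACE_PREFIXES))


if __name__ == "__main__":
    for ifc, entry in run_demo().items():
        print(f"{ifc}: {entry['spoofed_packets']} spoofed packets from "
              f"{sorted(entry['sources'])}, {entry['reflection_packets']} "
              f"aimed at reflector ports")
```

A non-empty report for an interface means the filter on that edge is missing or wrong; the reflection_packets figure tells you whether the leak is already being used against someone else.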
participants (5)
- faisal@snappytelecom.net
- gb20090101@gmail.com
- nathana@fsr.com
- peeip989@gmail.com
- timothyl@voipinnovations.com