[VoiceOps] DDOS attacks against ITSPs

PE peeip989 at gmail.com
Mon Oct 15 08:56:35 EDT 2012 

This is an important topic. And whether you know it or not, your network
has, at some time I'm sure, been under fire, whether a DDoS, Registration
flood, or other. A true DDoS is obviously the hardest to deal with, though
the others can also cause harm. In my experience, a Registration flood is
the most common, and the signatures are generally:

1. Scan of your IP's
2. Attempt to register to any that reply to SIP
3. Registrations are usally to 4-digit extensions. I guess the attacker is
hoping to hit a PBX, not necesarily an ITSP
4. User-agent is usually "friendly-scanner"  (i.. SipVicious)
5. Many come from international locations

Acme has some good documentation on the topic as well as best common
practices for configuration. Their ACLs are supposed to offload the
processing from the CPU (where the heavy lifting of SIP B2BUA is done) to
the interface. Of course, no interface can truly stop a flood that fills
the pipe.

So, what to do?

First, check your configs and do the most you can there. Next, if you have
the tools, keep an eye on registrations and overall bandwidth in and out of
your network and to specific interfaces. When you see an odd spike, dig
into it and block the sender, where appropriate. Geographic diversity may
help, but IP diversity might be equally effective, though some gear does
not support this.

I'm curious if anyone has set up a honey-pot to find the bad guys before
they find you and if so, what has the success been. Would the list be
willing to share their blacklists?



On Fri, Oct 12, 2012 at 8:23 PM, Ryan Delgrosso <ryandelgrosso at gmail.com>wrote:

> All,
> I am relatively certain most of you have heard about the issue CallCentric
> had experienced recently where they came under a significant DDOS attack.
> My question to the community at large is, who here has been down this road
> and been attacked; and what was the signature of that attack. I am sure
> your are not alone and we could probably all do fairly well to compare
> notes on the topic.
>
> This year alone we have seen at least 7 different flavors of DDOS attacks
> aimed at our resources some impactful some not, and I would be extremely
> interested in comparing notes with anyone else (especially callcentric
> engineers) who are interested in hoping to share information and perhaps
> prevent the next major incident.
>
> Feel free to respond on or off list as you see fit.
>
> -Ryan
> ______________________________**_________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/**mailman/listinfo/voiceops<https://puck.nether.net/mailman/listinfo/voiceops>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20121015/e3c5104b/attachment.html>

More information about the VoiceOps mailing list