[VoiceOps] DDOS Attacks and ITSP's

Ryan Delgrosso ryandelgrosso at gmail.com
Fri Mar 18 20:07:56 EDT 2016 

With the current mega-thread about VI I figured I would get an 
educational discussion going about DDOS. Search the archives, Ive 
probably started this discussion a few times in the past but each time 
the context is different.

I have given talks at several different venues (anyone here a CFCA 
member, or been to a Metaswitch forum event?) about DDOS and what the 
current arsenal of internet attacks means to voice. Unfortunately many 
network operators treat DDOS like a shameful thing and don't share 
information about it. This makes it that much harder for network 
operators to do the right thing and take meaningful and decisive action 
and ultimately makes the jobs of the attackers that much easier.

Keep in mind sharing these kinds of tactics isn't "helping the 
attackers". They know this stuff. Its OK to tell them what they know. 
Who doesn't know this stuff are other operators that haven't been hit yet.

Have you been hit by DDOS? Have you built out solutions to cope with DDOS?

Ill start things off:

 1. How do you know its a DDOS and something isn't just broken?
     1. netflow
     2. SBC retransmissions (this will often be your first warning)
     3. Significant deviation from normal traffic volumes
 2. As a VoIP carrier, my network looks like a DDOS attack all the time
    (oodles of UDP traffic). this makes most commercial solutions a
    square peg / round hole problem.
 3. DDOS survivability must be designed into the network not bolted on.
     1. Place Access SBC's, Peering SBC's, Webservers, etc on different
        networks and on different BGP adertisements.
     2. Have multiple access SBC's on different networks / routers / BGP
        advertisements
     3. Use DNS to home ALL clients. When your Access SBC succumbs to a
        reflection attack you can flip your customers using SRV records
        to the surviving SBC's. Customers using straight IP will remain
        down.
     4. Use CDN networks like Cloudflare / Cloudfront or just put
        webservers in EC2. Keep web away from voice. Webservers are
        attack magnets.
     5. Build defense in depth. Your network is a medieval castle, have
        moats and walls and soldiers.
 4. Be a good netizen. If you are an ISP, implement BCP38. No open DNS
    recursors, no open NTP or SNMP services that are reflection targets.
    Leave no loaded weapons for others in your network.
 5. Traffic scrubbing services typically don't mix well with VoIP
    carriers. This is basically the TSA of the network. (there are
    exceptions, the price tags have commas).
 6. How do you go about testing your protections? Don't just sit smugly
    in your house made of straw.
 7. Most upstream carrier DDOS protection strategies include "blackhole
    the destination to protect the network". This saves them but
    accomplishes your attackers goal.
 8. Do you know how big of a DDOS it actually takes to hurt you? Ill bet
    its less than you think.


So lets hear it. Who has experience on this front? What would you like 
to share? Comments on the above?

-Ryan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20160318/d74513e6/attachment.html>

More information about the VoiceOps mailing list