[VoiceOps] Mitigating or stopping TDOS attacks - any advice?

Matthew Yaklin myaklin at firstlight.net
Mon May 15 11:03:31 EDT 2017

Do you know off hand what criteria Kamailio commonly uses to dump excessive SIP flows?

Is it based on IP (black/whitelists)? Throttling back INVITES from the same source?

A common method that was in the news was someone posting a malicious link on twitter (for example) that caused cell phones to dial 911. If the twitter feed is read by folks who live in Massachusetts for example the 911 call center could be flooded for a period of time. Just an example.

Is this another case, like DDOS, where we are just screwed for the most part as providers?


From: sasha at evaristesys.com <sasha at evaristesys.com> on behalf of Alex Balashov <abalashov at evaristesys.com>
Sent: Monday, May 15, 2017 10:49:29 AM
To: Matthew Yaklin
Cc: voiceops at voiceops.org
Subject: Re: [VoiceOps] Mitigating or stopping TDOS attacks - any advice?

In the open-source world, this is an application to which Kamailio is
exceptionally well-suited, provided you can devise some means of putting
the customer "behind" it.

The lightweight architecture and enormous message throughput makes it an
exceptionally good fit for lightly stateful tasks like dumping excessive
SIP flows.

On Mon, May 15, 2017 at 02:44:30PM +0000, Matthew Yaklin wrote:

> Hello all,
> I am curious what others have in place or actions they take when a customer is the target of a TDOS attack?
> TDOS being Telephony Denial of Service. An attack where the perp uses whatever means to flood a customer's telephone service with unwanted calls.
> Say you are a multi state CLEC. You have multiple brands of switches (Meta, Taqua, DMS, Genband, etc...) as well as ACME and Perimeta SBCs in use. You have legacy TDM as well as SIP trunks. Your customers are served via legacy and modern methods. You have hosted PBX as well (Broadsoft). Many customers are on your LAN but many are on the internet. So that is our situation. Or you can be bigger or smaller. No matter the size I would welcome how you handle it.
> We have asked our manufacturers for advice but they have only provided the basic number blocking available by default on the switch. Meta and Genband have provided little other than pointing to existing features. If you have any thoughts on whether there is something we can provide based upon SIP messaging or other creative solutions that would be awesome!
> So I welcome a discussion on this and any advice other operators can give.
> Thank you very much,
> Matt

> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops

Alex Balashov | Principal | Evariste Systems LLC

Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20170515/ce338d06/attachment.html>

More information about the VoiceOps mailing list