[VoiceOps] VoIP Provider DDoSes
Mike Hammett
voiceops at ics-il.net
Mon Oct 4 09:21:31 EDT 2021
For those that don't know what BGPlay is...
https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=67.231.4.88&w.starttime=1632921600&w.endtime=1632960000&w.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com
----- Original Message -----
From: "Joseph Jackson" <jjackson at aninetworks.net>
To: "Mike Hammett" <voiceops at ics-il.net>
Cc: "Tim Bray" <tim at kooky.org>, voiceops at voiceops.org
Sent: Saturday, October 2, 2021 11:20:26 AM
Subject: RE: [VoiceOps] VoIP Provider DDoSes
Is now. If you look at their BGP announcements over the last week using something like BGPlay, you can see them move all their prefixes behind Cloudflare.
From: Mike Hammett [mailto:voiceops at ics-il.net]
Sent: Saturday, October 02, 2021 10:30 AM
To: Joseph Jackson
Cc: Tim Bray; voiceops at voiceops.org
Subject: Re: [VoiceOps] VoIP Provider DDoSes
Has been or is now?
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com
----- Original Message -----
From: "Joseph Jackson" <jjackson at aninetworks.net>
To: "Tim Bray" <tim at kooky.org>, voiceops at voiceops.org
Sent: Saturday, October 2, 2021 9:43:23 AM
Subject: Re: [VoiceOps] VoIP Provider DDoSes
Bandwidth.com is using Cloudflare's Magic Transit for DDoS protection. Seems to be working OK. CF says it doesn’t matter the protocol; they can scrub the traffic.
From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Tim Bray via VoiceOps
Sent: Friday, October 01, 2021 9:34 AM
To: voiceops at voiceops.org
Subject: Re: [VoiceOps] VoIP Provider DDoSes
On 26/09/2021 21:54, Mike Hammett wrote:
Are your garden variety DDoS mitigation platforms or services equipped to handle DDoSes of VoIP services? What nuances does one have to be cognizant of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
Without saying too much:
Seems to be a spate of DDoS against UK-based VoIP providers at the moment. For ransom. Don't pay.
One provider said that traditional approaches did not work. They tried Voxility but just got false positives. There are providers that do work.
But in the UK a lot of traffic goes over peers through internet exchanges. So just swapping transit is only half the problem.
Prep wise:
So practice altering your IP advertisements, dropping and bringing up peers. If you connect to route servers, practice doing selective announcements. Try to get private interconnects to your upstream telco providers. Get your network teams warmed up for when it does happen. If you host with a cloud provider, have a backup because if DDoS is coming from the same cloud .....
Tim
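
Added example, not part of the original thread: the kind of change the thread describes seeing in BGPlay (a prefix moving behind a different upstream) can be flagged from route-collector updates by watching the (upstream, origin) pair per collector peer. The record layout, peer labels, prefix and AS numbers below are constructed for illustration (documentation prefix, reserved ASNs); they are not RIPEstat's schema or any real network's routes.

```python
from collections import namedtuple

# One BGP announcement as seen by a collector peer.
# Field names are assumptions for this example.
Update = namedtuple("Update", "ts peer prefix as_path")

# Constructed sample data: 192.0.2.0/24 and ASNs 64496-64511 are
# reserved for documentation.
SAMPLE = [
    Update(1632921600, "rrc00-a", "192.0.2.0/24", [64500, 64501, 64496]),
    Update(1632921660, "rrc01-b", "192.0.2.0/24", [64502, 64501, 64496]),
    # The prefix now appears behind a different upstream (64510).
    Update(1632930000, "rrc00-a", "192.0.2.0/24", [64500, 64510, 64496]),
    Update(1632930050, "rrc01-b", "192.0.2.0/24", [64502, 64510, 64496]),
    # Prepending only: same upstream and origin, must not raise an event.
    Update(1632940000, "rrc00-a", "192.0.2.0/24", [64500, 64510, 64510, 64496]),
]

def dedupe_prepends(path):
    """Collapse AS-path prepending (consecutive repeats) to one hop each."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def upstream_changes(updates):
    """Return (ts, peer, prefix, old, new) each time the (upstream, origin)
    pair seen by one collector peer for one prefix changes."""
    last, events = {}, []
    for u in sorted(updates, key=lambda u: u.ts):
        path = dedupe_prepends(u.as_path)
        if not path:
            continue  # empty path: nothing to compare
        cur = (path[-2] if len(path) > 1 else None, path[-1])
        key = (u.peer, u.prefix)
        prev = last.get(key)
        if prev is not None and prev != cur:
            events.append((u.ts, u.peer, u.prefix, prev, cur))
        last[key] = cur
    return events

if __name__ == "__main__":
    for ts, peer, prefix, old, new in upstream_changes(SAMPLE):
        print(f"{ts} {peer} {prefix}: upstream/origin {old} -> {new}")
```

Running the same check on your own prefixes during an announcement drill shows how quickly each collector peer picks up the change.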