[VoiceOps] VoIP Provider DDoSes

Jared Geiger jared at compuwizz.net
Thu Oct 7 18:34:11 EDT 2021


Cloudflare made another blog post about what kinds of traffic they are
seeing. https://blog.cloudflare.com/update-on-voip-attacks/

One problem is if Cloudflare drops UDP fragments, that could cause some
calls to fail and others not to. Especially now with SHAKEN/STIR certs in
the headers and people putting every codec known to man on the INVITEs.
Verizon specifically mentioned UDP fragments in the email notice before
they put S/S on TF Inbound. So Cloudflare Magic Transit isn't necessarily
the easy button for protecting VoIP traffic but it would definitely help
keep a network alive and processing calls during an attack.

On Mon, Oct 4, 2021 at 6:24 AM Mike Hammett <voiceops at ics-il.net> wrote:

> For those that don't know what BGPlay is...
>
>
>
> https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=67.231.4.88&w.starttime=1632921600&w.endtime=1632960000&w.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
>
> Midwest Internet Exchange
> http://www.midwest-ix.com
>
>
>
> ------------------------------
> *From: *"Joseph Jackson" <jjackson at aninetworks.net>
> *To: *"Mike Hammett" <voiceops at ics-il.net>
> *Cc: *"Tim Bray" <tim at kooky.org>, voiceops at voiceops.org
> *Sent: *Saturday, October 2, 2021 11:20:26 AM
> *Subject: *RE: [VoiceOps] VoIP Provider DDoSes
>
> Is now.  If you look at their BGP announcements over the last week using
> something like bgplay you can see them move all their prefixes behind
> Cloudflare.
>
> *From:* Mike Hammett [mailto:voiceops at ics-il.net]
> *Sent:* Saturday, October 02, 2021 10:30 AM
> *To:* Joseph Jackson
> *Cc:* Tim Bray; voiceops at voiceops.org
> *Subject:* Re: [VoiceOps] VoIP Provider DDoSes
>
>
>
> Has been or is now?
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
>
> Midwest Internet Exchange
> http://www.midwest-ix.com
>
>
>
> ------------------------------
>
> *From: *"Joseph Jackson" <jjackson at aninetworks.net>
> *To: *"Tim Bray" <tim at kooky.org>, voiceops at voiceops.org
> *Sent: *Saturday, October 2, 2021 9:43:23 AM
> *Subject: *Re: [VoiceOps] VoIP Provider DDoSes
>
> Bandwidth.com is using Cloudflare's Magic Transit for DDoS protection.
> Seems to be working ok.  CF says it doesn't matter the protocol they can
> scrub the traffic.
>
> *From:* VoiceOps [mailto:voiceops-bounces at voiceops.org] *On Behalf Of *Tim
> Bray via VoiceOps
> *Sent:* Friday, October 01, 2021 9:34 AM
> *To:* voiceops at voiceops.org
> *Subject:* Re: [VoiceOps] VoIP Provider DDoSes
>
>
>
>
>
> On 26/09/2021 21:54, Mike Hammett wrote:
>
>
>
> Are your garden variety DDoS mitigation platforms or services equipped to
> handle DDoSes of VoIP services? What nuances does one have to be cognizant
> of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
>
>
>
>
>
> Without saying too much:
>
>
>
> Seems to be a spate of DDoS against UK based VoIP providers at the
> moment.   For ransom.  Don't pay.
>
>
>
> One provider said that traditional approaches did not work.   They tried
> Voxility but just got false positives.    There are providers that do
> work.
>
>
>
> But in the UK a lot of traffic goes over peers through internet
> exchanges.  So just swapping transit is only half the problem.
>
>
> Prep wise:
>
> So practice altering your IP advertisements, dropping and bringing up
> peers.  If you connect to route servers, practice doing selective
> announcements.  Try to get private interconnects to your upstream telco
> providers.    Get your network teams warmed up for when it does happen.
> If you host with a cloud provider, have a backup because if DDOS is coming
> from the same cloud .....
>
>
>
>
>
> Tim
>
>
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
>
>
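The UDP fragmentation concern raised at the top of this thread, as an added example that is not part of the original messages: a size check that reports whether a SIP INVITE fits in one IPv4/UDP datagram, whether it crosses the 1300-byte point at which RFC 3261 section 18.1.1 calls for TCP, and which headers cost the most bytes. The INVITE, its hosts and numbers, the codec list and the filler Identity value are constructed; IPv4 without options and a 1500-byte MTU are assumptions.

```python
import math

RFC3261_UDP_LIMIT = 1300         # RFC 3261 18.1.1: larger requests should use TCP
IPV4_HEADER, UDP_HEADER = 20, 8  # assumption: IPv4, no IP options

# Constructed codec offer (payload type, rtpmap encoding)
CODECS = [(0, "PCMU/8000"), (8, "PCMA/8000"), (9, "G722/8000"), (18, "G729/8000"),
          (3, "GSM/8000"), (96, "opus/48000/2"), (97, "iLBC/8000"),
          (101, "telephone-event/8000")]

def build_invite(codecs, identity_len=0):
    """Constructed INVITE: hosts, numbers and the Identity token are made up."""
    pts = " ".join(str(pt) for pt, _ in codecs)
    sdp = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
           f"t=0 0\r\nm=audio 40000 RTP/AVP {pts}\r\n"
           + "".join(f"a=rtpmap:{pt} {name}\r\n" for pt, name in codecs))
    headers = ["INVITE sip:+15550100@example.net SIP/2.0",
               "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
               "From: <sip:+15550199@example.org>;tag=constructed",
               "To: <sip:+15550100@example.net>",
               "Call-ID: constructed-1@192.0.2.10",
               "CSeq: 1 INVITE",
               "Contact: <sip:192.0.2.10:5060>"]
    if identity_len:  # filler of the given length stands in for a signed token
        headers.append("Identity: " + "A" * identity_len +
                       ";info=<https://cert.example.org/sti.pem>;alg=ES256;ppt=shaken")
    headers += ["Content-Type: application/sdp", f"Content-Length: {len(sdp)}"]
    return ("\r\n".join(headers) + "\r\n\r\n" + sdp).encode()

def ipv4_fragments(sip_len, mtu=1500):
    """Number of IPv4 packets needed to carry one UDP datagram of sip_len bytes."""
    ip_payload = UDP_HEADER + sip_len
    if ip_payload <= mtu - IPV4_HEADER:
        return 1
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8  # fragment data is 8-byte aligned
    return math.ceil(ip_payload / per_fragment)

def assess(msg, mtu=1500):
    n = ipv4_fragments(len(msg), mtu)
    return {"sip_bytes": len(msg), "fragments": n, "fragmented": n > 1,
            "over_rfc3261_limit": len(msg) > RFC3261_UDP_LIMIT}

def largest_headers(msg, top=3):
    """Header names ranked by bytes on the wire (including CRLF)."""
    head = msg.split(b"\r\n\r\n", 1)[0].decode()
    sizes = [(l.split(":", 1)[0], len(l) + 2) for l in head.split("\r\n")[1:]]
    return sorted(sizes, key=lambda s: s[1], reverse=True)[:top]

if __name__ == "__main__":
    for label, msg in (("plain", build_invite(CODECS[:1])),
                       ("signed, 8 codecs", build_invite(CODECS, 900))):
        print(label, assess(msg), largest_headers(msg))
```

Any INVITE reported as `fragmented` depends on every fragment arriving, so it is the one that fails when a scrubbing layer or firewall in the path drops UDP fragments.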