[VoiceOps] VoIP Provider DDoSes

Tim Bray tim at kooky.org
Fri Oct 8 08:22:10 EDT 2021


UDP fragments have been a problem for years.

mitigations historically have been to turn off spare codecs.  On snom 
phones, turn off fancy features.

Tbh, the only really modern mitigation is just to use SIP over TLS and 
taking UDP out of the mix for everything except media.


Tim

On 07/10/2021 23:34, Jared Geiger wrote:
> Cloudflare made another blog post about what kinds of traffic they are 
> seeing. https://blog.cloudflare.com/update-on-voip-attacks/ 
> <https://blog.cloudflare.com/update-on-voip-attacks/>
>
> One problem is if Cloudflare drops UDP fragments, that could cause 
> some calls to fail and others not to. Especially now with SHAKEN/STIR 
> certs in the headers and people putting every codec known to man on 
> the INVITEs. Verizon specifically mentioned UDP fragments in the email 
> notice before they put S/S on TF Inbound. So cloudflare magic transit 
> isn't necessarily the easy button for protecting VoIP traffic but it 
> would definitely help keep a network alive and processing calls during 
> an attack.
>
> On Mon, Oct 4, 2021 at 6:24 AM Mike Hammett <voiceops at ics-il.net 
> <mailto:voiceops at ics-il.net>> wrote:
>
>     For those that don't know what BGPlay is...
>
>
>     https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=67.231.4.88&w.starttime=1632921600&w.endtime=1632960000&w.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp
>     <https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=67.231.4.88&w.starttime=1632921600&w.endtime=1632960000&w.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp>
>
>
>
>     -----
>     Mike Hammett
>     Intelligent Computing Solutions
>     http://www.ics-il.com <http://www.ics-il.com>
>
>
>
>     Midwest Internet Exchange
>     http://www.midwest-ix.com <http://www.midwest-ix.com>
>
>
>
>     ------------------------------------------------------------------------
>     *From: *"Joseph Jackson" <jjackson at aninetworks.net
>     <mailto:jjackson at aninetworks.net>>
>     *To: *"Mike Hammett" <voiceops at ics-il.net
>     <mailto:voiceops at ics-il.net>>
>     *Cc: *"Tim Bray" <tim at kooky.org <mailto:tim at kooky.org>>,
>     voiceops at voiceops.org <mailto:voiceops at voiceops.org>
>     *Sent: *Saturday, October 2, 2021 11:20:26 AM
>     *Subject: *RE: [VoiceOps] VoIP Provider DDoSes
>
>     Is now.  If you look at their BGP announcements over the last week
>     using something like bgplay you can see them move all their
>     prefixes behind cloudflare.
>
>     *From:*Mike Hammett [mailto:voiceops at ics-il.net
>     <mailto:voiceops at ics-il.net>]
>     *Sent:* Saturday, October 02, 2021 10:30 AM
>     *To:* Joseph Jackson
>     *Cc:* Tim Bray; voiceops at voiceops.org <mailto:voiceops at voiceops.org>
>     *Subject:* Re: [VoiceOps] VoIP Provider DDoSes
>
>     Has been or is now?
>
>
>
>     -----
>     Mike Hammett
>     Intelligent Computing Solutions
>     http://www.ics-il.com <http://www.ics-il.com>
>
>
>
>     Midwest Internet Exchange
>     http://www.midwest-ix.com <http://www.midwest-ix.com>
>
>
>     ------------------------------------------------------------------------
>
>     *From: *"Joseph Jackson" <jjackson at aninetworks.net
>     <mailto:jjackson at aninetworks.net>>
>     *To: *"Tim Bray" <tim at kooky.org <mailto:tim at kooky.org>>,
>     voiceops at voiceops.org <mailto:voiceops at voiceops.org>
>     *Sent: *Saturday, October 2, 2021 9:43:23 AM
>     *Subject: *Re: [VoiceOps] VoIP Provider DDoSes
>
>     Bandwidth.com is using cloudflares magic transit for DDOS
>     protection.  Seems to be working ok.  CF says it doesn’t matter
>     the protocol they can scrub the traffic.
>
>     *From:*VoiceOps [mailto:voiceops-bounces at voiceops.org
>     <mailto:voiceops-bounces at voiceops.org>] *On Behalf Of *Tim Bray
>     via VoiceOps
>     *Sent:* Friday, October 01, 2021 9:34 AM
>     *To:* voiceops at voiceops.org <mailto:voiceops at voiceops.org>
>     *Subject:* Re: [VoiceOps] VoIP Provider DDoSes
>
>     On 26/09/2021 21:54, Mike Hammett wrote:
>
>         Are your garden variety DDoS mitigation platforms or services
>         equipped to handle DDoSes of VoIP services? What nuances does
>         one have to be cognizant of? A WAF doesn't mean much to SIP,
>         IAX2, RTP, etc.
>
>     Without saying too much:
>
>     Seems to be a spate of DDOS against UK based voip providers at the
>     moment.   For ransom.  Don't pay.
>
>     One provider said that traditional approaches did not work. They
>     tried Voxility but just got false positives.    There are
>     providers that do work.
>
>     But in the UK a lot of traffic goes over peers through internet
>     exchanges.  So just swapping transit only half the problem.
>
>
>     Prep wise:
>
>     So practice altering your IP advertisements, dropping and bringing
>     up peers.  If you connect to route servers, practice doing
>     selective announcements.  Try to get private interconnects to your
>     upstream telco providers.    Get your network teams warmed up for
>     when it does happen.    If you host with a cloud provider, have a
>     backup because if DDOS is coming from the same cloud .....
>
>     Tim
>
>
>     _______________________________________________
>     VoiceOps mailing list
>     VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org>
>     https://puck.nether.net/mailman/listinfo/voiceops
>     <https://puck.nether.net/mailman/listinfo/voiceops>
>
>
>     _______________________________________________
>     VoiceOps mailing list
>     VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org>
>     https://puck.nether.net/mailman/listinfo/voiceops
>     <https://puck.nether.net/mailman/listinfo/voiceops>
>
>
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20211008/ad46c903/attachment-0001.htm>


More information about the VoiceOps mailing list