[VoiceOps] Bandwidth - Monday Outage

Alex Balashov abalashov at evaristesys.com
Mon Sep 27 17:35:17 EDT 2021


My experience of this in connection with various customers is that it’s just UDP fragments. Doesn’t appear to let up in response to a lack of stimuli (i.e. blocking ICMP unreachable responses from going back out doesn’t help), and doesn’t seem aimed at SIP / RTP services specifically in any discernible way.

Could be different elsewhere.

— Alex

> On Sep 27, 2021, at 5:21 PM, Ryan Delgrosso <ryandelgrosso at gmail.com> wrote:
> 
> Do we know this is a SIP/RTP targeted volumetric attack and those aren't just collateral damage in a more plebeian attack aimed at portals/apis or routers?
> 
> I can understand them being tight lipped but some transparency helps the situation.
> 
> I wonder if DHS is involved yet?
> 
> On 9/27/2021 1:48 PM, Jay Hennigan via VoiceOps wrote:
>> On 9/27/21 13:30, Darren via VoiceOps wrote:
>>> I know it’s hard to be patient but I can’t imagine they’re NOT all hands on deck.
>>> 
>>> The reality is probably that the DDoS attack is now so big, they can’t handle it on their own, so they’re scrambling to contract out with another provider who can handle it. That would explain why the BGP routes they advertise have shifted. These DDoS products typically take weeks to set up, so they’re likely having to scramble. I’ll be surprised if this does NOT continue tomorrow (unfortunately).
>> 
>> From my understanding this is not your typical volumetric DDoS but something specific to SIP or VoIP and thus the typical scrubbing services aren't going to be effective against the voice side of things.
>> 
>> Obviously they are keeping things close to the vest in order not to give too much information to the bad guys but I agree that it may take some time to resolve.
>> 
>>> *From: *VoiceOps <voiceops-bounces at voiceops.org> on behalf of Carlos Alvarez <caalvarez at gmail.com>
>>> *Date: *Monday, September 27, 2021 at 1:23 PM
>> 
>>> Generic SIP client here, and the ongoing "continue to investigate" notices are infuriatingly like "we have no damn clue what we're doing."  Try explaining to customers why it's not "our fault*" and that there's no way to estimate a repair time.
>> 
>> I think the ongoing "continue to investigate" messages are fine. They're obviously dealing with a major incident and trying their best to keep their customers informed. This IMHO beats silence.
>> 
>>> *Our fault for choosing them I guess, but not something we can fix in minutes.
>> 
>> The same thing could and has affected others. Voip.ms has been dealing with a similar attack for at least a week. We've had excellent service from Bandwidth for years and I trust that they will be able to get through this as well as anyone.
>> 
>> It's the nature of the legacy PSTN that redundant providers or fast failover for inbound calling isn't (yet) a thing.
>> 

-- 
Alex Balashov | Principal | Evariste Systems LLC

Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
