<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt"><div><span>i was thinking a conf call. Maybe 4-5 participants. Let me know who's interested.</span></div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div dir="ltr"> <font size="2" face="Arial"> On Tuesday, August 19, 2014 12:39 AM, Ryan Delgrosso <ryandelgrosso@gmail.com> wrote:<br> </font> </div> <br><br> <div class="y_msg_container"><div id="yiv1219915509"><div>
Discuss away, were all riveted with antici......<br clear="none">
<br clear="none">
:) <br clear="none">
<br clear="none">
<div class="yiv1219915509yqt2640078074" id="yiv1219915509yqtfd21683"><div class="yiv1219915509moz-cite-prefix">On 8/18/2014 7:52 PM, Anthony Orlando
via VoiceOps wrote:<br clear="none">
</div>
<blockquote type="cite">
</blockquote></div></div><div class="yiv1219915509yqt2640078074" id="yiv1219915509yqtfd46210"><div><div>All </div>
<div> I might have a solution that I'd like to talk to the group
about. It can not only detect but could use your switch API to
take action. Who's interested in discussing it!</div>
<div><br clear="none">
<br clear="none">
Sent from my iPhone</div>
<div><br clear="none">
On Aug 18, 2014, at 9:59 PM, Tim Jackson <<a rel="nofollow" shape="rect" ymailto="mailto:jackson.tim@gmail.com" target="_blank" href="mailto:jackson.tim@gmail.com">jackson.tim@gmail.com</a>>
wrote:<br clear="none">
<br clear="none">
</div>
<blockquote type="cite">
<div>
<div dir="ltr">I think Ryan's point here is getting data on
in-progress calls into it instead of completed calls..</div>
<div dir="ltr">AFAIK CPM basically watches the real time call
logs from the CFS, and only knows about calls once they
complete.</div>
<div class="yiv1219915509gmail_quote">On Aug 18, 2014 6:04 PM, "Simon
Dredge" <<a rel="nofollow" shape="rect" ymailto="mailto:Simon.Dredge@metaswitch.com" target="_blank" href="mailto:Simon.Dredge@metaswitch.com">Simon.Dredge@metaswitch.com</a>>
wrote:<br clear="none">
<blockquote class="yiv1219915509gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Heya, Ryan - It's SAS-like - But proactive analysis rather
than reactive analytics. It'll trigger immediately (in
real-time) on an anomaly, informing the operator that
action is required so they can take necessary action.<br clear="none">
<br clear="none">
Cheers,<br clear="none">
<br clear="none">
<br clear="none">
Simon.<br clear="none">
<br clear="none">
-----Original Message-----<br clear="none">
From: Ryan Delgrosso [mailto:<a rel="nofollow" shape="rect" ymailto="mailto:ryandelgrosso@gmail.com" target="_blank" href="mailto:ryandelgrosso@gmail.com">ryandelgrosso@gmail.com</a>]<br clear="none">
Sent: Monday, August 18, 2014 4:32 PM<br clear="none">
To: Simon Dredge<br clear="none">
Cc: <a rel="nofollow" shape="rect" ymailto="mailto:voiceops@voiceops.org" target="_blank" href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a><br clear="none">
Subject: Re: [VoiceOps] Hackers Crash Clay Co. Phones ...<br clear="none">
<br clear="none">
Simon,<br clear="none">
I think the gotcha with CPM in this scenario is its a
great tool for determining "this has happened" but not so
great for building a mitigation solution.<br clear="none">
<br clear="none">
Is CPM driven off of CDR's or off of the SAS datastream or
some other source?<br clear="none">
<br clear="none">
If its CDR driven you will be blind to this problem
because you wont be measuring calls that are rejected due
to lack of capacity(no cdr cut).<br clear="none">
If its driven off of SAS data you will get the
missed/incomplete call stats but at the cost of speed
(multiple orders of magnitude more data than CDR's)<br clear="none">
<br clear="none">
It would be interesting to hear if this perhaps uses a
different datasource. Perhaps there is a facility in
perimeta that informs this better than CFS data sources.<br clear="none">
<br clear="none">
-Ryan<br clear="none">
<br clear="none">
On 8/18/2014 3:36 PM, Simon Dredge wrote:<br clear="none">
> I know many meta-users like the new-ish call pattern
monitor. It uses weighted profiling benchmarking algos
similar to NBAD:<br clear="none">
><br clear="none">
> <a rel="nofollow" shape="rect" target="_blank" href="http://www.metaswitch.com/sites/default/files/Metaswitch-Call-Pattern-">http://www.metaswitch.com/sites/default/files/Metaswitch-Call-Pattern-</a><br clear="none">
> Monitor.pdf<br clear="none">
><br clear="none">
> Cheers,<br clear="none">
><br clear="none">
><br clear="none">
> Simon.<br clear="none">
><br clear="none">
><br clear="none">
> -----Original Message-----<br clear="none">
> From: VoiceOps [mailto:<a rel="nofollow" shape="rect" ymailto="mailto:voiceops-bounces@voiceops.org" target="_blank" href="mailto:voiceops-bounces@voiceops.org">voiceops-bounces@voiceops.org</a>]
On Behalf Of<br clear="none">
> Ryan Delgrosso<br clear="none">
> Sent: Monday, August 18, 2014 1:53 PM<br clear="none">
> To: ECG - Mark Lindsey<br clear="none">
> Cc: <a rel="nofollow" shape="rect" ymailto="mailto:voiceops@voiceops.org" target="_blank" href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a><br clear="none">
> Subject: Re: [VoiceOps] Hackers Crash Clay Co. Phones
...<br clear="none">
><br clear="none">
> I dunno that's a slippery slope. Im not a proponent
of putting management of your network services into
someone elses hands, especially things like this where the
service provider should have visibility into what they are
or are not admitting.<br clear="none">
><br clear="none">
> Agreed on your synopsis of call admission control,
the border should be able to make these decisions rapidly,
freeing up softswitch resources to actually serve
customers.<br clear="none">
><br clear="none">
> This sounds like good territory for an acme SPL
plugin, possibly in<br clear="none">
> conjunction with this enum extension<br clear="none">
> <a rel="nofollow" shape="rect" target="_blank" href="http://tools.ietf.org/html/draft-kaplan-enum-source-uri-00">http://tools.ietf.org/html/draft-kaplan-enum-source-uri-00</a>
unfortunately i dont see a clear path for this in the TDM
world but my exposure there is limited. It would seem like
a good solution might be using ENUM (with source URI) to
build statistics centrally based on calling/called numbers
and then forcing the ENUM response once thresholds are hit
to illicit an appropriate decline message for flagged
invites with a retry-after interval allowing you to
effectively throttle specific call scenarios assuming your
origination carriers will behave correctly.<br clear="none">
><br clear="none">
> 2 of the examples we discussed previously were:<br clear="none">
><br clear="none">
> 1: Social media death star. Justin biebers (or anyone
else with millions of rabid followers) twitter account
(53.7M followers) gets hacked and attacker tweets "Call
this number for free tickets" or similar.<br clear="none">
><br clear="none">
> 2: T-DOS using stolen sip accounts effectively
turning other service providers into a death star. More
damage per source number (higher CPS than social media per
attacker but less distributed source). This one seems much
easier to create given the ease with which stolen sip
accounts can be acquired, and harder to mitigate if the
stolen accounts support callerID spoofing.<br clear="none">
><br clear="none">
> Both of these situations are exacerbated by LCR
resellers creating at times 10-20 invites from 1 due to
route advancing when the destination is truly congested,
which gets worse when the LCR resellers in turn have
resellers in route etc etc.<br clear="none">
><br clear="none">
> Of course any solution needs to have provisions for
conveying congestion control to the originating network so
they stop route advancing.<br clear="none">
><br clear="none">
><br clear="none">
> I think this has commercial viability for access
providers protecting<br clear="none">
> their customers business interests and for
implementers designing<br clear="none">
> solutions but perhaps not so much in a carrier to
carrier capacity<br clear="none">
> (beyond appropriate support of signaling congestion
control).<br clear="none">
><br clear="none">
><br clear="none">
> On 8/18/2014 12:48 PM, Mark R Lindsey wrote:<br clear="none">
>> Ryan, does it seem as though TDoS will be most
effectively addressed by the origination companies? i.e.,
the guys with the TDM trunks to the local tandems, such as
incumbents, Verizon, Level(3).<br clear="none">
>><br clear="none">
>> It seems to me that some use of statistics could
probably make reasonable guesses about whether a given
PSTN origination call is likely to be legitimate (for a
call from A to B). For example, I'll bet you could make a
good start looking at numbers and geographic areas:<br clear="none">
>><br clear="none">
>> -- Has telephone number A called to
telephone number B before? Or B->A ?<br clear="none">
>><br clear="none">
>> -- Has GeographicArea(A) called to telephone
number B before? Or GeographicArea(B) -> A?<br clear="none">
>><br clear="none">
>> The more you know about telephone numbers A and
B, the more you could guess about the likelihood that a
given call is legitimate.<br clear="none">
>><br clear="none">
>> And getting good at this should be a competitive
advantage, just as effective anti-spam is an advantage
elsewhere. Vendors that build the edge gear -- in
particular, the SBC and TDM SS7 gateway vendors -- should
be leading the way.<br clear="none">
>><br clear="none">
>> And wholesale carriers could take some advantage
and make it broadly available. For example, let's say
Verizon came along and said, "Here's a reason to port your
numbers from Level(3) to us: When you're under attack,
we're going to be smart about the ways we selectively
admit calls to your network."<br clear="none">
>><br clear="none">
>><br clear="none">
>><br clear="none">
>>>>> <a rel="nofollow" shape="rect" ymailto="mailto:mark@ecg.co" target="_blank" href="mailto:mark@ecg.co">mark@ecg.co</a> <a rel="nofollow" shape="rect" href="">+1-229-316-0013</a> <a rel="nofollow" shape="rect" target="_blank" href="http://ecg.co/lindsey">http://ecg.co/lindsey</a><br clear="none">
>> On Aug 18, 2014, at 13:52 , Ryan Delgrosso <<a rel="nofollow" shape="rect" ymailto="mailto:ryandelgrosso@gmail.com" target="_blank" href="mailto:ryandelgrosso@gmail.com">ryandelgrosso@gmail.com</a>>
wrote:<br clear="none">
>><br clear="none">
>>> IP DDOS and TDOS are really two different
problems but yes we as ITSP's and CLECs living in the IP
space are absolutely susceptible to both.<br clear="none">
>>><br clear="none">
>>> Ive done a fair amount of research into both
of these topics and we have seen varying cases of both,
but usually IP DDOS steals the spotlight because the
numbers are bigger and the effects are usually more
widespread whereas a TDOS attack is rarely felt by anyone
that doesn't live in the affected region or isn't actively
trying to call the victim, and usually telcos keep these
issues pretty close to the chest.<br clear="none">
>>><br clear="none">
>>> I expect this sort of attack is going to
increase in magnitude in the coming 24-36 months as
attackers figure out how to wield it. Mark Collier gave a
very interesting talk at one of the CFCA events on this
topic, though the focus was on the enterprise victim, but
the lessons are really the same. There just arent really
any good tools to mitigate this sort of attack today,
especially at the carrier level.<br clear="none">
>>><br clear="none">
>>> -Ryan<br clear="none">
>>><br clear="none">
>>> On 8/18/2014 6:30 AM, Matt Yaklin wrote:<br clear="none">
>>>> It seems like almost every telephone
company can be hit like that<br clear="none">
>>>> except the ?largest?...<br clear="none">
>>>><br clear="none">
>>>> A denial of service attack by simply
calling so many times it fills<br clear="none">
>>>> up their main trunks.<br clear="none">
>>>><br clear="none">
>>>> And we saw how the large IP colo
providers handle this for<br clear="none">
>>>> customers who get dos'd. The amount of
bandwidth they have is<br clear="none">
>>>> staggering and they still cannot
guarantee you will stay up if a<br clear="none">
>>>> ?skilled? attacker wants you down. So you
keep throwing money at it<br clear="none">
>>>> until you are so well established online
that you look at your<br clear="none">
>>>> monthly bill and want to puke.<br clear="none">
>>>><br clear="none">
>>>> matt<br clear="none">
>>>><br clear="none">
>>>> On Mon, 18 Aug 2014, Frank Bulk wrote:<br clear="none">
>>>><br clear="none">
>>>>> <a rel="nofollow" shape="rect" target="_blank" href="http://www.wibw.com/home/headlines/Hackers-Behind-Phone-Outage-In-">http://www.wibw.com/home/headlines/Hackers-Behind-Phone-Outage-In-</a><br clear="none">
>>>>> Clay-County-271463051.html?ref=051<br clear="none">
>>>>><br clear="none">
>>>>> Painful issue for Big River
Telephone!<br clear="none">
>>>>><br clear="none">
>>>>> Frank<br clear="none">
>>>>><br clear="none">
>>>>><br clear="none">
>>>>><br clear="none">
>>>>
_______________________________________________<br clear="none">
>>>> VoiceOps mailing list<br clear="none">
>>>> <a rel="nofollow" shape="rect" ymailto="mailto:VoiceOps@voiceops.org" target="_blank" href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a><br clear="none">
>>>> <a rel="nofollow" shape="rect" target="_blank" href="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</a><br clear="none">
>>>
_______________________________________________<br clear="none">
>>> VoiceOps mailing list<br clear="none">
>>> <a rel="nofollow" shape="rect" ymailto="mailto:VoiceOps@voiceops.org" target="_blank" href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a><br clear="none">
>>> <a rel="nofollow" shape="rect" target="_blank" href="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</a><br clear="none">
> _______________________________________________<br clear="none">
> VoiceOps mailing list<br clear="none">
> <a rel="nofollow" shape="rect" ymailto="mailto:VoiceOps@voiceops.org" target="_blank" href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a><br clear="none">
> <a rel="nofollow" shape="rect" target="_blank" href="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</a><br clear="none">
<br clear="none">
<br clear="none">
_______________________________________________<br clear="none">
VoiceOps mailing list<br clear="none">
<a rel="nofollow" shape="rect" ymailto="mailto:VoiceOps@voiceops.org" target="_blank" href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a><br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</a><br clear="none">
</blockquote>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div><span>_______________________________________________</span><br clear="none">
<span>VoiceOps mailing list</span><br clear="none">
<span><a rel="nofollow" shape="rect" ymailto="mailto:VoiceOps@voiceops.org" target="_blank" href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a></span><br clear="none">
<span><a rel="nofollow" shape="rect" target="_blank" href="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</a></span><br clear="none">
</div>
</blockquote>
<br clear="none">
<fieldset class="yiv1219915509mimeAttachmentHeader"></fieldset>
<br clear="none">
<pre>_______________________________________________
VoiceOps mailing list
<a rel="nofollow" shape="rect" class="yiv1219915509moz-txt-link-abbreviated" ymailto="mailto:VoiceOps@voiceops.org" target="_blank" href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a>
<a rel="nofollow" shape="rect" class="yiv1219915509moz-txt-link-freetext" target="_blank" href="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</a>
</pre>
<br clear="none">
</div></div></div><br><div class="yqt2640078074" id="yqtfd17227">_______________________________________________<br clear="none">VoiceOps mailing list<br clear="none"><a shape="rect" ymailto="mailto:VoiceOps@voiceops.org" href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a><br clear="none"><a shape="rect" href="https://puck.nether.net/mailman/listinfo/voiceops" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a><br clear="none"></div><br><br></div> </div> </div> </div> </div></body></html>