<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div></div><div>I like the idea. Perhaps people would be more willing to share their experiences if there were a message board or other place to maintain anonymity?</div><div><br>On Mar 19, 2016, at 12:42, Tim Linn <<a href="mailto:timothyl@voipinnovations.com">timothyl@voipinnovations.com</a>> wrote:<br><br></div><div>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div>Ryan,</div>
<div><br>
</div>
<div>This is a great discussion to start. I can't contribute at this time, but I certainly plan on giving you guys all of the information about what we at VI have been doing, what has worked, what hasn't worked, what we saw, what we didn't see, etc. Certain
contacts may not allow me to name company names, but I still think we can give out enough information to be useful.</div>
<div><br>
</div>
<div>We definitely plan on giving this information out. Like you said, events like these are typically embarrassing and companies don't like to come out and describe exactly how negligent or naive they were to allow it.</div>
<div><br>
</div>
<div>I feel that getting the knowledge out there is much more important than our pride though. Right now, we're not giving out a whole lot of information on what we are doing in fear that it will be "used against us." I do somewhat agree with your assessment
about these people knowing this stuff already, but at this point we don't want to take the chance (as irrational as that seems).</div>
<div><br>
</div>
<div>Once we're in a more stable place, I will certainly work with our Networking Engineer, Owner, and Operations Manager on trying to talk them into giving out the most information possible to arm you guys in the event that this occurs to any of you.</div>
<div><br>
</div>
<div>In the meantime, if you have any questions, please feel free to email me. I will do my best to help as much as I can.</div>
<div><br>
</div>
<div><br>
</div>
<div>Timothy Linn</div>
<div>Lead Systems Engineer</div>
<div>Voip Innovations</div>
<div><br>
</div>
<div><br>
</div>
<div id="composer_signature">
<div style="font-size:85%;color:#575757">Sent from my Verizon Wireless 4G LTE smartphone</div>
</div>
<br>
<br>
-------- Original message --------<br>
From: <a href="mailto:voiceops-request@voiceops.org">voiceops-request@voiceops.org</a> <br>
Date: 2016/03/19 12:00 (GMT-05:00) <br>
To: <a href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a> <br>
Subject: VoiceOps Digest, Vol 81, Issue 38 <br>
<br>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText"><br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Fri, 18 Mar 2016 17:07:56 -0700<br>
From: Ryan Delgrosso <<a href="mailto:ryandelgrosso@gmail.com">ryandelgrosso@gmail.com</a>><br>
To: "<a href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a>" <<a href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a>><br>
Subject: [VoiceOps] DDOS Attacks and ITSP's<br>
Message-ID: <<a href="mailto:56EC985C.6050203@gmail.com">56EC985C.6050203@gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"; Format="flowed"<br>
<br>
With the current mega-thread about VI I figured I would get an <br>
educational discussion going about DDOS. Search the archives, Ive <br>
probably started this discussion a few times in the past but each time <br>
the context is different.<br>
<br>
I have given talks at several different venues (anyone here a CFCA <br>
member, or been to a Metaswitch forum event?) about DDOS and what the <br>
current arsenal of internet attacks means to voice. Unfortunately many <br>
network operators treat DDOS like a shameful thing and don't share <br>
information about it. This makes it that much harder for network <br>
operators to do the right thing and take meaningful and decisive action <br>
and ultimately makes the jobs of the attackers that much easier.<br>
<br>
Keep in mind sharing these kinds of tactics isn't "helping the <br>
attackers". They know this stuff. Its OK to tell them what they know. <br>
Who doesn't know this stuff are other operators that haven't been hit yet.<br>
<br>
Have you been hit by DDOS? Have you built out solutions to cope with DDOS?<br>
<br>
Ill start things off:<br>
<br>
1. How do you know its a DDOS and something isn't just broken?<br>
1. netflow<br>
2. SBC retransmissions (this will often be your first warning)<br>
3. Significant deviation from normal traffic volumes<br>
2. As a VoIP carrier, my network looks like a DDOS attack all the time<br>
(oodles of UDP traffic). this makes most commercial solutions a<br>
square peg / round hole problem.<br>
3. DDOS survivability must be designed into the network not bolted on.<br>
1. Place Access SBC's, Peering SBC's, Webservers, etc on different<br>
networks and on different BGP adertisements.<br>
2. Have multiple access SBC's on different networks / routers / BGP<br>
advertisements<br>
3. Use DNS to home ALL clients. When your Access SBC succumbs to a<br>
reflection attack you can flip your customers using SRV records<br>
to the surviving SBC's. Customers using straight IP will remain<br>
down.<br>
4. Use CDN networks like Cloudflare / Cloudfront or just put<br>
webservers in EC2. Keep web away from voice. Webservers are<br>
attack magnets.<br>
5. Build defense in depth. Your network is a medieval castle, have<br>
moats and walls and soldiers.<br>
4. Be a good netizen. If you are an ISP, implement BCP38. No open DNS<br>
recursors, no open NTP or SNMP services that are reflection targets.<br>
Leave no loaded weapons for others in your network.<br>
5. Traffic scrubbing services typically don't mix well with VoIP<br>
carriers. This is basically the TSA of the network. (there are<br>
exceptions, the price tags have commas).<br>
6. How do you go about testing your protections? Don't just sit smugly<br>
in your house made of straw.<br>
7. Most upstream carrier DDOS protection strategies include "blackhole<br>
the destination to protect the network". This saves them but<br>
accomplishes your attackers goal.<br>
8. Do you know how big of a DDOS it actually takes to hurt you? Ill bet<br>
its less than you think.<br>
<br>
<br>
So lets hear it. Who has experience on this front? What would you like <br>
to share? Comments on the above?<br>
<br>
-Ryan<br>
</div>
</span></font>This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received this message in error, please notify the sender immediately and delete the original. Any other
use of the e-mail by you is prohibited. Unauthorized interception of this e-mail is a violation of federal criminal law. We reserve the right, when permitted by law, to scan electronic communications, including e-mail and instant messaging, for the purposes
of security and compliance with our internal policy.
</div><div><span>_______________________________________________</span><br><span>VoiceOps mailing list</span><br><span><a href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a></span><br><span><a href="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</a></span><br></div></body></html>