<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1255"><meta name="Generator" content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang="EN-CA" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoNormal"><a name="_MailEndCompose"><span style="mso-fareast-language:EN-US"> </span></a></p><p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="mso-fareast-language:EN-US">I think putting this </span></span><span style="mso-bookmark:_MailEndCompose"><span style="font-family:Wingdings">à</span></span><span style="mso-bookmark:_MailEndCompose"><span style="mso-fareast-language:EN-US"> “</span>block the offending traffic pattern” into practice is the crux of the issue. Maybe I am short-sighted or don’t give AI sufficient credit, but I think identifying the offending traffic pattern is not going to be easy (or maybe possible at all). </span></p><p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"> </span></p><p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose">Anyone initiating a TDOS attack can manipulate the call pattern and caller ID easy enough to make it look like ‘normal’ traffic. </span></p><p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"> </span></p><p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose">I do hope I am wrong, but… </span><span style="mso-bookmark:_MailEndCompose"><span style="mso-fareast-language:EN-US"></span></span></p><p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="mso-fareast-language:EN-US"> </span></span></p><p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#1f497d">Best Regards,</span></span></p><p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#1f497d"> </span></span></p><p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#1f497d">Ivan Kovacevic</span></span></p><p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span lang="EN-US" style="color:#1f497d">Vice President, Client Services</span></span></p><p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:#1f497d">Star Telecom | </span></span><a href="http://t.sidekickopen61.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XYg1qMvVnW3LjyBM63K6FlW63JXmj56dLPjf6TyZWx02?t=http%3A%2F%2Fwww.startelecom.ca%2F&si=6470560385859584&pi=c347a136-9122-44d9-b157-dd8bfc614cc9"><span style="mso-bookmark:_MailEndCompose">www.startelecom.ca</span><span style="mso-bookmark:_MailEndCompose"></span></a><span style="mso-bookmark:_MailEndCompose"><span style="color:#1f497d"> | SIP Based Services for Contact Centers | </span></span><a href="http://t.sidekickopen61.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XYg1qMvVnW3LjyBM63K6FlW63JXmj56dLPjf6TyZWx02?t=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fstar-telecom-www-startelecom-ca-%3Ftrk%3Dbiz-companies-cym&si=6470560385859584&pi=c347a136-9122-44d9-b157-dd8bfc614cc9"><span style="mso-bookmark:_MailEndCompose">LinkedIn</span><span style="mso-bookmark:_MailEndCompose"></span></a><span style="mso-bookmark:_MailEndCompose"></span></p><p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="mso-fareast-language:EN-US"> </span></span></p><span style="mso-bookmark:_MailEndCompose"></span><p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> VoiceOps [mailto:<a href="mailto:voiceops-bounces@voiceops.org">voiceops-bounces@voiceops.org</a>] <b>On Behalf Of </b>Carlos Perez<br><b>Sent:</b> May 15, 2017 12:57 PM<br><b>To:</b> Victor Chukalovskiy <<a href="mailto:victor.chukalovskiy@gmail.com">victor.chukalovskiy@gmail.com</a>><br><b>Cc:</b> <a href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a><br><b>Subject:</b> Re: [VoiceOps] Mitigating or stopping TDOS attacks - any advice?</span></p><p class="MsoNormal"> </p><div><p class="MsoNormal">(with the context being unwanted calls) An alternative that should be considered since it will add the intelligence to identify abnormal patterns and not complicating your signaling path (introducing an additional possible point of failure and or post dial delay) is using a machine data analyzer solution such as Splunk or ELK. </p><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">This approach is based on near-realtime processing of CDRs therefore it can manage one or many brands. It is highly scalable (since the data processing is done off-board) and highly customizable to tailor any needs. The idea is that upon detecting an abnormal pattern the data analyzer interacts with the switch in the form of a hook/API instruction to have the logic on the switch to block the offending traffic pattern (instead of throttling or blocking an entire source IP or trunk which may not be wanted in this case as it will block wanted traffic).</p></div><div><p class="MsoNormal"> </p></div><div><div><div><div><div><div><div><div><div><p class="MsoNormal">Carlos Perez</p></div><div><p class="MsoNormal">Sansay, Inc.</p></div></div><div><p class="MsoNormal"> </p></div></div></div></div></div></div></div><div><p class="MsoNormal">On Mon, May 15, 2017 at 8:05 AM, Victor Chukalovskiy <<a href="mailto:victor.chukalovskiy@gmail.com" target="_blank">victor.chukalovskiy@gmail.com</a>> wrote:</p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt"><div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d">Hi,</span></p></div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d"> </span></p></div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d">You are talking PSTN --> customer call flow scenario in CLEC setting. Usually a class 4/5 switch is set to "transparently" pass all incoming calls from PSTN side to whatever customers trunk or line the DID or range is pointed to. And then either that resource gets full due to call volume or your switch starts failing or lagging due to CPS.</span></p></div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d"> </span></p></div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d">You have two options however:</span></p></div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d"> </span></p></div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d">If you were to pass all your traffic through a SIP proxy, like Kamallio or OpenSIPS like Alex suggested, that proxy can be programmed to do any kind of fancy call admissions control, dynamic filtering, number pattern etc. This however means you put an extra box in the call path between your PSTN switch and a customer.</span></p></div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d"> </span></p></div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d">Alternatively, you may try to see if all your PSTN switches can do some kind of external dip or routing query on incoming calls (radius, SIP refer etc). If they can, you can set a server or a cluster that would answer all those dips and decide on per-call basis wether the call should be admitted or not. So think external "brain" for your switches. This way call admission controll decision is made externally, but enforced right at your PSTN switch, and you don't have extra box in the call path. Making it somewhat more elegant.</span></p></div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d"> </span></p></div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d">This is pretty high-level, but if I understood your topology right, these are basically your two options.</span></p></div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d"> </span></p></div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d">-Victor</span></p></div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d"> </span></p></div><div><p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#1f497d">Sent from my BlackBerry 10 smartphone.</span></p></div><table class="MsoNormalTable" border="0" cellspacing="4" cellpadding="0" width="100%" style="width:100.0%;background:white"><tr><td style="padding:.75pt .75pt .75pt .75pt;font-size:initial;text-align:initial"><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">From: </span></b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">Matthew Yaklin</span></p></div><div><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">Sent: </span></b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">Monday, May 15, 2017 10:44</span></p></div><div><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">To: </span></b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"><a href="mailto:voiceops@voiceops.org" target="_blank">voiceops@voiceops.org</a></span></p></div><div><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">Subject: </span></b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">[VoiceOps] Mitigating or stopping TDOS attacks - any advice?</span></p></div></div></td></tr></table><div><div><p class="MsoNormal" style="background:white"><span lang="EN-US"> </span></p><div id="m_8047315901664844455m_5445466205333083445gmail-m_-8475875738604473019_originalContent"><div id="m_8047315901664844455m_5445466205333083445gmail-m_-8475875738604473019divtagdefaultwrapper"><p style="background:white"><span lang="EN-US" style="color:black">Hello all,</span></p><p style="background:white"><span lang="EN-US" style="color:black"> </span></p><p style="background:white"><span lang="EN-US" style="color:black">I am curious what others have in place or actions they take when a customer is the target of a TDOS attack?</span></p><p style="background:white"><span lang="EN-US" style="color:black">TDOS being Telephony Denial of Service. An attack where the perp uses whatever means to flood a customer's telephone service with unwanted calls. </span></p><p style="background:white"><span lang="EN-US" style="color:black"> </span></p><p style="background:white"><span lang="EN-US" style="color:black">Say you are a multi state CLEC. You have multiple brands of switches (Meta, Taqua, DMS, Genband, etc...) as well as ACME and Perimeta SBCs in use. You have legacy TDM as well as SIP trunks. Your customers are served via legacy and modern methods. You have hosted PBX as well (Broadsoft). Many customers are on your LAN but many are on the internet. So that is our situation. Or you can be bigger or smaller. No matter the size I would welcome how you handle it.</span></p><p style="background:white"><span lang="EN-US" style="color:black"> </span></p><p style="background:white"><span lang="EN-US" style="color:black">We have asked our manufacturers for advice but they have only provided the basic number blocking available by default on the switch. Meta and Genband have provided little other than pointing to existing features. If you have any thoughts on whether there is something we can provide based upon SIP messaging or other creative solutions that would be awesome!</span></p><p style="background:white"><span lang="EN-US" style="color:black"> </span></p><p style="background:white"><span lang="EN-US" style="color:black">So I welcome a discussion on this and any advice other operators can give.</span></p><p style="background:white"><span lang="EN-US" style="color:black"> </span></p><p style="background:white"><span lang="EN-US" style="color:black">Thank you very much,</span></p><p style="background:white"><span lang="EN-US" style="color:black"> </span></p><p style="background:white"><span lang="EN-US" style="color:black">Matt</span></p><p style="background:white"><span lang="EN-US" style="color:black"> </span></p><p style="background:white"><span lang="EN-US" style="color:black"> </span></p></div><p class="MsoNormal" style="background:white"><span lang="EN-US"> </span></p></div></div></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>_______________________________________________<br>VoiceOps mailing list<br><a href="mailto:VoiceOps@voiceops.org" target="_blank">VoiceOps@voiceops.org</a><br><a href="https://puck.nether.net/mailman/listinfo/voiceops" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a></p></blockquote></div><p class="MsoNormal"> </p></div></div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><img border="0" width="1" height="1" style="width:.0104in;height:.0104in" id="_x0000_i1025" src="http://t.sidekickopen61.com/e1t/o/5/f18dQhb0S7ks8dDMPbW2n0x6l2B9gXrN7sKj6v4LCS0Vf6xNj7dSCJWW64Jplz1pctGFW55kbNc1k1H6H0?si=6470560385859584&pi=c347a136-9122-44d9-b157-dd8bfc614cc9" alt="http://t.sidekickopen61.com/e1t/o/5/f18dQhb0S7ks8dDMPbW2n0x6l2B9gXrN7sKj6v4LCS0Vf6xNj7dSCJWW64Jplz1pctGFW55kbNc1k1H6H0?si=6470560385859584&pi=c347a136-9122-44d9-b157-dd8bfc614cc9"></span><span style="font-size:12.0pt;font-family:"Times New Roman",serif"></span></p></div></body></html>