<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#44546A;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#44546A">Bandwidth.com is using Cloudflare’s Magic Transit for DDoS protection. Seems to be working OK. CF says it doesn’t matter the protocol; they can scrub the traffic.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#44546A"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> VoiceOps [mailto:voiceops-bounces@voiceops.org]
<b>On Behalf Of </b>Tim Bray via VoiceOps<br>
<b>Sent:</b> Friday, October 01, 2021 9:34 AM<br>
<b>To:</b> voiceops@voiceops.org<br>
<b>Subject:</b> Re: [VoiceOps] VoIP Provider DDoSes<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 26/09/2021 21:54, Mike Hammett wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Are your garden variety DDoS mitigation platforms or services equipped to handle DDoSes of VoIP services? What nuances does one have to be cognizant of? A WAF doesn't
mean much to SIP, IAX2, RTP, etc.<o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</blockquote>
<p><o:p> </o:p></p>
<p>Without saying too much:<o:p></o:p></p>
<p><o:p> </o:p></p>
<p>Seems to be a spate of DDoS against UK-based VoIP providers at the moment. For ransom. Don't pay.<o:p></o:p></p>
<p><o:p> </o:p></p>
<p>One provider said that traditional approaches did not work. They tried Voxility but just got false positives. There are providers that do work.
<o:p></o:p></p>
<p><o:p> </o:p></p>
<p>But in the UK a lot of traffic goes over peers through internet exchanges. So just swapping transit is only half the problem.<o:p></o:p></p>
<p><br>
Prep wise:<o:p></o:p></p>
<p>So practice altering your IP advertisements, dropping and bringing up peers. If you connect to route servers, practice doing selective announcements. Try to get private interconnects to your upstream telco providers. Get your network teams warmed up
for when it does happen. If you host with a cloud provider, have a backup because if DDoS is coming from the same cloud .....<o:p></o:p></p>
<p><o:p> </o:p></p>
<p><o:p> </o:p></p>
<p>Tim<o:p></o:p></p>
</div>
</body>
</html>