<div dir="ltr">Cloudflare made another blog post about what kinds of traffic they are seeing. <a href="https://blog.cloudflare.com/update-on-voip-attacks/">https://blog.cloudflare.com/update-on-voip-attacks/</a><div><br></div><div>One problem is if Cloudflare drops UDP fragments, that could cause some calls to fail and others not to. Especially now with SHAKEN/STIR certs in the headers and people putting every codec known to man on the INVITEs. Verizon specifically mentioned UDP fragments in the email notice before they put S/S on TF Inbound. So Cloudflare Magic Transit isn't necessarily the easy button for protecting VoIP traffic, but it would definitely help keep a network alive and processing calls during an attack.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Oct 4, 2021 at 6:24 AM Mike Hammett <<a href="mailto:voiceops@ics-il.net">voiceops@ics-il.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:arial,helvetica,sans-serif;font-size:10pt;color:rgb(0,0,0)"><font face="arial, helvetica, sans-serif"><span style="font-size:10pt">For those that don't know what BGPlay is...</span></font><div style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt"><br></div><div style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt"><br></div><div><font face="arial, helvetica, sans-serif"><span style="font-size:13.3333px"><a href="https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=67.231.4.88&w.starttime=1632921600&w.endtime=1632960000&w.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp" target="_blank">https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=67.231.4.88&w.starttime=1632921600&w.endtime=1632960000&w.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp</a></span></font><br><br><div 
style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt"><span name="x"></span><br><br>-----<br>Mike Hammett<br>Intelligent Computing Solutions<br><a href="http://www.ics-il.com" target="_blank">http://www.ics-il.com</a><br><br><br><br>Midwest Internet Exchange<br><a href="http://www.midwest-ix.com" target="_blank">http://www.midwest-ix.com</a><br><br><span name="x"></span><br></div><br><hr id="gmail-m_6717795691617493997zwchr" style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt"><div style="color:rgb(0,0,0);font-family:Helvetica,Arial,sans-serif;font-size:12pt;font-weight:normal;font-style:normal;text-decoration:none"><b>From: </b>"Joseph Jackson" <<a href="mailto:jjackson@aninetworks.net" target="_blank">jjackson@aninetworks.net</a>><br><b>To: </b>"Mike Hammett" <<a href="mailto:voiceops@ics-il.net" target="_blank">voiceops@ics-il.net</a>><br><b>Cc: </b>"Tim Bray" <<a href="mailto:tim@kooky.org" target="_blank">tim@kooky.org</a>>, <a href="mailto:voiceops@voiceops.org" target="_blank">voiceops@voiceops.org</a><br><b>Sent: </b>Saturday, October 2, 2021 11:20:26 AM<br><b>Subject: </b>RE: [VoiceOps] VoIP Provider DDoSes<br><br>
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)">Is now. If you look at their BGP announcements over the last week using something like BGPlay you can see them move all their prefixes behind Cloudflare.</span></p>
<div>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"> Mike Hammett [mailto:<a href="mailto:voiceops@ics-il.net" target="_blank">voiceops@ics-il.net</a>]
<br>
<b>Sent:</b> Saturday, October 02, 2021 10:30 AM<br>
<b>To:</b> Joseph Jackson<br>
<b>Cc:</b> Tim Bray; <a href="mailto:voiceops@voiceops.org" target="_blank">voiceops@voiceops.org</a><br>
<b>Subject:</b> Re: [VoiceOps] VoIP Provider DDoSes</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black">Has been or is now?</span></p>
<div>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black"><br>
<br>
-----<br>
Mike Hammett<br>
Intelligent Computing Solutions<br>
<a href="http://www.ics-il.com" target="_blank">http://www.ics-il.com</a><br>
<br>
<br>
<br>
Midwest Internet Exchange<br>
<a href="http://www.midwest-ix.com" target="_blank">http://www.midwest-ix.com</a><br>
<br>
<br>
</span></p>
</div>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black"> </span></p>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black">
<hr size="2" width="100%" align="center" id="gmail-m_6717795691617493997zwchr">
</span></div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><b><span style="font-family:Helvetica,sans-serif;color:black">From:
</span></b><span style="font-family:Helvetica,sans-serif;color:black">"Joseph Jackson" <<a href="mailto:jjackson@aninetworks.net" target="_blank">jjackson@aninetworks.net</a>><br>
<b>To: </b>"Tim Bray" <<a href="mailto:tim@kooky.org" target="_blank">tim@kooky.org</a>>, <a href="mailto:voiceops@voiceops.org" target="_blank">voiceops@voiceops.org</a><br>
<b>Sent: </b>Saturday, October 2, 2021 9:43:23 AM<br>
<b>Subject: </b>Re: [VoiceOps] VoIP Provider DDoSes</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)">Bandwidth.com is using Cloudflare's Magic Transit for DDoS protection. Seems to be working OK. CF says it doesn’t matter the protocol; they can scrub the traffic.</span><span style="color:black"></span></p>
<div>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif;color:black">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif;color:black"> VoiceOps [mailto:<a href="mailto:voiceops-bounces@voiceops.org" target="_blank">voiceops-bounces@voiceops.org</a>]
<b>On Behalf Of </b>Tim Bray via VoiceOps<br>
<b>Sent:</b> Friday, October 01, 2021 9:34 AM<br>
<b>To:</b> <a href="mailto:voiceops@voiceops.org" target="_blank">voiceops@voiceops.org</a><br>
<b>Subject:</b> Re: [VoiceOps] VoIP Provider DDoSes</span><span style="color:black"></span></p>
</div>
</div>
<p class="MsoNormal"><span style="color:black"> </span></p>
<p><span style="color:black"> </span></p>
<div>
<p class="MsoNormal"><span style="color:black">On 26/09/2021 21:54, Mike Hammett wrote:</span></p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black"> </span><span style="color:black"></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black">Are your garden variety DDoS mitigation platforms or services equipped to handle DDoSes of VoIP services? What nuances does one have to be cognizant of? A WAF doesn't
mean much to SIP, IAX2, RTP, etc.</span><span style="color:black"></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</blockquote>
<p><span style="color:black"> </span></p>
<p><span style="color:black">Without saying too much:</span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black">Seems to be a spate of DDoS against UK-based VoIP providers at the moment. For ransom. Don't pay.</span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black">One provider said that traditional approaches did not work. They tried Voxility but just got false positives. There are providers that do work.
</span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black">But in the UK a lot of traffic goes over peers through internet exchanges. So just swapping transit is only half the problem.</span></p>
<p><span style="color:black"><br>
Prep wise:</span></p>
<p><span style="color:black">So practice altering your IP advertisements, dropping and bringing up peers. If you connect to route servers, practice doing selective announcements. Try to get private interconnects to your upstream telco providers. Get your
network teams warmed up for when it does happen. If you host with a cloud provider, have a backup because if DDoS is coming from the same cloud .....</span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black">Tim</span></p>
<p class="MsoNormal"><span style="font-family:Helvetica,sans-serif;color:black"><br>
_______________________________________________<br>
VoiceOps mailing list<br>
<a href="mailto:VoiceOps@voiceops.org" target="_blank">VoiceOps@voiceops.org</a><br>
<a href="https://puck.nether.net/mailman/listinfo/voiceops" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a></span></p>
</div>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black"> </span></p>
</div>
</div>
</div><br></div></div></div>
</blockquote></div>
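<p>Added example, not part of any poster's message: a size check for the UDP fragmentation concern raised at the top of this thread. It builds constructed SIP INVITEs (sample addresses, numbers, codec list, and filler standing in for a SHAKEN Identity token), assumes a 1500-byte IPv4 MTU, and reports how many IP fragments each needs and whether RFC 3261 section 18.1.1 already requires TCP for it.</p>

```python
IPV4_HEADER, UDP_HEADER = 20, 8

# Constructed codec offer; the names are only there to give the SDP realistic bulk.
CODECS = ["PCMU/8000", "PCMA/8000", "G722/8000", "G729/8000", "GSM/8000",
          "iLBC/8000", "opus/48000/2", "AMR/8000", "AMR-WB/16000",
          "speex/8000", "G726-32/8000", "telephone-event/8000"]

def build_invite(codecs, identity_len=0):
    """Return a constructed SIP INVITE as bytes (all values are samples)."""
    pts = [str(96 + i) for i in range(len(codecs))]
    sdp = "\r\n".join(
        ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
         "t=0 0", "m=audio 40000 RTP/AVP " + " ".join(pts)]
        + [f"a=rtpmap:{pt} {name}" for pt, name in zip(pts, codecs)]) + "\r\n"
    headers = [
        "INVITE sip:+15555550100@example.net SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
        "From: <sip:+15555550199@example.com>;tag=1",
        "To: <sip:+15555550100@example.net>",
        "Call-ID: constructed-1@192.0.2.10",
        "CSeq: 1 INVITE",
        "Max-Forwards: 70",
        "Contact: <sip:192.0.2.10:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp)}",
    ]
    if identity_len:
        # Filler in place of a base64url PASSporT; not a real token.
        headers.insert(-2, "Identity: " + "A" * identity_len +
                       ";info=<https://cert.example.org/sample.pem>"
                       ";alg=ES256;ppt=shaken")
    return ("\r\n".join(headers) + "\r\n\r\n" + sdp).encode()

def assess(message, mtu=1500):
    """Report fragmentation exposure for one SIP message sent over UDP/IPv4."""
    size = len(message)
    # Non-final IPv4 fragments carry a multiple of 8 payload bytes.
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    fragments = -(-(UDP_HEADER + size) // per_fragment)  # ceiling division
    return {
        "sip_bytes": size,
        "ip_fragments": fragments,
        # Only the first fragment carries the UDP header, so a filter that
        # drops fragments loses the whole INVITE.
        "lost_if_fragments_dropped": fragments > 1,
        # RFC 3261 18.1.1: within 200 bytes of the path MTU means use TCP.
        "rfc3261_requires_tcp": size > mtu - 200,
    }
```

Running `assess` over INVITEs captured at your own border shows which call flows would be affected before fragment filtering is enabled upstream.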