<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>UDP fragments have been a problem for years.</p>
<p>Mitigations historically have been to turn off spare codecs. On
Snom phones, turn off fancy features.</p>
<p>Tbh, the only really modern mitigation is just to use SIP over
TLS and take UDP out of the mix for everything except media.<br>
</p>
<p><br>
</p>
<p>Tim<br>
</p>
<div class="moz-cite-prefix">On 07/10/2021 23:34, Jared Geiger
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAHuchRAmM7PUFUOsbc+NUyDZh47OGNowv3ukW_D6BRfBYfj6xg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Cloudflare made another blog post about what kinds
of traffic they are seeing. <a
href="https://blog.cloudflare.com/update-on-voip-attacks/"
moz-do-not-send="true">https://blog.cloudflare.com/update-on-voip-attacks/</a>
<div><br>
</div>
<div>One problem is if Cloudflare drops UDP fragments, that
could cause some calls to fail and others not to. Especially
now with SHAKEN/STIR certs in the headers and people putting
every codec known to man on the INVITEs. Verizon specifically
mentioned UDP fragments in the email notice before they put
S/S on TF Inbound. So Cloudflare Magic Transit isn't
necessarily the easy button for protecting VoIP traffic but it
would definitely help keep a network alive and processing
calls during an attack.</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Oct 4, 2021 at 6:24 AM
Mike Hammett &lt;<a href="mailto:voiceops@ics-il.net"
moz-do-not-send="true">voiceops@ics-il.net</a>&gt; wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div
style="font-family:arial,helvetica,sans-serif;font-size:10pt;color:rgb(0,0,0)"><font
face="arial, helvetica, sans-serif"><span
style="font-size:10pt">For those that don't know what
BGPlay is...</span></font>
<div
style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt"><br>
</div>
<div
style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt"><br>
</div>
<div><font face="arial, helvetica, sans-serif"><span
style="font-size:13.3333px"><a
href="https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=67.231.4.88&w.starttime=1632921600&w.endtime=1632960000&w.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp"
target="_blank" moz-do-not-send="true">https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=67.231.4.88&w.starttime=1632921600&w.endtime=1632960000&w.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp</a></span></font><br>
<br>
<div
style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt"><span
name="x"></span><br>
<br>
-----<br>
Mike Hammett<br>
Intelligent Computing Solutions<br>
<a href="http://www.ics-il.com" target="_blank"
moz-do-not-send="true">http://www.ics-il.com</a><br>
<br>
<br>
<br>
Midwest Internet Exchange<br>
<a href="http://www.midwest-ix.com" target="_blank"
moz-do-not-send="true">http://www.midwest-ix.com</a><br>
<br>
<span name="x"></span><br>
</div>
<br>
<hr id="gmail-m_6717795691617493997zwchr"
style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt">
<div
style="color:rgb(0,0,0);font-family:Helvetica,Arial,sans-serif;font-size:12pt;font-weight:normal;font-style:normal;text-decoration:none"><b>From:
</b>"Joseph Jackson" &lt;<a
href="mailto:jjackson@aninetworks.net"
target="_blank" moz-do-not-send="true">jjackson@aninetworks.net</a>&gt;<br>
<b>To: </b>"Mike Hammett" &lt;<a
href="mailto:voiceops@ics-il.net" target="_blank"
moz-do-not-send="true">voiceops@ics-il.net</a>&gt;<br>
<b>Cc: </b>"Tim Bray" &lt;<a
href="mailto:tim@kooky.org" target="_blank"
moz-do-not-send="true">tim@kooky.org</a>&gt;, <a
href="mailto:voiceops@voiceops.org" target="_blank"
moz-do-not-send="true">voiceops@voiceops.org</a><br>
<b>Sent: </b>Saturday, October 2, 2021 11:20:26 AM<br>
<b>Subject: </b>RE: [VoiceOps] VoIP Provider DDoSes<br>
<br>
<div>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)">Is
now. If you look at their BGP announcements
over the last week using something like bgplay
you can see them move all their prefixes behind
Cloudflare.</span></p>
<div>
<div
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt
solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span
style="font-size:10pt;font-family:Tahoma,sans-serif"> Mike Hammett
[mailto:<a href="mailto:voiceops@ics-il.net"
target="_blank" moz-do-not-send="true">voiceops@ics-il.net</a>]
<br>
<b>Sent:</b> Saturday, October 02, 2021
10:30 AM<br>
<b>To:</b> Joseph Jackson<br>
<b>Cc:</b> Tim Bray; <a
href="mailto:voiceops@voiceops.org"
target="_blank" moz-do-not-send="true">voiceops@voiceops.org</a><br>
<b>Subject:</b> Re: [VoiceOps] VoIP Provider
DDoSes</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><span
style="font-size:10pt;font-family:Arial,sans-serif;color:black">Has been
or is now?</span></p>
<div>
<p class="MsoNormal"><span
style="font-size:10pt;font-family:Arial,sans-serif;color:black"><br>
<br>
-----<br>
Mike Hammett<br>
Intelligent Computing Solutions<br>
<a href="http://www.ics-il.com"
target="_blank" moz-do-not-send="true">http://www.ics-il.com</a><br>
<br>
<br>
<br>
Midwest Internet Exchange<br>
<a href="http://www.midwest-ix.com"
target="_blank" moz-do-not-send="true">http://www.midwest-ix.com</a><br>
<br>
<br>
</span></p>
</div>
<p class="MsoNormal"><span
style="font-size:10pt;font-family:Arial,sans-serif;color:black"> </span></p>
<div class="MsoNormal" style="text-align:center"
align="center"><span
style="font-size:10pt;font-family:Arial,sans-serif;color:black">
<hr id="gmail-m_6717795691617493997zwchr"
width="100%" size="2" align="center">
</span></div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><b><span
style="font-family:Helvetica,sans-serif;color:black">From:
</span></b><span
style="font-family:Helvetica,sans-serif;color:black">"Joseph
Jackson" &lt;<a
href="mailto:jjackson@aninetworks.net"
target="_blank" moz-do-not-send="true">jjackson@aninetworks.net</a>&gt;<br>
<b>To: </b>"Tim Bray" &lt;<a
href="mailto:tim@kooky.org"
target="_blank" moz-do-not-send="true">tim@kooky.org</a>&gt;,
<a href="mailto:voiceops@voiceops.org"
target="_blank" moz-do-not-send="true">voiceops@voiceops.org</a><br>
<b>Sent: </b>Saturday, October 2, 2021
9:43:23 AM<br>
<b>Subject: </b>Re: [VoiceOps] VoIP
Provider DDoSes</span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)">Bandwidth.com
is using Cloudflare's Magic Transit for DDoS
protection. Seems to be working ok. CF
says it doesn’t matter the protocol they can
scrub the traffic.</span><span
style="color:black"></span></p>
<div>
<div
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt
solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10pt;font-family:Tahoma,sans-serif;color:black">From:</span></b><span
style="font-size:10pt;font-family:Tahoma,sans-serif;color:black">
VoiceOps [mailto:<a
href="mailto:voiceops-bounces@voiceops.org"
target="_blank" moz-do-not-send="true">voiceops-bounces@voiceops.org</a>]
<b>On Behalf Of </b>Tim Bray via
VoiceOps<br>
<b>Sent:</b> Friday, October 01, 2021
9:34 AM<br>
<b>To:</b> <a
href="mailto:voiceops@voiceops.org"
target="_blank" moz-do-not-send="true">voiceops@voiceops.org</a><br>
<b>Subject:</b> Re: [VoiceOps] VoIP
Provider DDoSes</span><span
style="color:black"></span></p>
</div>
</div>
<p class="MsoNormal"><span style="color:black"> </span></p>
<p><span style="color:black"> </span></p>
<div>
<p class="MsoNormal"><span style="color:black">On
26/09/2021 21:54, Mike Hammett wrote:</span></p>
</div>
<blockquote
style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal"><span
style="font-size:10pt;font-family:Arial,sans-serif;color:black"> </span><span
style="color:black"></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:10pt;font-family:Arial,sans-serif;color:black">Are
your garden variety DDoS mitigation
platforms or services equipped to
handle DDoSes of VoIP services? What
nuances does one have to be
cognizant of? A WAF doesn't mean
much to SIP, IAX2, RTP, etc.</span><span
style="color:black"></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</blockquote>
<p><span style="color:black"> </span></p>
<p><span style="color:black">Without saying too
much:</span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black">Seems to be a spate
of DDoS against UK-based VoIP providers at
the moment. For ransom. Don't pay.</span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black">One provider said
that traditional approaches did not work.
They tried Voxility but just got false
positives. There are providers that do
work.
</span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black">But in the UK a lot
of traffic goes over peers through internet
exchanges. So just swapping transit is only
half the problem.</span></p>
<p><span style="color:black"><br>
Prep wise:</span></p>
<p><span style="color:black">So practice
altering your IP advertisements, dropping
and bringing up peers. If you connect to
route servers, practice doing selective
announcements. Try to get private
interconnects to your upstream telco
providers. Get your network teams warmed
up for when it does happen. If you host
with a cloud provider, have a backup because
if DDoS is coming from the same cloud .....</span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black">Tim</span></p>
<p class="MsoNormal"><span
style="font-family:Helvetica,sans-serif;color:black"><br>
_______________________________________________<br>
VoiceOps mailing list<br>
<a href="mailto:VoiceOps@voiceops.org"
target="_blank" moz-do-not-send="true">VoiceOps@voiceops.org</a><br>
<a
href="https://puck.nether.net/mailman/listinfo/voiceops"
target="_blank" moz-do-not-send="true">https://puck.nether.net/mailman/listinfo/voiceops</a></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:10pt;font-family:Arial,sans-serif;color:black"> </span></p>
</div>
</div>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</blockquote>
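<p>The fragment problem discussed in this thread, as an added example that is not part of any poster's message: it builds two constructed INVITEs (a short codec list, then a long one plus a dummy Identity header) and reports whether each fits in one IPv4/UDP packet and whether it exceeds the 1300-byte point at which RFC 3261 section 18.1.1 requires a congestion-controlled transport such as TCP or TLS when the path MTU is unknown. All addresses, numbers, the codec list and the Identity length are assumptions made for illustration.</p>

```python
import math

IPV4_HEADER = 20            # bytes, no IP options
UDP_HEADER = 8
RFC3261_UDP_LIMIT = 1300    # RFC 3261 18.1.1 threshold when path MTU is unknown

# Constructed codec list (payload type, rtpmap) standing in for an "every codec" offer.
MANY_CODECS = [(0, "PCMU/8000"), (8, "PCMA/8000"), (9, "G722/8000"), (18, "G729/8000"),
               (3, "GSM/8000"), (4, "G723/8000"), (96, "opus/48000/2"), (97, "iLBC/8000"),
               (98, "AMR/8000"), (99, "AMR-WB/16000"), (100, "speex/8000"),
               (101, "telephone-event/8000")]

def build_invite(codecs, identity_len=0):
    """Return a constructed INVITE as bytes; identity_len adds a dummy Identity header."""
    sdp = "\r\n".join(
        ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
         "m=audio 40000 RTP/AVP " + " ".join(str(pt) for pt, _ in codecs)]
        + [f"a=rtpmap:{pt} {name}" for pt, name in codecs]) + "\r\n"
    headers = ["INVITE sip:+15555550100@example.net SIP/2.0",
               "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
               "Max-Forwards: 70",
               "From: <sip:+15555550123@example.com>;tag=constructed",
               "To: <sip:+15555550100@example.net>",
               "Call-ID: constructed-1@192.0.2.10",
               "CSeq: 1 INVITE",
               "Contact: <sip:+15555550123@192.0.2.10:5060>"]
    if identity_len:  # placeholder bytes, not a real signed PASSporT
        headers.append("Identity: " + "A" * identity_len
                       + ";info=<https://certs.example.net/sp.pem>;alg=ES256;ppt=shaken")
    headers += ["Content-Type: application/sdp", f"Content-Length: {len(sdp)}"]
    return ("\r\n".join(headers) + "\r\n\r\n" + sdp).encode("ascii")

def fragmentation_risk(msg, path_mtu=1500):
    """Report how one SIP message maps onto IPv4/UDP packets for a given path MTU."""
    datagram = len(msg) + UDP_HEADER
    per_fragment = (path_mtu - IPV4_HEADER) // 8 * 8   # fragment data is a multiple of 8
    return {"sip_bytes": len(msg),
            "ipv4_fragments": math.ceil(datagram / per_fragment),
            "over_rfc3261_udp_limit": len(msg) > RFC3261_UDP_LIMIT}

if __name__ == "__main__":
    for label, msg in [("2 codecs, no Identity", build_invite(MANY_CODECS[:2])),
                       ("12 codecs + Identity", build_invite(MANY_CODECS, 1000))]:
        print(label, fragmentation_risk(msg))
```

<p>Running the same check over INVITEs captured from your own trunks shows which call flows would break if an upstream scrubber discarded UDP fragments.</p>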
</body>
</html>