<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">I would agree, but modify this advice to read: “TCP or TLS to the edge for end-users, then step down to UDP with big MTUs inside the service provider core.”<br><br><div dir="ltr">—<div>Sent from mobile, with due apologies for brevity and errors.</div></div><div dir="ltr"><br><blockquote type="cite">On Oct 8, 2021, at 8:25 AM, Tim Bray via VoiceOps <voiceops@voiceops.org> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">
  
  
  
    <p>UDP fragments have been a problem for years.</p>
    <p>Mitigations historically have been to turn off spare codecs.  On
      snom phones, turn off fancy features.</p>
    <p>Tbh, the only really modern mitigation is just to use SIP over
      TLS and take UDP out of the mix for everything except media.<br>
    </p>
    <p><br>
    </p>
    <p>Tim<br>
    </p>
    <div class="moz-cite-prefix">On 07/10/2021 23:34, Jared Geiger
      wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:CAHuchRAmM7PUFUOsbc+NUyDZh47OGNowv3ukW_D6BRfBYfj6xg@mail.gmail.com">
      <div dir="ltr">Cloudflare made another blog post about what kinds
        of traffic they are seeing. <a href="https://blog.cloudflare.com/update-on-voip-attacks/" moz-do-not-send="true">https://blog.cloudflare.com/update-on-voip-attacks/</a>
        <div><br>
        </div>
        <div>One problem is if Cloudflare drops UDP fragments, that
          could cause some calls to fail and others not to. Especially
          now with SHAKEN/STIR certs in the headers and people putting
          every codec known to man on the INVITEs. Verizon specifically
          mentioned UDP fragments in the email notice before they put
          S/S on TF Inbound. So Cloudflare Magic Transit isn't
          necessarily the easy button for protecting VoIP traffic but it
          would definitely help keep a network alive and processing
          calls during an attack.</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Mon, Oct 4, 2021 at 6:24 AM
          Mike Hammett <<a href="mailto:voiceops@ics-il.net" moz-do-not-send="true">voiceops@ics-il.net</a>> wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div>
            <div style="font-family:arial,helvetica,sans-serif;font-size:10pt;color:rgb(0,0,0)"><font face="arial, helvetica, sans-serif"><span style="font-size:10pt">For those that don't know what
                  BGPlay is...</span></font>
              <div style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt"><br>
              </div>
              <div style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt"><br>
              </div>
              <div><font face="arial, helvetica, sans-serif"><span style="font-size:13.3333px"><a href="https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=67.231.4.88&w.starttime=1632921600&w.endtime=1632960000&w.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp" target="_blank" moz-do-not-send="true">https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=67.231.4.88&w.starttime=1632921600&w.endtime=1632960000&w.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp</a></span></font><br>
                <br>
                <div style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt"><span name="x"></span><br>
                  <br>
                  -----<br>
                  Mike Hammett<br>
                  Intelligent Computing Solutions<br>
                  <a href="http://www.ics-il.com" target="_blank" moz-do-not-send="true">http://www.ics-il.com</a><br>
                  <br>
                  <br>
                  <br>
                  Midwest Internet Exchange<br>
                  <a href="http://www.midwest-ix.com" target="_blank" moz-do-not-send="true">http://www.midwest-ix.com</a><br>
                  <br>
                  <span name="x"></span><br>
                </div>
                <br>
                <hr id="gmail-m_6717795691617493997zwchr" style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt">
                <div style="color:rgb(0,0,0);font-family:Helvetica,Arial,sans-serif;font-size:12pt;font-weight:normal;font-style:normal;text-decoration:none"><b>From:
                  </b>"Joseph Jackson" <<a href="mailto:jjackson@aninetworks.net" target="_blank" moz-do-not-send="true">jjackson@aninetworks.net</a>><br>
                  <b>To: </b>"Mike Hammett" <<a href="mailto:voiceops@ics-il.net" target="_blank" moz-do-not-send="true">voiceops@ics-il.net</a>><br>
                  <b>Cc: </b>"Tim Bray" <<a href="mailto:tim@kooky.org" target="_blank" moz-do-not-send="true">tim@kooky.org</a>>, <a href="mailto:voiceops@voiceops.org" target="_blank" moz-do-not-send="true">voiceops@voiceops.org</a><br>
                  <b>Sent: </b>Saturday, October 2, 2021 11:20:26 AM<br>
                  <b>Subject: </b>RE: [VoiceOps] VoIP Provider DDoSes<br>
                  <br>
                  <div>
                    <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)">Is
                        now.  If you look at their BGP announcements
                        over the last week using something like BGPlay
                        you can see them move all their prefixes behind
                        Cloudflare.</span></p>
                    <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)"> </span></p>
                    <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)"> </span></p>
                    <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)"> </span></p>
                    <div>
                      <div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt
                        solid rgb(181,196,223);padding:3pt 0in 0in">
                        <p class="MsoNormal"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"> Mike Hammett
                            [mailto:<a href="mailto:voiceops@ics-il.net" target="_blank" moz-do-not-send="true">voiceops@ics-il.net</a>]
                            <br>
                            <b>Sent:</b> Saturday, October 02, 2021
                            10:30 AM<br>
                            <b>To:</b> Joseph Jackson<br>
                            <b>Cc:</b> Tim Bray; <a href="mailto:voiceops@voiceops.org" target="_blank" moz-do-not-send="true">voiceops@voiceops.org</a><br>
                            <b>Subject:</b> Re: [VoiceOps] VoIP Provider
                            DDoSes</span></p>
                      </div>
                    </div>
                    <p class="MsoNormal"> </p>
                    <div>
                      <p class="MsoNormal" style="margin-bottom:12pt"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black">Has been
                          or is now?</span></p>
                      <div>
                        <p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black"><br>
                            <br>
                            -----<br>
                            Mike Hammett<br>
                            Intelligent Computing Solutions<br>
                            <a href="http://www.ics-il.com" target="_blank" moz-do-not-send="true">http://www.ics-il.com</a><br>
                            <br>
                            <br>
                            <br>
                            Midwest Internet Exchange<br>
                            <a href="http://www.midwest-ix.com" target="_blank" moz-do-not-send="true">http://www.midwest-ix.com</a><br>
                            <br>
                            <br>
                          </span></p>
                      </div>
                      <p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black"> </span></p>
                      <div class="MsoNormal" style="text-align:center" align="center"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black">
                          <hr id="gmail-m_6717795691617493997zwchr" width="100%" size="2" align="center">
                        </span></div>
                      <div>
                        <p class="MsoNormal" style="margin-bottom:12pt"><b><span style="font-family:Helvetica,sans-serif;color:black">From:
                            </span></b><span style="font-family:Helvetica,sans-serif;color:black">"Joseph
                            Jackson" <<a href="mailto:jjackson@aninetworks.net" target="_blank" moz-do-not-send="true">jjackson@aninetworks.net</a>><br>
                            <b>To: </b>"Tim Bray" <<a href="mailto:tim@kooky.org" target="_blank" moz-do-not-send="true">tim@kooky.org</a>>,
                            <a href="mailto:voiceops@voiceops.org" target="_blank" moz-do-not-send="true">voiceops@voiceops.org</a><br>
                            <b>Sent: </b>Saturday, October 2, 2021
                            9:43:23 AM<br>
                            <b>Subject: </b>Re: [VoiceOps] VoIP
                            Provider DDoSes</span></p>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)">Bandwidth.com
                            is using Cloudflare's Magic Transit for DDoS
                            protection.  Seems to be working ok.  CF
                            says it doesn’t matter the protocol they can
                            scrub the traffic.</span><span style="color:black"></span></p>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)"> </span><span style="color:black"></span></p>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)"> </span><span style="color:black"></span></p>
                        <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)"> </span><span style="color:black"></span></p>
                        <div>
                          <div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt
                            solid rgb(181,196,223);padding:3pt 0in 0in">
                            <p class="MsoNormal"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif;color:black">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif;color:black">
                                VoiceOps [mailto:<a href="mailto:voiceops-bounces@voiceops.org" target="_blank" moz-do-not-send="true">voiceops-bounces@voiceops.org</a>]
                                <b>On Behalf Of </b>Tim Bray via
                                VoiceOps<br>
                                <b>Sent:</b> Friday, October 01, 2021
                                9:34 AM<br>
                                <b>To:</b> <a href="mailto:voiceops@voiceops.org" target="_blank" moz-do-not-send="true">voiceops@voiceops.org</a><br>
                                <b>Subject:</b> Re: [VoiceOps] VoIP
                                Provider DDoSes</span><span style="color:black"></span></p>
                          </div>
                        </div>
                        <p class="MsoNormal"><span style="color:black"> </span></p>
                        <p><span style="color:black"> </span></p>
                        <div>
                          <p class="MsoNormal"><span style="color:black">On
                              26/09/2021 21:54, Mike Hammett wrote:</span></p>
                        </div>
                        <blockquote style="margin-top:5pt;margin-bottom:5pt">
                          <div>
                            <div>
                              <p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black"> </span><span style="color:black"></span></p>
                              <div>
                                <p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black">Are
                                    your garden variety DDoS mitigation
                                    platforms or services equipped to
                                    handle DDoSes of VoIP services? What
                                    nuances does one have to be
                                    cognizant of? A WAF doesn't mean
                                    much to SIP, IAX2, RTP, etc.</span><span style="color:black"></span></p>
                              </div>
                            </div>
                          </div>
                          <p class="MsoNormal"><span style="color:black"> </span></p>
                        </blockquote>
                        <p><span style="color:black"> </span></p>
                        <p><span style="color:black">Without saying too
                            much:</span></p>
                        <p><span style="color:black"> </span></p>
                        <p><span style="color:black">Seems to be a spate
                            of DDoS against UK-based VoIP providers at
                            the moment.   For ransom.  Don't pay.</span></p>
                        <p><span style="color:black"> </span></p>
                        <p><span style="color:black">One provider said
                            that traditional approaches did not work.  
                            They tried Voxility but just got false
                            positives.    There are providers that do
                            work.  
                          </span></p>
                        <p><span style="color:black"> </span></p>
                        <p><span style="color:black">But in the UK a lot
                            of traffic goes over peers through internet
                            exchanges.  So just swapping transit only
                            solves half the problem.</span></p>
                        <p><span style="color:black"><br>
                            Prep wise:</span></p>
                        <p><span style="color:black">So practice
                            altering your IP advertisements, dropping
                            and bringing up peers.  If you connect to
                            route servers, practice doing selective
                            announcements.  Try to get private
                            interconnects to your upstream telco
                            providers.    Get your network teams warmed
                            up for when it does happen.    If you host
                            with a cloud provider, have a backup because
                            if DDoS is coming from the same cloud .....</span></p>
                        <p><span style="color:black"> </span></p>
                        <p><span style="color:black"> </span></p>
                        <p><span style="color:black">Tim</span></p>
                        <p class="MsoNormal"><span style="font-family:Helvetica,sans-serif;color:black"><br>
_______________________________________________<br>
                            VoiceOps mailing list<br>
                            <a href="mailto:VoiceOps@voiceops.org" target="_blank" moz-do-not-send="true">VoiceOps@voiceops.org</a><br>
                            <a href="https://puck.nether.net/mailman/listinfo/voiceops" target="_blank" moz-do-not-send="true">https://puck.nether.net/mailman/listinfo/voiceops</a></span></p>
                      </div>
                      <p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black"> </span></p>
                    </div>
                  </div>
                </div>
                <br>
              </div>
            </div>
          </div>
        </blockquote>
      </div>
      <br>
    </blockquote>
  

</div></blockquote></body></html>