<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">I would agree, but modify this advice to read: “TCP or TLS to the edge for end-users, then step down to UDP with big MTUs inside the service provider core.”<br><br><div dir="ltr">—<div>Sent from mobile, with due apologies for brevity and errors.</div></div><div dir="ltr"><br><blockquote type="cite">On Oct 8, 2021, at 8:25 AM, Tim Bray via VoiceOps <voiceops@voiceops.org> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">
<p>UDP fragments have been a problem for years.</p>
<p>Mitigations historically have been to turn off spare codecs. On
Snom phones, turn off fancy features.</p>
<p>Tbh, the only really modern mitigation is just to use SIP over
TLS and take UDP out of the mix for everything except media.<br>
</p>
<p><br>
</p>
<p>Tim<br>
</p>
<div class="moz-cite-prefix">On 07/10/2021 23:34, Jared Geiger
wrote:<br>
</div>
<blockquote type="cite" cite="mid:CAHuchRAmM7PUFUOsbc+NUyDZh47OGNowv3ukW_D6BRfBYfj6xg@mail.gmail.com">
<div dir="ltr">Cloudflare made another blog post about what kinds
of traffic they are seeing. <a href="https://blog.cloudflare.com/update-on-voip-attacks/" moz-do-not-send="true">https://blog.cloudflare.com/update-on-voip-attacks/</a>
<div><br>
</div>
<div>One problem is if Cloudflare drops UDP fragments, that
could cause some calls to fail and others not to. Especially
now with SHAKEN/STIR certs in the headers and people putting
every codec known to man on the INVITEs. Verizon specifically
mentioned UDP fragments in the email notice before they put
S/S on TF Inbound. So Cloudflare Magic Transit isn't
necessarily the easy button for protecting VoIP traffic but it
would definitely help keep a network alive and processing
calls during an attack.</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Oct 4, 2021 at 6:24 AM
Mike Hammett <<a href="mailto:voiceops@ics-il.net" moz-do-not-send="true">voiceops@ics-il.net</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div style="font-family:arial,helvetica,sans-serif;font-size:10pt;color:rgb(0,0,0)"><font face="arial, helvetica, sans-serif"><span style="font-size:10pt">For those that don't know what
BGPlay is...</span></font>
<div style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt"><br>
</div>
<div style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt"><br>
</div>
<div><font face="arial, helvetica, sans-serif"><span style="font-size:13.3333px"><a href="https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=67.231.4.88&w.starttime=1632921600&w.endtime=1632960000&w.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp" target="_blank" moz-do-not-send="true">https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=67.231.4.88&w.starttime=1632921600&w.endtime=1632960000&w.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp</a></span></font><br>
<br>
<div style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt"><span name="x"></span><br>
<br>
-----<br>
Mike Hammett<br>
Intelligent Computing Solutions<br>
<a href="http://www.ics-il.com" target="_blank" moz-do-not-send="true">http://www.ics-il.com</a><br>
<br>
<br>
<br>
Midwest Internet Exchange<br>
<a href="http://www.midwest-ix.com" target="_blank" moz-do-not-send="true">http://www.midwest-ix.com</a><br>
<br>
<span name="x"></span><br>
</div>
<br>
<hr id="gmail-m_6717795691617493997zwchr" style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:10pt">
<div style="color:rgb(0,0,0);font-family:Helvetica,Arial,sans-serif;font-size:12pt;font-weight:normal;font-style:normal;text-decoration:none"><b>From:
</b>"Joseph Jackson" <<a href="mailto:jjackson@aninetworks.net" target="_blank" moz-do-not-send="true">jjackson@aninetworks.net</a>><br>
<b>To: </b>"Mike Hammett" <<a href="mailto:voiceops@ics-il.net" target="_blank" moz-do-not-send="true">voiceops@ics-il.net</a>><br>
<b>Cc: </b>"Tim Bray" <<a href="mailto:tim@kooky.org" target="_blank" moz-do-not-send="true">tim@kooky.org</a>>, <a href="mailto:voiceops@voiceops.org" target="_blank" moz-do-not-send="true">voiceops@voiceops.org</a><br>
<b>Sent: </b>Saturday, October 2, 2021 11:20:26 AM<br>
<b>Subject: </b>RE: [VoiceOps] VoIP Provider DDoSes<br>
<br>
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)">Is
now. If you look at their BGP announcements
over the last week using something like BGPlay
you can see them move all their prefixes behind
Cloudflare.</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)"> </span></p>
<div>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt
solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"> Mike Hammett
[mailto:<a href="mailto:voiceops@ics-il.net" target="_blank" moz-do-not-send="true">voiceops@ics-il.net</a>]
<br>
<b>Sent:</b> Saturday, October 02, 2021
10:30 AM<br>
<b>To:</b> Joseph Jackson<br>
<b>Cc:</b> Tim Bray; <a href="mailto:voiceops@voiceops.org" target="_blank" moz-do-not-send="true">voiceops@voiceops.org</a><br>
<b>Subject:</b> Re: [VoiceOps] VoIP Provider
DDoSes</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black">Has been
or is now?</span></p>
<div>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black"><br>
<br>
-----<br>
Mike Hammett<br>
Intelligent Computing Solutions<br>
<a href="http://www.ics-il.com" target="_blank" moz-do-not-send="true">http://www.ics-il.com</a><br>
<br>
<br>
<br>
Midwest Internet Exchange<br>
<a href="http://www.midwest-ix.com" target="_blank" moz-do-not-send="true">http://www.midwest-ix.com</a><br>
<br>
<br>
</span></p>
</div>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black"> </span></p>
<div class="MsoNormal" style="text-align:center" align="center"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black">
<hr id="gmail-m_6717795691617493997zwchr" width="100%" size="2" align="center">
</span></div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><b><span style="font-family:Helvetica,sans-serif;color:black">From:
</span></b><span style="font-family:Helvetica,sans-serif;color:black">"Joseph
Jackson" <<a href="mailto:jjackson@aninetworks.net" target="_blank" moz-do-not-send="true">jjackson@aninetworks.net</a>><br>
<b>To: </b>"Tim Bray" <<a href="mailto:tim@kooky.org" target="_blank" moz-do-not-send="true">tim@kooky.org</a>>,
<a href="mailto:voiceops@voiceops.org" target="_blank" moz-do-not-send="true">voiceops@voiceops.org</a><br>
<b>Sent: </b>Saturday, October 2, 2021
9:43:23 AM<br>
<b>Subject: </b>Re: [VoiceOps] VoIP
Provider DDoSes</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)">Bandwidth.com
is using Cloudflare's Magic Transit for DDoS
protection. Seems to be working ok. CF
says it doesn’t matter the protocol they can
scrub the traffic.</span><span style="color:black"></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)"> </span><span style="color:black"></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)"> </span><span style="color:black"></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(68,84,106)"> </span><span style="color:black"></span></p>
<div>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt
solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif;color:black">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif;color:black">
VoiceOps [mailto:<a href="mailto:voiceops-bounces@voiceops.org" target="_blank" moz-do-not-send="true">voiceops-bounces@voiceops.org</a>]
<b>On Behalf Of </b>Tim Bray via
VoiceOps<br>
<b>Sent:</b> Friday, October 01, 2021
9:34 AM<br>
<b>To:</b> <a href="mailto:voiceops@voiceops.org" target="_blank" moz-do-not-send="true">voiceops@voiceops.org</a><br>
<b>Subject:</b> Re: [VoiceOps] VoIP
Provider DDoSes</span><span style="color:black"></span></p>
</div>
</div>
<p class="MsoNormal"><span style="color:black"> </span></p>
<p><span style="color:black"> </span></p>
<div>
<p class="MsoNormal"><span style="color:black">On
26/09/2021 21:54, Mike Hammett wrote:</span></p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black"> </span><span style="color:black"></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black">Are
your garden variety DDoS mitigation
platforms or services equipped to
handle DDoSes of VoIP services? What
nuances does one have to be
cognizant of? A WAF doesn't mean
much to SIP, IAX2, RTP, etc.</span><span style="color:black"></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><span style="color:black"> </span></p>
</blockquote>
<p><span style="color:black"> </span></p>
<p><span style="color:black">Without saying too
much:</span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black">Seems to be a spate
of DDoS against UK-based VoIP providers at
the moment. For ransom. Don't pay.</span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black">One provider said
that traditional approaches did not work.
They tried Voxility but just got false
positives. There are providers that do
work.
</span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black">But in the UK a lot
of traffic goes over peers through internet
exchanges. So just swapping transit is only
half the problem.</span></p>
<p><span style="color:black"><br>
Prep wise:</span></p>
<p><span style="color:black">So practice
altering your IP advertisements, dropping
and bringing up peers. If you connect to
route servers, practice doing selective
announcements. Try to get private
interconnects to your upstream telco
providers. Get your network teams warmed
up for when it does happen. If you host
with a cloud provider, have a backup because
if DDoS is coming from the same cloud .....</span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black"> </span></p>
<p><span style="color:black">Tim</span></p>
<p class="MsoNormal"><span style="font-family:Helvetica,sans-serif;color:black"><br>
_______________________________________________<br>
VoiceOps mailing list<br>
<a href="mailto:VoiceOps@voiceops.org" target="_blank" moz-do-not-send="true">VoiceOps@voiceops.org</a><br>
<a href="https://puck.nether.net/mailman/listinfo/voiceops" target="_blank" moz-do-not-send="true">https://puck.nether.net/mailman/listinfo/voiceops</a></span></p>
</div>
<p class="MsoNormal"><span style="font-size:10pt;font-family:Arial,sans-serif;color:black"> </span></p>
</div>
</div>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</blockquote>
</div></blockquote></body></html>