RE: [EXTERNAL] VoIP Provider DDoSes

2021-09-22 Thread Brian Turnbow via NANOG
Hi

>Something you may want to consider is to put ACLs as far upstream as possible 
>from your SBCs and only allow through what you need to the SBCs.  For example, 
>apply a filter only permitting UDP 5060 and your RTP port range to your SBCs 
>and then blocking everything else.  This is free and should stop a lot of 
>common DDoS attacks before they ever get to your SBCs.  Even better if you 
>can get your upstream ISP to apply the ACL.  DDoS attack traffic should be 
>dropped as close to the source as possible.

Yes, attacks on VoIP have become more prevalent, unfortunately.
Another thing to consider is blocking fragments, which have been a major 
factor in the attacks I have seen in SIP.
But to do this you need to make sure that you are not exceeding MTU length in 
INVITEs, or block fragments only from untrusted IPs.

Brian
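A small policy model of the two recommendations in this exchange (Rich's upstream ACL that only admits UDP 5060 and the RTP range to the SBCs, and Brian's caveat about fragments and INVITE size), added here as an example rather than code from the thread; the SBC block, trusted peer prefix and RTP range are constructed, and the datagram arithmetic assumes IPv4 without options.

```python
# Added example, not code from the thread: models the upstream ACL Rich
# describes (permit UDP 5060 and the RTP range to the SBCs, drop the rest)
# plus Brian's fragment rule, and checks whether a SIP request would
# fragment at the MTU at all. Addresses and port ranges are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SBC_PREFIX = ip_network("198.51.100.0/28")     # constructed SBC address block
TRUSTED_PEERS = [ip_network("203.0.113.0/24")]  # constructed: known SIP peers
SIP_PORT = 5060
RTP_PORTS = range(16384, 32768)                # constructed RTP port range
MTU = 1500
IP_UDP_OVERHEAD = 20 + 8                       # IPv4 header + UDP header

@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "udp" or "tcp"
    dport: int
    fragment: bool = False  # non-initial IP fragment: no L4 header to match

def acl_decision(pkt: Packet) -> str:
    """Return 'permit' or 'drop' for traffic heading toward the SBCs."""
    if ip_address(pkt.dst) not in SBC_PREFIX:
        return "drop"                 # the ACL protects only the SBC block
    if pkt.fragment:
        # A port filter cannot see inside a fragment, so fragments are
        # only accepted from trusted peers (Brian's caveat).
        src = ip_address(pkt.src)
        return "permit" if any(src in n for n in TRUSTED_PEERS) else "drop"
    if pkt.proto == "udp" and (pkt.dport == SIP_PORT or pkt.dport in RTP_PORTS):
        return "permit"
    return "drop"

def fits_in_one_datagram(sip_msg: bytes, mtu: int = MTU) -> bool:
    """True if the SIP message ships in a single UDP datagram at this MTU."""
    return len(sip_msg) + IP_UDP_OVERHEAD <= mtu

def sip_needs_tcp(sip_msg: bytes, path_mtu=None) -> bool:
    """RFC 3261 s18.1.1: a request within 200 bytes of the path MTU, or over
    1300 bytes when the path MTU is unknown, must go over TCP instead."""
    if path_mtu is None:
        return len(sip_msg) > 1300
    return path_mtu - len(sip_msg) < 200

if __name__ == "__main__":
    invite = b"INVITE sip:bob@example.com SIP/2.0\r\nX-Pad: " + b"a" * 1400 + b"\r\n\r\n"
    print(fits_in_one_datagram(invite), sip_needs_tcp(invite))
    print(acl_decision(Packet("192.0.2.10", "198.51.100.5", "udp", 5060, fragment=True)))
```

If your SBCs also take SIP over TCP or TLS, those ports need their own permit entries; the model above reflects only the UDP-only filter described in the thread.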


Re: [EXTERNAL] VoIP Provider DDoSes

2021-09-21 Thread Compton, Rich A
Something you may want to consider is to put ACLs as far upstream as possible 
from your SBCs and only allow through what you need to the SBCs.  For example, 
apply a filter only permitting UDP 5060 and your RTP port range to your SBCs 
and then blocking everything else.  This is free and should stop a lot of 
common DDoS attacks before they ever get to your SBCs.  Even better if you can 
get your upstream ISP to apply the ACL.  DDoS attack traffic should be dropped 
as close to the source as possible.

-Rich



Re: [EXTERNAL] VoIP Provider DDoSes

2021-09-21 Thread Mike Hammett
*nods* We have a Metaswitch SBC. 


So as long as the pipe isn't full, an SBC is the buffer one needs? If the pipe 
is filled, pump it through {insert DDoS mitigation service here}? 







- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 



Re: [EXTERNAL] VoIP Provider DDoSes

2021-09-21 Thread Compton, Rich A
Most of the larger DDoS mitigation appliances can block malformed SIP traffic 
and also can block volumetric/state exhaustion UDP floods.  A lot of VoIP 
companies have Session Border Controllers (SBCs) to protect public facing VoIP 
services.  SBCs are more application aware.  Kind of like a proxy based 
firewall just for VoIP.

-Rich

From: NANOG  on behalf of 
Mike Hammett 
Date: Tuesday, September 21, 2021 at 3:31 PM
To: NANOG list 
Subject: [EXTERNAL] VoIP Provider DDoSes

As many may know, a particular VoIP supplier is suffering a DDoS. 
https://twitter.com/voipms

Are your garden variety DDoS mitigation platforms or services equipped to 
handle DDoSes of VoIP services? What nuances does one have to be cognizant of? 
A WAF doesn't mean much to SIP, IAX2, RTP, etc.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com
E-MAIL CONFIDENTIALITY NOTICE: 
The contents of this e-mail message and any attachments are intended solely for 
the addressee(s) and may contain confidential and/or legally privileged 
information. If you are not the intended recipient of this message or if this 
message has been addressed to you in error, please immediately alert the sender 
by reply e-mail and then delete this message and any attachments. If you are 
not the intended recipient, you are notified that any use, dissemination, 
distribution, copying, or storage of this message or any attachment is strictly 
prohibited.