UDP fragments have been a problem for years.

Mitigations historically have been to turn off spare codecs.  On Snom phones, turn off fancy features.

Tbh, the only really modern mitigation is just to use SIP over TLS and take UDP out of the mix for everything except media.


Tim
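
A worked check on the point above (take SIP off UDP) and on Jared's point below about SHAKEN/STIR Identity headers and long codec lists pushing INVITEs past the MTU. This is an added example, not code from the thread or from any provider named in it. It builds a constructed INVITE, measures whether it still fits one IPv4/UDP datagram, and applies the rule from RFC 3261 section 18.1.1: a request within 200 bytes of the path MTU, or larger than 1300 bytes when the path MTU is unknown, must go over a congestion-controlled transport such as TCP (and therefore TLS). All addresses, numbers, codec payload types and the Identity header are constructed sample data.

```python
"""Added example (not from the thread): does a SIP INVITE fit in one UDP
datagram, and what does RFC 3261 section 18.1.1 require if it does not?

Everything below (addresses, numbers, payload types, the Identity header)
is constructed sample data, not captured traffic.
"""
import math

IPV4_HEADER = 20
UDP_HEADER = 8

# Constructed codec table: name -> (RTP payload type, rtpmap encoding).
CODECS = {
    "PCMU": (0, "PCMU/8000"),
    "PCMA": (8, "PCMA/8000"),
    "G722": (9, "G722/8000"),
    "G729": (18, "G729/8000"),
    "GSM": (3, "GSM/8000"),
    "G726-32": (2, "G726-32/8000"),
    "iLBC": (97, "iLBC/8000"),
    "speex": (98, "speex/16000"),
    "opus": (111, "opus/48000/2"),
    "AMR-WB": (99, "AMR-WB/16000"),
    "telephone-event": (101, "telephone-event/8000"),
}

# Constructed stand-in for a STIR/SHAKEN Identity header (RFC 8224). A real
# PASSporT is a base64url JWS of roughly this length; the letters are filler.
SAMPLE_IDENTITY = (
    "Identity: " + "A" * 100 + "." + "B" * 480 + "." + "C" * 96
    + ";info=<https://cert.example.net/shaken.pem>;alg=ES256;ppt=shaken"
)


def build_sdp(codec_names):
    """SDP audio offer listing every codec in codec_names."""
    pts = [CODECS[n][0] for n in codec_names]
    lines = [
        "v=0",
        "o=alice 2890844526 2890844526 IN IP4 203.0.113.10",
        "s=-",
        "c=IN IP4 203.0.113.10",
        "t=0 0",
        "m=audio 49170 RTP/AVP " + " ".join(str(p) for p in pts),
    ]
    for n in codec_names:
        pt, enc = CODECS[n]
        lines.append(f"a=rtpmap:{pt} {enc}")
    if "telephone-event" in codec_names:
        lines.append("a=fmtp:101 0-16")
    lines += ["a=ptime:20", "a=sendrecv"]
    return ("\r\n".join(lines) + "\r\n").encode()


def build_invite(codec_names, identity=None):
    """Constructed INVITE; identity is an optional full Identity header line."""
    body = build_sdp(codec_names)
    headers = [
        "INVITE sip:+15551234567@sbc.example.net SIP/2.0",
        "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds",
        "Max-Forwards: 70",
        'From: "Alice" <sip:+15557654321@203.0.113.10>;tag=1928301774',
        "To: <sip:+15551234567@sbc.example.net>",
        "Call-ID: a84b4c76e66710@203.0.113.10",
        "CSeq: 314159 INVITE",
        "Contact: <sip:alice@203.0.113.10:5060>",
        "P-Asserted-Identity: <sip:+15557654321@203.0.113.10>",
    ]
    if identity:
        headers.append(identity)
    headers += ["Content-Type: application/sdp", f"Content-Length: {len(body)}"]
    return ("\r\n".join(headers) + "\r\n\r\n").encode() + body


def udp_payload_budget(mtu=1500):
    """Largest SIP message that fits a single unfragmented IPv4/UDP datagram."""
    return mtu - IPV4_HEADER - UDP_HEADER


def ipv4_fragment_count(msg, mtu=1500):
    """Number of IPv4 fragments the datagram carrying msg would need."""
    ip_payload = len(msg) + UDP_HEADER
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8   # fragment data is 8-byte aligned
    return math.ceil(ip_payload / per_fragment)


def rfc3261_transport(msg, path_mtu=None):
    """Transport RFC 3261 section 18.1.1 requires for a request of this size."""
    if path_mtu is None:
        return "tcp" if len(msg) > 1300 else "udp"
    return "tcp" if len(msg) >= path_mtu - 200 else "udp"


if __name__ == "__main__":
    small = build_invite(["PCMU", "telephone-event"])
    fat = build_invite(list(CODECS), identity=SAMPLE_IDENTITY)
    for label, msg in (("2 codecs, no Identity", small), ("11 codecs + Identity", fat)):
        print(f"{label}: {len(msg)} bytes, "
              f"{ipv4_fragment_count(msg)} IPv4 fragment(s) at MTU 1500, "
              f"RFC 3261 transport: {rfc3261_transport(msg)}")
```

Run as a script it prints the two sizes side by side: the two-codec INVITE is a few hundred bytes and stays in one datagram, while the same INVITE with every codec in the table plus an Identity header crosses the 1472-byte budget, splits into two IPv4 fragments, and is already past the point where RFC 3261 says UDP is not allowed. A scrubber that drops fragments therefore fails exactly the calls with the longest headers, which is the selective breakage Jared describes below; sending the signalling over TCP/TLS removes the fragment from the path altogether.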

On 07/10/2021 23:34, Jared Geiger wrote:
Cloudflare made another blog post about what kinds of traffic they are seeing. https://blog.cloudflare.com/update-on-voip-attacks/

One problem is if Cloudflare drops UDP fragments, that could cause some calls to fail and others not to. Especially now with SHAKEN/STIR certs in the headers and people putting every codec known to man on the INVITEs. Verizon specifically mentioned UDP fragments in the email notice before they put S/S on TF Inbound. So cloudflare magic transit isn't necessarily the easy button for protecting VoIP traffic but it would definitely help keep a network alive and processing calls during an attack.

On Mon, Oct 4, 2021 at 6:24 AM Mike Hammett <voice...@ics-il.net> wrote:

    For those that don't know what BGPlay is...


    https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=67.231.4.88&w.starttime=1632921600&w.endtime=1632960000&w.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp



    -----
    Mike Hammett
    Intelligent Computing Solutions
    http://www.ics-il.com



    Midwest Internet Exchange
    http://www.midwest-ix.com



    ------------------------------------------------------------------------
    *From: *"Joseph Jackson" <jjack...@aninetworks.net>
    *To: *"Mike Hammett" <voice...@ics-il.net>
    *Cc: *"Tim Bray" <t...@kooky.org>, voiceops@voiceops.org
    *Sent: *Saturday, October 2, 2021 11:20:26 AM
    *Subject: *RE: [VoiceOps] VoIP Provider DDoSes

    Is now.  If you look at their BGP announcements over the last week
    using something like bgplay you can see them move all their
    prefixes behind cloudflare.

    *From:* Mike Hammett [mailto:voice...@ics-il.net]
    *Sent:* Saturday, October 02, 2021 10:30 AM
    *To:* Joseph Jackson
    *Cc:* Tim Bray; voiceops@voiceops.org
    *Subject:* Re: [VoiceOps] VoIP Provider DDoSes

    Has been or is now?


    ------------------------------------------------------------------------

    *From: *"Joseph Jackson" <jjack...@aninetworks.net>
    *To: *"Tim Bray" <t...@kooky.org>, voiceops@voiceops.org
    *Sent: *Saturday, October 2, 2021 9:43:23 AM
    *Subject: *Re: [VoiceOps] VoIP Provider DDoSes

    Bandwidth.com is using Cloudflare's Magic Transit for DDOS
    protection.  Seems to be working ok.  CF says it doesn't matter
    the protocol; they can scrub the traffic.

    *From:* VoiceOps [mailto:voiceops-boun...@voiceops.org] *On Behalf Of* Tim Bray via VoiceOps
    *Sent:* Friday, October 01, 2021 9:34 AM
    *To:* voiceops@voiceops.org
    *Subject:* Re: [VoiceOps] VoIP Provider DDoSes

    On 26/09/2021 21:54, Mike Hammett wrote:

        Are your garden variety DDoS mitigation platforms or services
        equipped to handle DDoSes of VoIP services? What nuances does
        one have to be cognizant of? A WAF doesn't mean much to SIP,
        IAX2, RTP, etc.

    Without saying too much:

    Seems to be a spate of DDOS against UK based voip providers at the
    moment.   For ransom.  Don't pay.

    One provider said that traditional approaches did not work. They
    tried Voxility but just got false positives.    There are
    providers that do work.

    But in the UK a lot of traffic goes over peers through internet
    exchanges.  So just swapping transit is only half the problem.


    Prep wise:

    So practice altering your IP advertisements, dropping and bringing
    up peers.  If you connect to route servers, practice doing
    selective announcements.  Try to get private interconnects to your
    upstream telco providers.    Get your network teams warmed up for
    when it does happen.    If you host with a cloud provider, have a
    backup because if DDOS is coming from the same cloud .....

    Tim


    _______________________________________________
    VoiceOps mailing list
    VoiceOps@voiceops.org
    https://puck.nether.net/mailman/listinfo/voiceops

