I would agree, but modify this advice to read: “TCP or TLS to the edge for end-users, then step down to UDP with big MTUs inside the service provider core.”
— Sent from mobile, with due apologies for brevity and errors.

> On Oct 8, 2021, at 8:25 AM, Tim Bray via VoiceOps <voiceops@voiceops.org> wrote:
>
> UDP fragments have been a problem for years.
>
> Mitigations historically have been to turn off spare codecs. On snom phones, turn off fancy features.
>
> Tbh, the only really modern mitigation is just to use SIP over TLS and taking UDP out of the mix for everything except media.
>
> Tim
>
> On 07/10/2021 23:34, Jared Geiger wrote:
>> Cloudflare made another blog post about what kinds of traffic they are seeing. https://blog.cloudflare.com/update-on-voip-attacks/
>>
>> One problem is if Cloudflare drops UDP fragments, that could cause some calls to fail and others not to. Especially now with SHAKEN/STIR certs in the headers and people putting every codec known to man on the INVITEs. Verizon specifically mentioned UDP fragments in the email notice before they put S/S on TF Inbound. So Cloudflare Magic Transit isn't necessarily the easy button for protecting VoIP traffic, but it would definitely help keep a network alive and processing calls during an attack.
>>
>> On Mon, Oct 4, 2021 at 6:24 AM Mike Hammett <voice...@ics-il.net> wrote:
>>> For those that don't know what BGPlay is...
>>>
>>> https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=67.231.4.88&w.starttime=1632921600&w.endtime=1632960000&w.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp
>>>
>>> -----
>>> Mike Hammett
>>> Intelligent Computing Solutions
>>> http://www.ics-il.com
>>>
>>> Midwest Internet Exchange
>>> http://www.midwest-ix.com
>>>
>>> From: "Joseph Jackson" <jjack...@aninetworks.net>
>>> To: "Mike Hammett" <voice...@ics-il.net>
>>> Cc: "Tim Bray" <t...@kooky.org>, voiceops@voiceops.org
>>> Sent: Saturday, October 2, 2021 11:20:26 AM
>>> Subject: RE: [VoiceOps] VoIP Provider DDoSes
>>>
>>> Is now. If you look at their BGP announcements over the last week using something like bgplay you can see them move all their prefixes behind Cloudflare.
>>>
>>> From: Mike Hammett [mailto:voice...@ics-il.net]
>>> Sent: Saturday, October 02, 2021 10:30 AM
>>> To: Joseph Jackson
>>> Cc: Tim Bray; voiceops@voiceops.org
>>> Subject: Re: [VoiceOps] VoIP Provider DDoSes
>>>
>>> Has been or is now?
>>>
>>> -----
>>> Mike Hammett
>>> Intelligent Computing Solutions
>>> http://www.ics-il.com
>>>
>>> Midwest Internet Exchange
>>> http://www.midwest-ix.com
>>>
>>> From: "Joseph Jackson" <jjack...@aninetworks.net>
>>> To: "Tim Bray" <t...@kooky.org>, voiceops@voiceops.org
>>> Sent: Saturday, October 2, 2021 9:43:23 AM
>>> Subject: Re: [VoiceOps] VoIP Provider DDoSes
>>>
>>> Bandwidth.com is using Cloudflare's Magic Transit for DDoS protection. Seems to be working ok. CF says it doesn't matter the protocol; they can scrub the traffic.
>>>
>>> From: VoiceOps [mailto:voiceops-boun...@voiceops.org] On Behalf Of Tim Bray via VoiceOps
>>> Sent: Friday, October 01, 2021 9:34 AM
>>> To: voiceops@voiceops.org
>>> Subject: Re: [VoiceOps] VoIP Provider DDoSes
>>>
>>> On 26/09/2021 21:54, Mike Hammett wrote:
>>>
>>> Are your garden variety DDoS mitigation platforms or services equipped to handle DDoSes of VoIP services? What nuances does one have to be cognizant of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
>>>
>>> Without saying too much:
>>>
>>> Seems to be a spate of DDoS against UK based VoIP providers at the moment. For ransom. Don't pay.
>>>
>>> One provider said that traditional approaches did not work. They tried Voxility but just got false positives. There are providers that do work.
>>>
>>> But in the UK a lot of traffic goes over peers through internet exchanges. So just swapping transit is only half the problem.
>>>
>>> Prep wise:
>>>
>>> So practice altering your IP advertisements, dropping and bringing up peers. If you connect to route servers, practice doing selective announcements. Try to get private interconnects to your upstream telco providers. Get your network teams warmed up for when it does happen. If you host with a cloud provider, have a backup because if DDoS is coming from the same cloud .....
>>>
>>> Tim
_______________________________________________ VoiceOps mailing list VoiceOps@voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
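The fragmentation concern in the thread (STIR/SHAKEN Identity headers and long codec lists pushing UDP INVITEs past the MTU), as an added example that is not from the thread or from any vendor named in it: it builds a constructed INVITE, counts the IPv4 fragments it would need at a 1500-byte MTU, and applies the RFC 3261 section 18.1.1 rule for switching a large request to TCP/TLS. All addresses, codec names and the Identity value are constructed placeholders.

```python
import math

ETHERNET_MTU = 1500
IPV4_HEADER = 20   # IPv4 header without options
UDP_HEADER = 8
RFC3261_UDP_LIMIT = 1300  # RFC 3261 s18.1.1: larger requests SHOULD use TCP/TLS

def build_invite(codecs, identity=None):
    """Constructed SIP INVITE (bytes) with an SDP offer for `codecs`, a list of
    (payload_type, 'name/clockrate'). `identity` is an optional constructed
    STIR/SHAKEN Identity header value (a signed PASSporT in real traffic)."""
    pts = " ".join(str(pt) for pt, _ in codecs)
    sdp = "\r\n".join(
        ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
         f"m=audio 20000 RTP/AVP {pts}"]
        + [f"a=rtpmap:{pt} {name}" for pt, name in codecs]) + "\r\n"
    headers = [
        "INVITE sip:+15551230000@example.net SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed",
        "Max-Forwards: 70",
        "From: <sip:+15551234567@example.net>;tag=1",
        "To: <sip:+15551230000@example.net>",
        "Call-ID: constructed-call-id@192.0.2.10",
        "CSeq: 1 INVITE",
        "Contact: <sip:+15551234567@192.0.2.10:5060>",
    ]
    if identity is not None:
        headers.append(f"Identity: {identity}")
    headers += ["Content-Type: application/sdp", f"Content-Length: {len(sdp)}"]
    return ("\r\n".join(headers) + "\r\n\r\n" + sdp).encode("ascii")

def udp_fragments(message, mtu=ETHERNET_MTU):
    """IPv4 fragments the UDP datagram carrying `message` needs on a link
    with `mtu`; every fragment but the last carries a multiple of 8 bytes."""
    datagram = UDP_HEADER + len(message)
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8   # 1480 at a 1500-byte MTU
    return max(1, math.ceil(datagram / per_fragment))

def should_use_tcp(message):
    """RFC 3261 s18.1.1 rule when the path MTU is unknown."""
    return len(message) > RFC3261_UDP_LIMIT

# Constructed offers: a lean one and the "every codec known to man" one.
BASIC = [(0, "PCMU/8000"), (8, "PCMA/8000"), (101, "telephone-event/8000")]
KITCHEN_SINK = BASIC + [(96 + i, f"codec{i}/8000") for i in range(28)]
# Placeholder standing in for a signed PASSporT; real values are this long or longer.
FAKE_IDENTITY = "x" * 700 + ";info=<https://cert.example.net/cert.pem>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    for label, msg in [("basic", build_invite(BASIC)),
                       ("kitchen sink + Identity", build_invite(KITCHEN_SINK, FAKE_IDENTITY))]:
        print(f"{label}: {len(msg)} bytes, {udp_fragments(msg)} fragment(s), "
              f"TCP/TLS advised: {should_use_tcp(msg)}")
```

Any offer that lands in the multi-fragment case is exactly the traffic a scrubbing service that drops UDP fragments will silently break, which is the argument for moving signalling to TLS at the edge.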