Mailing List Archive

VoIP Provider DDoSes
As many may know, a particular VoIP supplier is suffering a DDoS. https://twitter.com/voipms


Are your garden variety DDoS mitigation platforms or services equipped to handle DDoSes of VoIP services? What nuances does one have to be cognizant of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.




-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com
Re: VoIP Provider DDoSes
Simwood's blog has a few articles from the past couple weeks with
commentary on the attacks to voip providers in the UK.
https://blog.simwood.com/2021/09/voip-ddos-fail-to-prepare/

On Tue, Sep 21, 2021 at 2:31 PM Mike Hammett <nanog@ics-il.net> wrote:

> As many may know, a particular VoIP supplier is suffering a DDoS.
> https://twitter.com/voipms
>
> Are your garden variety DDoS mitigation platforms or services equipped to
> handle DDoSes of VoIP services? What nuances does one have to be cognizant
> of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
Re: VoIP Provider DDoSes
Unlike HTTP-based services, which can be placed behind Cloudflare or
similar, SIP trunking servers are harder to protect.

The provider in question makes use of third party hosting services for each
of their cities' POPs. It is my understanding that for the most part they
do not run their own infrastructure but either rent dedicated servers or a
few rack units of Colo in each city.

I question whether some or any of those hosting companies have sufficient
inbound (200-400Gbps) capacity to weather a moderately sized DDoS.



On Tue, Sep 21, 2021, 5:30 PM Mike Hammett <nanog@ics-il.net> wrote:

> As many may know, a particular VoIP supplier is suffering a DDoS.
> https://twitter.com/voipms
>
> Are your garden variety DDoS mitigation platforms or services equipped to
> handle DDoSes of VoIP services? What nuances does one have to be cognizant
> of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
Re: VoIP Provider DDoSes
On 9/21/21 4:09 PM, Eric Kuhnke wrote:
> Unlike http based services which can be placed behind cloudflare or
> similar, harder to protect sip trunking servers.
>
> The provider in question makes use of third party hosting services for
> each of their cities' POPs. It is my understanding that for the most
> part they do not run their own infrastructure but either rent
> dedicated servers or a few rack units of Colo in each city.
>
> I question whether some or any of those hosting companies have
> sufficient inbound (200-400Gbps) capacity to weather a moderately
> sized DDoS.
>
Which makes SIPoHTTP an inevitability.

Mike
Re: VoIP Provider DDoSes
Never heard of that one. WebRTC is maybe easier to protect from DDoS?

Brandon

> On Sep 21, 2021, at 5:37 PM, Michael Thomas <mike@mtcc.com> wrote:
>
> Which makes SIPoHTTP an inevitability.
>
> Mike
Re: VoIP Provider DDoSes
On 9/21/21 6:46 PM, Brandon Svec via NANOG wrote:
> Never heard of that one. WebRTC is maybe easier to protect from DDOS?

I was just kidding/2. But WebRTC doesn't have a signaling protocol. It can
be SIP but it can be completely home brewed too.

Mike


>
> Brandon
>
>> On Sep 21, 2021, at 5:37 PM, Michael Thomas <mike@mtcc.com> wrote:
>>
>> Which makes SIPoHTTP an inevitability.
>>
>> Mike
Re: VoIP Provider DDoSes
Brandon,

Actually, I work for a company that just purchased a startup that deals
with DDoS for WebRTC, WebSockets and gRPC.

Mike,

I could see that, especially since HTTP 3.0 is UDP.

On Tue, Sep 21, 2021 at 9:47 PM Brandon Svec via NANOG <nanog@nanog.org>
wrote:

> Never heard of that one. WebRTC is maybe easier to protect from DDOS?
>
> Brandon
>
> > On Sep 21, 2021, at 5:37 PM, Michael Thomas <mike@mtcc.com> wrote:
> >
> > Which makes SIPoHTTP an inevitability.
> >
> > Mike
>
Re: VoIP Provider DDoSes
Well, I suppose it depends on the type of DDoS.


Some of their sites are hosted with large outfits like Softlayer and Hivelocity. Yeah, some others are a lot smaller.




-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

----- Original Message -----

From: "Eric Kuhnke" <eric.kuhnke@gmail.com>
To: "Mike Hammett" <nanog@ics-il.net>
Cc: "NANOG" <nanog@nanog.org>
Sent: Tuesday, September 21, 2021 6:09:07 PM
Subject: Re: VoIP Provider DDoSes


Unlike http based services which can be placed behind cloudflare or similar, harder to protect sip trunking servers.


The provider in question makes use of third party hosting services for each of their cities' POPs. It is my understanding that for the most part they do not run their own infrastructure but either rent dedicated servers or a few rack units of Colo in each city.


I question whether some or any of those hosting companies have sufficient inbound (200-400Gbps) capacity to weather a moderately sized DDoS.






On Tue, Sep 21, 2021, 5:30 PM Mike Hammett < nanog@ics-il.net > wrote:




As many may know, a particular VoIP supplier is suffering a DDoS. https://twitter.com/voipms


Are your garden variety DDoS mitigation platforms or services equipped to handle DDoSes of VoIP services? What nuances does one have to be cognizant of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.




-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com
Re: VoIP Provider DDoSes
https://twit.tv/shows/security-now/episodes/837?autostart=false




It looks like Security Now covered this yesterday. They claimed that, "There is currently no provider of large pipe VoIP protocol DDoS protection."


Are any of the cloud DDoS mitigation services offering a service like this?

----- Original Message -----

From: "Mike Hammett" <nanog@ics-il.net>
To: "NANOG" <nanog@nanog.org>
Sent: Tuesday, September 21, 2021 4:19:42 PM
Subject: VoIP Provider DDoSes


As many may know, a particular VoIP supplier is suffering a DDoS. https://twitter.com/voipms


Are your garden variety DDoS mitigation platforms or services equipped to handle DDoSes of VoIP services? What nuances does one have to be cognizant of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.




-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com
Re: VoIP Provider DDoSes
Fail2Ban and give ourselves a pat on the back..

On Wed, Sep 22, 2021 at 9:12 AM Mike Hammett <nanog@ics-il.net> wrote:

> https://twit.tv/shows/security-now/episodes/837?autostart=false
>
>
> It looks like Security Now covered this yesterday. They claimed that,
> "There is currently no provider of large pipe VoIP protocol DDoS
> protection."
>
> Are any of the cloud DDoS mitigation services offering a service like this.
>
> ------------------------------
> *From: *"Mike Hammett" <nanog@ics-il.net>
> *To: *"NANOG" <nanog@nanog.org>
> *Sent: *Tuesday, September 21, 2021 4:19:42 PM
> *Subject: *VoIP Provider DDoSes
>
> As many may know, a particular VoIP supplier is suffering a DDoS.
> https://twitter.com/voipms
>
> Are your garden variety DDoS mitigation platforms or services equipped to
> handle DDoSes of VoIP services? What nuances does one have to be cognizant
> of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
>
Re: VoIP Provider DDoSes
Fail2Ban on a couple of dozen servers may not be sufficient to address 400 gigs of traffic.




-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

----- Original Message -----

From: "Terrance Devor" <ter.devor@gmail.com>
To: "Mike Hammett" <nanog@ics-il.net>
Cc: "NANOG" <nanog@nanog.org>
Sent: Wednesday, September 22, 2021 10:24:07 AM
Subject: Re: VoIP Provider DDoSes


Fail2Ban and give ourselves a pat on the back..


On Wed, Sep 22, 2021 at 9:12 AM Mike Hammett < nanog@ics-il.net > wrote:




https://twit.tv/shows/security-now/episodes/837?autostart=false




It looks like Security Now covered this yesterday. They claimed that, "There is currently no provider of large pipe VoIP protocol DDoS protection."


Are any of the cloud DDoS mitigation services offering a service like this.



From: "Mike Hammett" < nanog@ics-il.net >
To: "NANOG" < nanog@nanog.org >
Sent: Tuesday, September 21, 2021 4:19:42 PM
Subject: VoIP Provider DDoSes


As many may know, a particular VoIP supplier is suffering a DDoS. https://twitter.com/voipms


Are your garden variety DDoS mitigation platforms or services equipped to handle DDoSes of VoIP services? What nuances does one have to be cognizant of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.




-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com
Re: VoIP Provider DDoSes
On Wed, Sep 22, 2021 at 11:27 AM Mike Hammett <nanog@ics-il.net> wrote:

> Fail2Ban on a couple of dozen servers may not be sufficient to address 400
> gigs of traffic.
>
>
<you owe me a keyboard>

Also, also.. keep in mind that 'fail2ban' does some processing on the log
messages on which it MAY take action.
It's taking, essentially, untrusted external input and ... acting as 'root'.

That sounds like a recipe for a disaster, to me... Is the code UTF-8 safe?
Are the actions it takes safe in the context of whatever PTR record content
may come down the pipe? Or Apache (or equivalent) log message parsing?

<shudder>


>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> ------------------------------
> *From: *"Terrance Devor" <ter.devor@gmail.com>
> *To: *"Mike Hammett" <nanog@ics-il.net>
> *Cc: *"NANOG" <nanog@nanog.org>
> *Sent: *Wednesday, September 22, 2021 10:24:07 AM
> *Subject: *Re: VoIP Provider DDoSes
>
> Fail2Ban and give ourselves a pat on the back..
>
> On Wed, Sep 22, 2021 at 9:12 AM Mike Hammett <nanog@ics-il.net> wrote:
>
>> https://twit.tv/shows/security-now/episodes/837?autostart=false
>>
>>
>> It looks like Security Now covered this yesterday. They claimed that,
>> "There is currently no provider of large pipe VoIP protocol DDoS
>> protection."
>>
>> Are any of the cloud DDoS mitigation services offering a service like
>> this.
>>
>> ------------------------------
>> *From: *"Mike Hammett" <nanog@ics-il.net>
>> *To: *"NANOG" <nanog@nanog.org>
>> *Sent: *Tuesday, September 21, 2021 4:19:42 PM
>> *Subject: *VoIP Provider DDoSes
>>
>> As many may know, a particular VoIP supplier is suffering a DDoS.
>> https://twitter.com/voipms
>>
>> Are your garden variety DDoS mitigation platforms or services equipped to
>> handle DDoSes of VoIP services? What nuances does one have to be cognizant
>> of? A WAF doesn't mean much to SIP, IAX2, RTP, etc.
>>
>>
>>
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
>> Midwest-IX
>> http://www.midwest-ix.com
>>
>>
>
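
The concern in the message above (a log watcher that runs as root and acts on untrusted log text), as an added example that is not part of the thread and is not Fail2Ban's code: a parser that tolerates invalid UTF-8, accepts only a literal IP address as the peer so reverse-DNS names are never acted on, and builds the ban command as an argument list. The `sipd` log format and the `sip_blocklist` set name are hypothetical, and the sample lines are constructed.

```python
import ipaddress
import re

# Hypothetical log format: <date> <time> sipd: auth failure user='<user>' peer='<peer>'
# Anchored at both ends so client-supplied text in `user` cannot stand in for `peer`.
LINE_RE = re.compile(
    r"^\S+ \S+ sipd: auth failure user='(?P<user>.*)' peer='(?P<peer>[^']{1,64})'$"
)
# Only characters that occur in a bare IPv4/IPv6 literal: no names, no '%' scope id.
IP_CHARS = re.compile(r"[0-9A-Fa-f:.]{2,45}")
BAN_SET = "sip_blocklist"  # hypothetical ipset name


def offender(raw_line: bytes):
    """Return the peer address of a failure line, or None if anything is off."""
    # Undecodable bytes must never raise inside the daemon; replace them instead.
    text = raw_line.decode("utf-8", errors="replace").rstrip("\r\n")
    m = LINE_RE.match(text)
    if not m or not IP_CHARS.fullmatch(m["peer"]):
        return None  # not a failure line, or the peer is a (PTR-derived) name
    try:
        ip = ipaddress.ip_address(m["peer"])
    except ValueError:
        return None
    return None if ip.is_loopback else ip  # never ban the host itself


def ban_argv(ip):
    """Build the ban command as an argument list; it is never handed to a shell."""
    return ["ipset", "add", BAN_SET, str(ip), "timeout", "600"]


# Constructed sample input (not taken from the thread).
SAMPLE = [
    b"2021-09-22 11:30:01 sipd: auth failure user='1000' peer='203.0.113.7'\n",
    b"2021-09-22 11:30:02 sipd: auth failure user='\xff\xfe1000' peer='198.51.100.23'\n",
    b"2021-09-22 11:30:03 sipd: auth failure user='1001' peer='pool-7.example.net$(true)'\n",
    b"2021-09-22 11:30:04 sipd: auth failure user='1002' peer='fe80::1%eth0'\n",
    b"2021-09-22 11:30:05 sipd: auth failure user='1003' peer='127.0.0.1'\n",
]


def plan(lines):
    """Return the argv lists that would be run for a batch of log lines."""
    return [ban_argv(ip) for ip in map(offender, lines) if ip is not None]


if __name__ == "__main__":
    print(*plan(SAMPLE), sep="\n")
```

Only the first two sample lines yield a ban; the name-valued peer, the scoped IPv6 address and the loopback address are dropped before any command is built.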