

Davesnothere
No-BHELL-ity DOES have its Advantages
Premium
join:2009-06-15
START Today!
kudos:7

4 edits

DDoS Attacks, Is Any VoIPP Less Susceptible ?

 
{Quoted from the CallCentric DDOS thread, page 16 »CallCentric tech issues today? }

said by Mango:

Though we can do little more than speculate, I'd be very interested to know if the same attacker caused the problems with both Anveo and Callcentric.

If so, who is next ?

 
Interesting question.

I was considering starting another thread about that next week, and to pose the question regarding which (if any) VoIP provider's topology and infrastructure might allow them to better endure/repel being 'next', but I guess I'm doing it now.

Since VOIP.MS is so frequently compared to CallCentric on DSLR, let's consider them first.

One regularly mentioned fundamental difference between them and CallCentric is that VOIP.MS has multiple servers (POPs) and WE get to choose one when we config our ATA, but they do not support DNS SRV like CallCentric and some others do, and not doing so is a factor which many folks say is a disadvantage.

My first question would be :

Would VOIP.MS be better off or not with their multiple servers and POPs (each has its own IP address) in such an attack as CC has so recently experienced ? (and is still experiencing)

Would they be a harder target to effectively hit and bring down ?

Without all of their eggs in one basket, would a hacker have to have more BOTs/Zombies to cover all of the VOIP.MS's SIP servers, and would he/she have to engineer/coordinate/execute a more complex plan in order to do it ?

--

We have only 2 things about which to worry :
(1) That things may never get back to normal
(2) That they already HAVE !
-
START Forum »Start Communications
Or you can still use Canadian Broadband.


a1computers

join:2012-10-06
Pasadena, CA

Re: DDOS Attacks - Is Any VoIPP More Immune ?

Not entirely sure what CC's infrastructure is but I do know they have 5 alternative ip's. During the assault each ip would register for about a min. or 2 in 3CX. It is a scary question to wonder what the next service could be that goes down.

grand total

join:2005-10-26
Mississauga
kudos:2
Reviews:
·VMedia
·Anveo
said by a1computers:

Not entirely sure what CC's infrastructure is but I do know they have 5 alternative ip's.

How do you know that? Their DNS SRV record indicates nine.
--
DPC3825 - WRT610N - Panasonic KX-TGP500 - Asterisk 1.8.11.0 with Asterisk GUI on Virtual Server
Anveo - Voxbeam - Localphone - Numbergroup - Callcentric - VoIP.MS - UKDDI

nitzan
Premium,VIP
join:2008-02-27
kudos:8

1 recommendation

reply to Davesnothere
If a person or group has access to a botnet or other means that can bring a provider down - attacking one server or 10 servers would be about the same. So the answer is no - there is no such thing as immunity from DDOS. There are things you can do such as having a ton of bandwidth, strong and secure servers, etc. - but complete immunity is impossible.


Arne Bolen
Happy Anveo customer
Premium
join:2009-06-21
Cyberspace
kudos:4
Reviews:
·Anveo
·voip.ms
reply to Davesnothere
said by Davesnothere:

to pose the question regarding which (if any) VoIP provider's topology and infrastructure might allow them to better endure/repel being 'next',

In theory it is possible for a provider to be less vulnerable to DDoS attacks. But most residential customers would be very unhappy.

For incoming calls:

• Customers are not allowed to register a SIP device or a softphone.

• Incoming calls can only be forwarded to a SIP address or a PSTN number

Forwarding of Callcentric inbound calls to a SIP address has been working very well during this attack, not a single missed call.

For outgoing calls:

• Customers are not allowed to register a SIP device or a softphone.

• Outgoing calls can only be set up to a SIP address or a PSTN number using a Click 2 Dial feature.

Without SIP device/softphone registration it would be a lot more difficult to launch a successful DDoS attack on a provider.

But as long as we are stuck with IPv4 this solution will not work for most residential users.
--
My VoIP News

PX Eliezer70
Premium
join:2008-08-09
Hutt River
kudos:13
Reviews:
·callwithus
·voip.ms
Arne, does IPv6 help this problem?

---------------------------------

Although getting to the promised land of IPv6 may require both:

a) Another Moses.
b) Another 40 years in the desert.

The US government has badly missed their own deadline last week for IPv6 on their websites.
»www.zdnet.com/us-government-gets···0005055/


Arne Bolen
Happy Anveo customer
Premium
join:2009-06-21
Cyberspace
kudos:4
Reviews:
·Anveo
·voip.ms
said by PX Eliezer70:

Arne, does IPv6 help this problem?

With IPv6 it's likely the customer will have a unique static public IP address for his SIP device, thus avoiding NAT issues.
--
My VoIP News

borntochill

join:2003-02-09
united state

1 recommendation

reply to Davesnothere
There are effective mitigation systems against sophisticated DDoS attacks. For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

CallCentric's protracted outage should be a wake-up call for all VSPs. It's not just an inconvenience; it's a matter of public safety. Not everyone has a charged cell phone at the ready and if a 911 call doesn't complete in an emergency, it can cost lives.

If certain VSPs have deployed more robust anti-DDoS measures, I'd like to hear from them here.


Arne Bolen
Happy Anveo customer
Premium
join:2009-06-21
Cyberspace
kudos:4
Reviews:
·Anveo
·voip.ms

1 edit

1 recommendation

said by borntochill:

For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

Would be difficult to offer free calls between customers and low price to/from PSTN.

said by borntochill:

CallCentric's protracted outage should be a wake-up call for all VSPs. It's not just an inconvenience; it's a matter of public safety.

For many people free or extremely low price is more important than public safety.

said by borntochill:

If certain VSPs have deployed more robust anti-DDoS measures, I'd like to hear from them here.

There are many such VSPs. ISPs offering voip probably use a closed network for SIP device registrations, thus more difficult to take out with DDoS.
--
My VoIP News


Davesnothere
No-BHELL-ity DOES have its Advantages
Premium
join:2009-06-15
START Today!
kudos:7

4 edits
reply to Davesnothere
 
I have re-titled the thread 'Less Susceptible' rather than 'More Immune', as I was not looking for total immunity, just better armour.

So the consensus so far is THIS ? :

(1) It doesn't matter that VOIP.MS has these multiple SIP-servers/POPs, as a hacker would 'just' have to target several IP addresses instead of one to bring down that provider ? - And doing so would not require significantly more resources ?

VOIP.MS is not very much 'Less Susceptible' to this sort of attack, if the attacker would have enough experience in that sort of activity ?

(2) VoIPPs who use a 'closed' or private network would be 'Less Susceptible' to this stuff ? - Would this include the current Cablecos, or Vonage or MagicJerk ?

nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to borntochill
said by borntochill:

There are effective mitigation systems against sophisticated DDoS attacks. For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

CallCentric's protracted outage should be a wake-up call for all VSPs. It's not just an inconvenience; it's a matter of public safety. Not everyone has a charged cell phone at the ready and if a 911 call doesn't complete in an emergency, it can cost lives.

If certain VSPs have deployed more robust anti-DDoS measures, I'd like to hear from them here.

All that traffic still has to be dumped somewhere. So yes upstream filtering but your ISP may charge a ton if it saturates too much of even their stream.

nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to Arne Bolen
Closed network and not BYOD may help. But then you do not get to BYOD.


Arne Bolen
Happy Anveo customer
Premium
join:2009-06-21
Cyberspace
kudos:4
Reviews:
·Anveo
·voip.ms
said by nonymous:

Closed network and not BYOD may help. But then you do not get to BYOD.

That is of course a disadvantage, but maybe the competition will make ISP VoIP providers understand BYOD.
--
My VoIP News

borntochill

join:2003-02-09
united state
reply to Arne Bolen
said by Arne Bolen:

said by borntochill:

For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

Would be difficult to offer free calls between customers and low price to/from PSTN.

Do you know that for sure, or is that a guess?

Let's suppose a VSP has 50,000 customers and it costs $50,000/year extra for a robust DDoS mitigation service. That's an extra $1/year per customer. Or let's go further and say it costs $600,000/year extra with the same number of customers. That's an extra $1/month per customer. And yes, I'm reaching for numbers myself, because I don't have personal experience deploying such systems. Regardless, if these numbers are in the ballpark, for my own clients I can say with some certainty that they'd be more than willing to pay either amount extra to not endure future protracted DDoS outages like the one that afflicted CallCentric. I can also say with some certainty that it will be difficult or impossible to persuade some of my clients to stay with any VSP that suffers more than one outage like this. It could be ruinous to their business. I'm glad I have backup providers, but it nevertheless requires my intervention.
said by Arne Bolen:

said by borntochill:

If certain VSPs have deployed more robust anti-DDoS measures, I'd like to hear from them here.

There are many such VSPs. ISPs offering voip probably use a closed network for SIP device registrations, thus more difficult to take out with DDoS.

I should have clarified: BYOD VSPs.

OmagicQ
Posting in a thread near you

join:2003-10-23
Bakersfield, CA
kudos:1
We forget that this happens on POTS also, just that in those cases it's all the people trying to make calls after a major disaster like an earthquake or something that ties up all the circuits.
--
...Who, What, When, Where, How... Why? Why Not?

PX Eliezer70
Premium
join:2008-08-09
Hutt River
kudos:13
Reviews:
·callwithus
·voip.ms

1 recommendation

reply to borntochill
You raise good points.

My understanding is that the costs are even higher than you considered.

But here are some problems that I see:

1) How well can these DDoS mitigation services actually prevent the super-massive attacks?

By all accounts, MANY providers have been fending off these attacks on a constant basis.

When it comes to the super-massive attack (imagine Charlie Sheen's reaction if you rear-end his car) it may be that these DDoS mitigation services add little or nothing.

2) If a VoIPP publicizes that it is using a DDoS mitigation service, it becomes more of a target.

3) If a VoIPP keeps it confidential to avoid becoming more of a target and to enhance the safety of their security program, then customers won't know to preferentially choose them. And the VoIPP will suffer as competitors will charge less.

These problems can be surmounted, I am just saying that it is difficult.

------------------------------

I bet that in upcoming months some providers may offer more options of service, security, and support levels. It's a natural evolution.


Arne Bolen
Happy Anveo customer
Premium
join:2009-06-21
Cyberspace
kudos:4
Reviews:
·Anveo
·voip.ms
reply to borntochill
said by borntochill:

said by Arne Bolen:

said by borntochill:

For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

Would be difficult to offer free calls between customers and low price to/from PSTN.

Do you know that for sure, or is that a guess?

50,000 free riders paying $0.00 extra gives the enormous extra revenue of zero. I'm sure Verisign will be happy to accept that large amount as payment for their services.
--
My VoIP News


Davesnothere
No-BHELL-ity DOES have its Advantages
Premium
join:2009-06-15
START Today!
kudos:7
said by Arne Bolen:

50,000 free riders paying $0.00 extra gives the enormous extra revenue of zero. I'm sure Verisign will be happy to accept that large amount as payment for their services.

 
Put lots of trailing zeroes after the decimal point.

THAT'll impress 'em !


Arne Bolen
Happy Anveo customer
Premium
join:2009-06-21
Cyberspace
kudos:4
Reviews:
·Anveo
·voip.ms
said by Davesnothere:

said by Arne Bolen:

50,000 free riders paying $0.00 extra gives the enormous extra revenue of zero. I'm sure Verisign will be happy to accept that large amount as payment for their services.

 
Put lots of trailing zeroes after the decimal point.

THAT'll impress 'em !

You are right. The whopping high amount is:
$0.0000000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000

Verisign will give their best service for such a large amount...
--
My VoIP News

borntochill

join:2003-02-09
united state

1 edit
reply to PX Eliezer70
Those are all good points and good questions, ones unlikely to occupy much mental space for most residential VoIP end-users looking for a dial tone on the cheap (or for free). However, they preoccupy those of us who must put out fires for others when things go south. I have a colleague in a Fortune 500 enterprise who I think has been directly involved in DDoS preparedness and I'll bend his ear next time I see him.

In this forum there are frequent posts touting the importance of DNS SRV bypass in choosing a VSP and I do not doubt its value. However, I've set up the majority of my clients on a VSP without it and in the year-and-a-half with that outfit, there's been under a handful of hours of reported issues with the server they're on, more importantly, zero perceived outages from my clients' perspective. Conversely, I put one client on CallCentric because of their stellar reputation for uptime and DNS SRV bypass support, and then ironically experienced this multi-day outage. I intend no criticism of CallCentric in mentioning this. The same attack could just as easily happen to any of their competitors, and already has to a few.

What I'm saying is that the spate of sophisticated DDoS attacks against VSPs and their serious impact on end users leave me more inclined to prioritize DDoS protection than, say, DNS SRV. I acknowledge the dilemmas you mention about how, and how much, information providers should share about DDoS defenses, but we need some ability to evaluate the relative investment in DDoS preparedness among VSPs all the same.

nitzan
Premium,VIP
join:2008-02-27
kudos:8

1 recommendation

reply to nonymous
said by nonymous:

said by borntochill:

There are effective mitigation systems against sophisticated DDoS attacks. For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

All that traffic still has to be dumped somewhere. So yes upstream filtering but your ISP may charge a ton if it saturates too much of even their stream.

You guys are thinking regular DDOS attacks - at least in this case it wasn't a regular attack. CallCentric's "pipes" haven't been clogged - it's the registration servers that became overloaded. This has nothing to do with bandwidth or lack thereof.

The only ways to mitigate this attack are to deploy more secure code and/or deploy more/bigger registration servers. To put it to an example, let's say you have a registration server big enough to handle 1000 registrations a second - if a few servers send 10000 requests a second at it, it'll choke - but it's relatively easy to fix by just blocking them. But if 600,000 servers (botnet) send one request a minute the effect is the same, yet incredibly hard to block. There are other ways to make this even harder to block, but I don't want to give the bad guys more ideas.

So bottom line: bigger servers + better code = less susceptible to registrar DDOS.
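
An added illustration of the numbers in nitzan's post above (not code from the thread or from any provider): a per-source rate limiter run over two constructed one-minute REGISTER traces, to show what is left for the registrar to absorb in each case. The 1000 registrations/s capacity and the 600,000-host figure come from the post; the split across five senders and the limit of 6 REGISTERs per source per minute are assumptions.

```python
from collections import defaultdict

CAPACITY_RPS = 1000      # registrar capacity used in the post
WINDOW_S = 60            # one-minute accounting window
PER_SOURCE_LIMIT = 6     # assumed threshold: REGISTERs allowed per source per window


def few_fast_sources(n_sources=5, total_rps=10_000):
    """Constructed trace: a handful of hosts sending 10,000 REGISTER/s in total."""
    for second in range(WINDOW_S):
        for i in range(total_rps):
            yield second, f"fast-{i % n_sources}"


def many_slow_sources(n_sources=600_000):
    """Constructed trace: 600,000 hosts, each sending one REGISTER per minute."""
    for i in range(n_sources):
        yield i * WINDOW_S // n_sources, f"bot-{i}"


def apply_per_source_limit(events, limit=PER_SOURCE_LIMIT):
    """Fixed-window per-source limiter.

    Returns (requests offered, requests passed, number of sources that hit the limit).
    """
    seen = defaultdict(int)
    blocked = set()
    offered = passed = 0
    for _second, src in events:
        offered += 1
        seen[src] += 1
        if seen[src] <= limit:
            passed += 1
        else:
            blocked.add(src)
    return offered, passed, len(blocked)


def assess(events):
    """Load the registrar still sees after per-source limiting, versus its capacity."""
    offered, passed, blocked = apply_per_source_limit(events)
    residual_rps = passed / WINDOW_S
    return {
        "offered_rps": offered / WINDOW_S,
        "residual_rps": residual_rps,
        "sources_blocked": blocked,
        "overloaded": residual_rps > CAPACITY_RPS,
    }


if __name__ == "__main__":
    for name, trace in (("few fast sources", few_fast_sources()),
                        ("many slow sources", many_slow_sources())):
        print(name, assess(trace))
```

Both traces offer the same 10,000 requests/s; the limiter trips on every sender in the first trace and on none in the second, which is why the post points to registrar capacity and code quality rather than source blocking.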

borntochill

join:2003-02-09
united state
said by nitzan:

You guys are thinking regular DDOS attacks - at least in this case it wasn't a regular attack. CallCentric's "pipes" haven't been clogged - it's the registration servers that became overloaded. This has nothing to do with bandwidth or lack thereof.

Thanks for the heads up. I hadn't more than quickly perused the CC outage thread so was unaware of this info.

All the same, it's helpful to know which VSPs are investing resources and being proactive in protecting their systems. Since there are DDoS vulnerabilities unique to VoIP, is there a working group sharing information to help providers stay up-to-date on the latest threats, and, if so, who is actively participating?

This sort of information needn't be cloak-and-dagger.


VexorgTR

join:2012-08-27
Sheffield Lake, OH
kudos:1
Reviews:
·voip.ms
reply to Davesnothere

Re: DDoS Attacks, Is Any VoIPP Less Susceptible ?

I think just about anyone could get "skunked" by a DDoS, provided that there's a big enough attack base.

The Plus side is that CC wasn't totally smashed... the calls could be re-routed to mobile for the 2 days. Despite that it "Beat Up" CallCentric... it technically didn't take it out. The website, and the call routing worked the whole time.

grand total

join:2005-10-26
Mississauga
kudos:2
Reviews:
·VMedia
·Anveo

1 recommendation

said by VexorgTR:

The Plus side is that CC wasn't totally smashed... the calls could be re-routed to mobile for the 2 days. Despite that it "Beat Up" CallCentric... it technically didn't take it out. The website, and the call routing worked the whole time.

I tried to reroute calls to another SIP URI, but testing showed that the calls were not being forwarded. I don't think I was alone in that. All attempts at outgoing calls failed too.

This was a massive attack and to pretend it was anything other than successful does not help anybody.
--
DPC3825 - WRT610N - Panasonic KX-TGP500 - Asterisk 1.8.11.0 with Asterisk GUI on Virtual Server
Anveo - Voxbeam - Localphone - Numbergroup - Callcentric - VoIP.MS - UKDDI

engineerdan

join:2006-12-07
Manassas, VA
said by grand total:

I tried to reroute calls to another SIP URI, but testing showed that the calls were not being forwarded. I don't think I was alone in that.

Without meaning to sound argumentative, you may wish to double check your initial findings.

Our effort to reroute calls for thirteen different DIDs under six different Callcentric accounts was ultimately 100% successful. However, it didn't work at first try.

Without successful SIP registrations, SIP traffic from Callcentric was initially being blocked by our firewall, as it had been programmed to do. Until we opened ports 5060 and 5080 to UDP traffic from Callcentric's IP addresses, initial testing of SIP URI forwarding failed. The calls were being forwarded by Callcentric but being rejected by our equipment.


Trimline
Premium
join:2004-10-24
Windermere, FL
Reviews:
·ObiVoice
·Bright House
·Callcentric
·voip.ms
said by engineerdan:

said by grand total:

I tried to reroute calls to another SIP URI, but testing showed that the calls were not being forwarded. I don't think I was alone in that.

Without meaning to sound argumentative, you may wish to double check your initial findings.

Our effort to reroute calls for thirteen different DIDs under six different Callcentric accounts was ultimately 100% successful. However, it didn't work at first try.

Without successful SIP registrations, SIP traffic from Callcentric was initially being blocked by our firewall, as it had been programmed to do. Until we opened ports 5060 and 5080 to UDP traffic from Callcentric's IP addresses, initial testing of SIP URI forwarding failed. The calls were being forwarded by Callcentric but being rejected by our equipment.

SIP URI forwarding worked yesterday, but is not today for me. The one call that did make it through had no audio, otherwise, dead air is heard on SIP forwarded calls. Sigh.

grand total

join:2005-10-26
Mississauga
kudos:2
Reviews:
·VMedia
·Anveo
reply to engineerdan
said by engineerdan:

said by grand total:

I tried to reroute calls to another SIP URI, but testing showed that the calls were not being forwarded. I don't think I was alone in that.

Without meaning to sound argumentative, you may wish to double check your initial findings.

No problem. I forwarded to another SIP server with an open port 5010 (Anveo). Calls were not being forwarded.
--
DPC3825 - WRT610N - Panasonic KX-TGP500 - Asterisk 1.8.11.0 with Asterisk GUI on Virtual Server
Anveo - Voxbeam - Localphone - Numbergroup - Callcentric - VoIP.MS - UKDDI

garys_2k
Premium
join:2004-05-07
Farmington, MI
Reviews:
·Callcentric
said by grand total:

said by engineerdan:

said by grand total:

I tried to reroute calls to another SIP URI, but testing showed that the calls were not being forwarded. I don't think I was alone in that.

Without meaning to sound argumentative, you may wish to double check your initial findings.

No problem. I forwarded to another SIP server with an open port 5010 (Anveo). Calls were not being forwarded.

That was exactly what I was hoping to try last night (sip forward to Anveo) but went to bed, instead. I guess it wouldn't have been successful, then.


Trimline
Premium
join:2004-10-24
Windermere, FL
Reviews:
·ObiVoice
·Bright House
·Callcentric
·voip.ms
reply to grand total
said by grand total:

said by engineerdan:

said by grand total:

I tried to reroute calls to another SIP URI, but testing showed that the calls were not being forwarded. I don't think I was alone in that.

Without meaning to sound argumentative, you may wish to double check your initial findings.

No problem. I forwarded to another SIP server with an open port 5010 (Anveo). Calls were not being forwarded.

Try forwarding to a DID directly. I just tried, and it seemed to work. Let us know your results.

garys_2k
Premium
join:2004-05-07
Farmington, MI
As of last night that didn't work for me. My next step would have been to try SIP forwarding, but per grand total's experience, there was no guarantee that would work, either.