dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
12
share rss forum feed

borntochill

join:2003-02-09
united state

1 recommendation

reply to Davesnothere

Re: DDOS Attacks - Is Any VoIPP More Immune ?

There are effective mitigation systems against sophisticated DDoS attacks. For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

CallCentric's protracted outage should be a wake-up call for all VSPs. It's not just an inconvenience; it's a matter of public safety. Not everyone has a charged cell phone at the ready and if a 911 call doesn't complete in an emergency, it can cost lives.

If certain VSPs have deployed more robust anti-DDoS measures, I'd like to hear from them here.



Arne Bolen
Happy Anveo customer
Premium
join:2009-06-21
Planet Earth
kudos:4
Reviews:
·voip.ms
·callwithus
·Callcentric

1 edit

1 recommendation

said by borntochill:

For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

Would be difficult to offer free calls between customers and low price to/from PSTN.

said by borntochill:

CallCentric's protracted outage should be a wake-up call for all VSPs. It's not just an inconvenience; it's a matter of public safety.

For many people free or extreme low price is more important than public safety.

said by borntochill:

If certain VSPs have deployed more robust anti-DDoS measures, I'd like to hear from them here.

There are many such VSPs. ISPs offering voip probably use a closed network for SIP device registrations, thus more difficult to take out with DDoS.
--
My VoIP News

nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to borntochill

said by borntochill:

There are effective mitigation systems against sophisticated DDoS attacks. For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

CallCentric's protracted outage should be a wake-up call for all VSPs. It's not just an inconvenience; it's a matter of public safety. Not everyone has a charged cell phone at the ready and if a 911 call doesn't complete in an emergency, it can cost lives.

If certain VSPs have deployed more robust anti-DDoS measures, I'd like to hear from them here.

All that traffic still has to be dumped somewhere. So yes upstream filtering but your ISP may charge a ton if it saturates too much of even their stream.

nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to Arne Bolen

Closed network and not BYOD may help. But then you do not get to BYOD.



Arne Bolen
Happy Anveo customer
Premium
join:2009-06-21
Planet Earth
kudos:4
Reviews:
·voip.ms
·callwithus
·Callcentric

said by nonymous:

Closed network and not BYOD may help. But then you do not get to BYOD.

That is of course a disadvantage, but maybe the competition will make ISP voip providers to understand BYOD.
--
My VoIP News

borntochill

join:2003-02-09
united state
reply to Arne Bolen

said by Arne Bolen:

said by borntochill:

For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

Would be difficult to offer free calls between customers and low price to/from PSTN.

Do you know that for sure, or is that a guess?

Let's suppose a VSP has 50,000 customers and it costs $50,000/year extra for a robust DDoS mitigation service. That's an extra $1/year per customer. Or let's go further and say it costs $600,000/year extra with the same number of customers. That's an extra $1/month per customer. And yes, I'm reaching for numbers myself, because I don't have personal experience deploying such systems. Regardless, if these numbers are in the ballpark, for my own clients I can say with some certainty that they'd be more than willing to pay either amount extra to not endure future protracted DDoS outages like the one that afflicted CallCentric. I can also say with some certainty that it will be difficult or impossible to persuade some of my clients to stay with any VSP that suffers more than one outage like this. It could be ruinous to their business. I'm glad I have backup providers, but it nevertheless requires my intervention.
said by Arne Bolen:

said by borntochill:

If certain VSPs have deployed more robust anti-DDoS measures, I'd like to hear from them here.

There are many such VSPs. ISPs offering voip probably use a closed network for SIP device registrations, thus more difficult to take out with DDoS.

I should have clarified: BYOD VSPs.

OmagicQ
Posting in a thread near you

join:2003-10-23
Bakersfield, CA
kudos:1
Reviews:
·Bright House

We forget that this happens on POTS also, just that in those cases its all the people trying to make calls after a major disaster like an earthquake or something that ties up all the circuits.
--
...Who, What, When, Where, How... Why? Why Not?


PX Eliezer7
Premium
join:2008-08-09
Hutt River
kudos:13
Reviews:
·callwithus
·voip.ms

1 recommendation

reply to borntochill

You raise good points.

My understanding is that the costs are even higher than you considered.

But here are some problems that I see:

1) How well can these DDoS mitigation services actually prevent the super-massive attacks?

By all accounts, MANY providers have been fending off these attacks on a constant basis.

When it comes to the super-massive attack (imagine Charlie Sheen's reaction if you rear-end his car) it may be that these DDoS mitigation services add little or nothing.

2) If a VoIPP publicizes that it is using a DDoS mitigation service, it becomes more of a target.

3) If a VoIPP keeps it confidential to avoid becoming more of a target and to enhance the safety of their security program, then customers won't know to preferentially choose them. And the VoIPP will suffer as competitors will charge less.

These problems can be surmounted, I am just saying that it is difficult.

------------------------------

I bet that in upcoming months some providers may offer more options of service, security, and support levels. It's a natural evolution.



Arne Bolen
Happy Anveo customer
Premium
join:2009-06-21
Planet Earth
kudos:4
Reviews:
·voip.ms
·callwithus
·Callcentric
reply to borntochill

said by borntochill:

said by Arne Bolen:

said by borntochill:

For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

Would be difficult to offer free calls between customers and low price to/from PSTN.

Do you know that for sure, or is that a guess?

50,000 free riders paying $0.00 extra gives the enormous extra revenue of zero. I'm sure Verisign will be happy to accept that large amount as payment for their services.
--
My VoIP News


Davesnothere
No-BHELL-ity DOES have its Advantages
Premium
join:2009-06-15
START Today!
kudos:7

said by Arne Bolen:

50,000 free riders paying $0.00 extra gives the enormous extra revenue of zero. I'm sure Verisign will be happy to accept that large amount as payment for their services.

 
Put lots of trailing zeroes after the decimal point.

THAT'll impress 'em !


Arne Bolen
Happy Anveo customer
Premium
join:2009-06-21
Planet Earth
kudos:4
Reviews:
·voip.ms
·callwithus
·Callcentric

said by Davesnothere:

said by Arne Bolen:

50,000 free riders paying $0.00 extra gives the enormous extra revenue of zero. I'm sure Verisign will be happy to accept that large amount as payment for their services.

 
Put lots of trailing zeroes after the decimal point.

THAT'll impress 'em !

said by Davesnothere:

said by Arne Bolen:

50,000 free riders paying $0.00 extra gives the enormous extra revenue of zero. I'm sure Verisign will be happy to accept that large amount as payment for their services.

 
Put lots of trailing zeroes after the decimal point.

THAT'll impress 'em !

You are right. The whopping high amount is:
$0.0000000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000

Verisign will give their best service for such large amount...
--
My VoIP News

borntochill

join:2003-02-09
united state

1 edit
reply to PX Eliezer7

Those are all good points and good questions, ones unlikely to occupy much mental space for most residential VoIP end-users looking for a dial tone on the cheep (or for free). However, they preoccupy those of us who must put out fires for others when things go south. I have a colleague in a fortune 500 enterprise who I think has been directly involved in DDoS preparedness and I'll bend his ear next time I see him.

In this forum there are frequent posts touting the importance of DNS SRV bypass in choosing a VSP and I do not doubt its value. However, I've set up the majority of my clients on a VSP without it and in the year-and-a-half with that outfit, there's been under a handful of hours of reported issues with the server they're on, more importantly, zero perceived outages from my clients' perspective. Conversely, I put one client on CallCentric because of their stellar reputation for uptime and DNS SRV bypass support, and then ironically experience this multi-day outage. I intend no criticism of CallCentric in mentioning this. The same attack could just as easily happen to any of their competitors, and already has to a few.

What I'm saying is that the spate of sophisticated DDoS attacks against VSPs and their serious impact on end users leave me more inclined to prioritize DDoS protection than, say, DNS SRV. I acknowledge the dilemmas you mention about how, and how much, information providers should share about DDos defenses, but we need some ability to evaluate the relative investment in DDoS preparedness among VSPs all the same.


nitzan
Premium,VIP
join:2008-02-27
kudos:7

1 recommendation

reply to nonymous

said by nonymous:

said by borntochill:

There are effective mitigation systems against sophisticated DDoS attacks. For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

All that traffic still has to be dumped somewhere. So yes upstream filtering but your ISP may charge a ton if it saturates too much of even their stream.

You guys are thinking regular DDOS attacks - at least in this case it wasn't a regular attack. CallCentric's "pipes" haven't been clogged - it's the registration servers that became overloaded. This has nothing to do with bandwidth or lack thereof.

The only ways to mitigate this attack are to deploy more secure code and/or deploy more/bigger registration servers. To put it to an example, lets say you have a registration server big enough to handle 1000 registrations a second - if a few servers send 10000 requests a second at it it'll choke - but it's relatively easy to fix by just blocking them. But if 600,000 servers (botnet) send one request a minute the effect is the same, yet incredibly hard to block. There are other ways to make this even harder to block, but I don't want to give the bad guys more ideas.

So bottom line: bigger servers + better code = less susceptible to registrar DDOS.

borntochill

join:2003-02-09
united state

said by nitzan:

You guys are thinking regular DDOS attacks - at least in this case it wasn't a regular attack. CallCentric's "pipes" haven't been clogged - it's the registration servers that became overloaded. This has nothing to do with bandwidth or lack thereof.

Thanks for the heads up. I hadn't more than quickly perused the CC outage thread so was unaware of this info.

All the same, it's helpful to know which VSPs are investing resources and being proactive in protecting their systems. Since there are DDoS vulnerabilities unique to VoIP, is there a working group sharing information to help providers stay up-to-date on the latest threats, and, if so, who is actively participating?

This sort of information needn't be cloak-and-dagger.