Arne Bolen
User of Anveo Direct, 3CX and Qubes OS.
Premium Member
join:2009-06-21
Utopia

to borntochill

Re: DDOS Attacks - Is Any VoIPP More Immune ?

said by borntochill:

For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

Would be difficult to offer free calls between customers and low price to/from PSTN.
said by borntochill:

CallCentric's protracted outage should be a wake-up call for all VSPs. It's not just an inconvenience; it's a matter of public safety.

For many people free or extremely low price is more important than public safety.
said by borntochill:

If certain VSPs have deployed more robust anti-DDoS measures, I'd like to hear from them here.

There are many such VSPs. ISPs offering VoIP probably use a closed network for SIP device registrations, thus more difficult to take out with DDoS.
nonymous (banned)
join:2003-09-08
Glendale, AZ

Closed network and not BYOD may help. But then you do not get to BYOD.

Arne Bolen
User of Anveo Direct, 3CX and Qubes OS.
Premium Member
join:2009-06-21
Utopia

said by nonymous:

Closed network and not BYOD may help. But then you do not get to BYOD.

That is of course a disadvantage, but maybe the competition will make ISP VoIP providers understand BYOD.
borntochill
join:2003-02-09
united state

to Arne Bolen
said by Arne Bolen:

said by borntochill:

For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

Would be difficult to offer free calls between customers and low price to/from PSTN.

Do you know that for sure, or is that a guess?

Let's suppose a VSP has 50,000 customers and it costs $50,000/year extra for a robust DDoS mitigation service. That's an extra $1/year per customer. Or let's go further and say it costs $600,000/year extra with the same number of customers. That's an extra $1/month per customer. And yes, I'm reaching for numbers myself, because I don't have personal experience deploying such systems. Regardless, if these numbers are in the ballpark, for my own clients I can say with some certainty that they'd be more than willing to pay either amount extra to not endure future protracted DDoS outages like the one that afflicted CallCentric. I can also say with some certainty that it will be difficult or impossible to persuade some of my clients to stay with any VSP that suffers more than one outage like this. It could be ruinous to their business. I'm glad I have backup providers, but it nevertheless requires my intervention.
said by Arne Bolen:

said by borntochill:

If certain VSPs have deployed more robust anti-DDoS measures, I'd like to hear from them here.

There are many such VSPs. ISPs offering VoIP probably use a closed network for SIP device registrations, thus more difficult to take out with DDoS.

I should have clarified: BYOD VSPs.
OmagicQ
Posting in a thread near you
join:2003-10-23
Bakersfield, CA

We forget that this happens on POTS also, just that in those cases it's all the people trying to make calls after a major disaster like an earthquake or something that ties up all the circuits.
PX Eliezer704
Premium Member
join:2008-08-09
Hutt River

to borntochill
You raise good points.

My understanding is that the costs are even higher than you considered.

But here are some problems that I see:

1) How well can these DDoS mitigation services actually prevent the super-massive attacks?

By all accounts, MANY providers have been fending off these attacks on a constant basis.

When it comes to the super-massive attack (imagine Charlie Sheen's reaction if you rear-end his car) it may be that these DDoS mitigation services add little or nothing.

2) If a VoIPP publicizes that it is using a DDoS mitigation service, it becomes more of a target.

3) If a VoIPP keeps it confidential to avoid becoming more of a target and to enhance the safety of their security program, then customers won't know to preferentially choose them. And the VoIPP will suffer as competitors will charge less.

These problems can be surmounted, I am just saying that it is difficult.

------------------------------

I bet that in upcoming months some providers may offer more options of service, security, and support levels. It's a natural evolution.

Arne Bolen
User of Anveo Direct, 3CX and Qubes OS.
Premium Member
join:2009-06-21
Utopia

to borntochill
said by borntochill:

said by Arne Bolen:

said by borntochill:

For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

Would be difficult to offer free calls between customers and low price to/from PSTN.

Do you know that for sure, or is that a guess?

50,000 free riders paying $0.00 extra gives the enormous extra revenue of zero. I'm sure Verisign will be happy to accept that large amount as payment for their services.

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

said by Arne Bolen:

50,000 free riders paying $0.00 extra gives the enormous extra revenue of zero. I'm sure Verisign will be happy to accept that large amount as payment for their services.

 
Put lots of trailing zeroes after the decimal point.

THAT'll impress 'em !

Arne Bolen
User of Anveo Direct, 3CX and Qubes OS.
Premium Member
join:2009-06-21
Utopia

said by Davesnothere:

said by Arne Bolen:

50,000 free riders paying $0.00 extra gives the enormous extra revenue of zero. I'm sure Verisign will be happy to accept that large amount as payment for their services.

 
Put lots of trailing zeroes after the decimal point.

THAT'll impress 'em !

You are right. The whopping high amount is:
$0.0000000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000

Verisign will give their best service for such a large amount...
borntochill
join:2003-02-09
united state

to PX Eliezer704
Those are all good points and good questions, ones unlikely to occupy much mental space for most residential VoIP end-users looking for a dial tone on the cheap (or for free). However, they preoccupy those of us who must put out fires for others when things go south. I have a colleague in a Fortune 500 enterprise who I think has been directly involved in DDoS preparedness and I'll bend his ear next time I see him.

In this forum there are frequent posts touting the importance of DNS SRV bypass in choosing a VSP and I do not doubt its value. However, I've set up the majority of my clients on a VSP without it and in the year-and-a-half with that outfit, there's been under a handful of hours of reported issues with the server they're on and, more importantly, zero perceived outages from my clients' perspective. Conversely, I put one client on CallCentric because of their stellar reputation for uptime and DNS SRV bypass support, and then ironically experienced this multi-day outage. I intend no criticism of CallCentric in mentioning this. The same attack could just as easily happen to any of their competitors, and already has to a few.

What I'm saying is that the spate of sophisticated DDoS attacks against VSPs and their serious impact on end users leave me more inclined to prioritize DDoS protection than, say, DNS SRV. I acknowledge the dilemmas you mention about how, and how much, information providers should share about DDoS defenses, but we need some ability to evaluate the relative investment in DDoS preparedness among VSPs all the same.