Topic 'Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?' in forum 'VOIP Tech Chat' - dslreports.com

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Wed, 28 Nov 2012 01:30:21 EDT

Davesnothere posted :
So based on all of THAT :

DoS is when the waiter cuts you off after you've had enough to drink.

And DDoS is when ALL of the waiters in ALL of the bars won't serve you anymore that night, because they tweet each other about who's been cut off.

:D

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Tue, 27 Nov 2012 18:00:48 EDT

PX Eliezer posted :

said by nonymous:

So which voip providers are giving away free beer? Plus what brands and quality of beer? ;)

Local-Foam has the cheap stuff, a penny an ounce.

Magic-AppleJack has a low annual rate for all the moonshine you can drink, and worth every penny you've paid.

Fall With Us has a very potent product at a good price, but is not for beginners.

"Amtel" POTS has Amstel in a pot.

Voip.MS has Canadian Molson (the MS is for MolSon).

Future Two (often called F2) has "Dos Equis".

CallCentric of course has Clamato Chelada.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Tue, 27 Nov 2012 17:08:11 EDT

nonymous posted :

said by steelman:

Regarding the free part, please treat 'freely' as in freedom of use, not as in free beer,

Too late my limited mind has already seen only the free beer in the sentence. So which voip providers are giving away free beer? Plus what brands and quality of beer? ;)

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Tue, 27 Nov 2012 15:58:55 EDT

pquesinb posted : Interesting.... not a bad-looking website but it's kind of slow so you might want to look into a faster web host.

I'm curious, what platform are you using for call routing? An open-source offering like Asterisk or FreeSWITCH or are you using a commercial offering? How long have you been using/working with this platform?

I can sort of relate to where you are, my background is similar although it includes hardware design (not particularly relevant to providing VoIP services) in addition to software (mostly firmware) development, a lot of network/IT and telecom. I started using VoIP in my own business for a few years and then began hosting business telephone services for a few select clients. I've been providing services for others for about a year now and am still learning. I've learned a lot in the past year, so much in fact that I see certain things much more clearly than before. One of the things that has become incredibly clear as a result of this knowledge that I have attained is that I still have much to learn.

I can tell you that hosting for other businesses is far different than providing service for your own business, especially when it comes to serving remote endpoints behind NAT firewalls and attempting to avoid proxying/"tromboning" media across your network by sending it directly between endpoints and/or between endpoints and the PSTN. There are numerous other goodies in store, as well.

As a result, I've held off launching any sort of website offering VoIP services so far, at least until I feel worthy. When I feel worthy, I'll probably have my head examined.

Don't get me wrong, I don't know where you are experience-wise and in launching your service and I'm certainly not trying to discourage you, I just thought I'd share my experience so far. I wish you luck.

It's not as easy as it looks.

- Phil

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Tue, 27 Nov 2012 11:59:41 EDT

steelman posted : There's plans to make the website »www.freelycall.com/ much better, but for now, a stable and redundant solution is the priority. I'm willing to give a month worth of try-outs for the US unlimited plan for early bird subscribers in return of feedback :)

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Tue, 27 Nov 2012 11:53:21 EDT

steelman posted : The difference between what I'm proposing and a publicly licensed and registered company is that the service is still young and I can shape it based on the feedback I will get. I do come from a software and telco background, and have been using and learning VoIP for some good time. Yes, no SLAs yet, but for instance, I'm developing a redundant solution hosted in 5 countries around the globe (currently targetting: Turkey, Germany, UK, US, Canada), so that if a hurricane hits the US coast or power breaks down in Vancouver data center, the service would not go down, taking advantage of DNS SRV, and a DNS server which I fully control.
Regarding the free part, please treat 'freely' as in freedom of use, not as in free beer, except for free internal calls, DIDs and conferencing. I do need though funds to be able to terminate calls around the world, and I believe that when doing something worthy, money is not the main issue. People who just want a free service can use google voice, which works pretty nice, but when you want to have more features (built-in faxing, byod, resellers, n-way conferencing, custom codecs, cheap rates, phone support, worldwide DIDs), you would be OK to pay for it.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Tue, 27 Nov 2012 10:34:44 EDT

PX Eliezer posted : You [do] have a pretty website though, and it is dated 2012.

That will impress some people. :hmm:

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Tue, 27 Nov 2012 10:31:09 EDT

PX Eliezer posted :

said by steelman:

Additionally, there's no proof that these issues won't reoccur....

....Since many of my colleagues are around the world, I can freely call internally, and register with ipkall for free DIDs, so that people from other networks can call me....

I made my service publicly accessible too....

So rather than trust CallCentric or another publicly licensed and registered company, the public should trust the combination of [anonymous you] and [IPKall]?!

And your "freely call" service is certainly far from free for PSTN calls, I see that you charge $ 20 a month for US/Canadian calling.
»www.freelycall.com/products-page···limited/

said by steelman:

Additionally, there's no proof that these issues won't reoccur....

OK. What is YOUR backup plan and SLA?

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Tue, 27 Nov 2012 09:56:10 EDT

steelman posted : My business couldn't wait for callcentric issue to be solved.
Additionally, there's no proof that these issues won't reoccur. However, that helped me in making an important decision. Running my own SIP server. Since many of my colleagues are around the world, I can freely call internally, and register with ipkall for free DIDs, so that people from other networks can call me. I made my service publicly accessible too

»www.freelycall.com/
Snapped 2012-11-27 09:54:40

so hopefully more users will find it useful in the future.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Sun, 28 Oct 2012 12:15:00 EDT

hszeto posted : Instead of counting on a single or two VSP(s), we employ diversification strategy. We have utilized VoIP especially those free offers for business for more than a decade. We always give customers more than one DID, have simultaneously ringing both IP phones and mobile phones either by Voxox or Google Voice. Some DIDs are registered to server while others are forwarded via SIP URI or forward via iNum. As a result, we virtually do not have complete outage. After all the cost just for mobile phones, and we are moving to republic wireless now to further utilize VoIP and minimize mobile phone toll.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Thu, 18 Oct 2012 02:22:16 EDT

Davesworld posted : Multiple servers set for a provider only work if the provider has different domained servers to enter into the blanks and each domain points to a different server (they don't have to). This is for failover. For example, voip.ms's seattle server goes down and my connection picks up the la server upon registration failure since I have it set to use la as the second choice. It also helps if your equipment has the homing feature where the first choice is homed back to when it is available again unless you don't care which is used.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Thu, 18 Oct 2012 00:43:27 EDT

Davesnothere posted :
Somebody posted a day or two ago - not sure exactly where, prob'ly in the omnibus CallCentric thread - that some or all OBI ATAs let you specify multiple SIP servers for each VoIP provider, and gave examples of how - apparently it's explained in the OBI user manuals.

It got me to thinking....

If every VoIP USER were to get an OBI ATA and use that feature rather than DNS SRV (where the DNS SERVER record automatically moves you to an alternate SIP server), would that make it more difficult for an attacker to overload a SIP server, since the specified server would then not necessarily be sending its excess load to the next server in the farm ?

It would seem to be an alternate and less vulnerable way to make a provider's multiple SIP servers failover to each other, but controlled by each legitimate USER's ATA, rather than by functionality which may (e.g. CallCentric, Anveo) or may not (e.g. VOIP.MS) be available at the provider's end of things.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Fri, 12 Oct 2012 16:46:25 EDT

VexorgTR posted : I wonder if the name BeeThink has anything to do with the Honeypot concept for server security.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Fri, 12 Oct 2012 15:45:01 EDT

pquesinb posted :

said by Trimline:

said by OZO:

said by pquesinb:

Fail2Ban is a good way of mitigating such attacks w/FS

Not if you use FS on Windows platform (like e.g. I do).

I use, and recommend Bee Think IP blocker on Windows. You can create your white list and sleep soundly. This really works well. More info here : »www.beethink.com/

Hadn't heard of that one but it sounds good. Peerguardian 2 and PeerBlock are FOSS IP-blocking programs.

- Phil

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Fri, 12 Oct 2012 11:27:22 EDT

Trimline posted :

said by OZO:

said by pquesinb:

Fail2Ban is a good way of mitigating such attacks w/FS

Not if you use FS on Windows platform (like e.g. I do).

I use, and recommend Bee Think IP blocker on Windows. You can create your white list and sleep soundly. This really works well. More info here : »www.beethink.com/

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Thu, 11 Oct 2012 17:49:59 EDT

OZO posted :

said by pquesinb:

Fail2Ban is a good way of mitigating such attacks w/FS

Not if you use FS on Windows platform (like e.g. I do).

Of course one must also keep in mind that these are volunteers and we're not paying them to work on the free software they're providing. Still, decent documentation doesn't really seem like too much to ask if they're truly serious about the project... especially if they don't want to answer questions about it.

I've seen many, many free projects that don't exhibit that problem. This case is a big exception in my experience though... And I completely agree with you. Any common sense dictates that if you don't want to answer simple questions coming again and again form different people (many could be new to this project) - make simple answers in help pages and don't be rude, when you see someone try to ask it nevertheless... We all are people, you know...

Getting back to the issue of DDoS attacks, when the scanners like SipVicious or botnets, etc. are making registration attempts, do most of the SIP servers like FS close the network connection on an unsuccessful attempt (send an RST, etc.), forcing the scanner to open a new connection with each attempt or are they able to just keep scanning without re-opening the connection each time?

Usually SIP communications are made using UTP (connectionless protocol). But in any case, it's obvious if the same host tries to register many different users during a limited time, it should signal an attack. Stop responding for a couple of minutes. If then it tries do to the same - just block it and log the offending host for further investigation... It's very simple, but nevertheless extremely effective approach.

If the servers dump the connection on each failed attempt, that would make it much easier to deal with the attack from the firewall side, by implementing rate limiting and blacklisting after so many failed attempts per second, minute, etc.

Agree with you. The only problem here, developers should realize that it is security problem and not point on users - "it's your problem, not ours..." and ignore it all.
--
Keep it simple, it'll become complex by itself...

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Thu, 11 Oct 2012 15:42:47 EDT

pquesinb posted :

said by OZO:

One more thing to add here:

I think susceptibility to DDoS attacks depends on the software used and overall design structure deployed.

From small personal experience of running FreeSWITCH under DDoS I may assure you that FS is not prepared for reacting on DDoS at all. When I pointed that out to FS developers, I was faced back with arrogance - "it's your problem, not ours. Use system provided protection mechanisms if you need to do the job"...

Fail2Ban is a good way of mitigating such attacks w/FS but I have to agree with you overall. I'm really excited about the potential of FreeSWITCH but it's getting harder and harder to get help on their forum with even relatively simple issues or questions about things which are documented poorly, or not at all. I'm seeing more and more folks with seemingly worthwhile questions just being ignored, especially when it relates to functionality that would be relatively easy to implement and extremely helpful to many but that the developers just don't feel like adding in. Your experience seems to confirm that observation.

Of course one must also keep in mind that these are volunteers and we're not paying them to work on the free software they're providing. Still, decent documentation doesn't really seem like too much to ask if they're truly serious about the project... especially if they don't want to answer questions about it.

Getting back to the issue of DDoS attacks, when the scanners like SipVicious or botnets, etc. are making registration attempts, do most of the SIP servers like FS close the network connection on an unsuccessful attempt (send an RST, etc.), forcing the scanner to open a new connection with each attempt or are they able to just keep scanning without re-opening the connection each time?

If the servers dump the connection on each failed attempt, that would make it much easier to deal with the attack from the firewall side, by implementing rate limiting and blacklisting after so many failed attempts per second, minute, etc.

- Phil

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Thu, 11 Oct 2012 14:14:57 EDT

VexorgTR posted : Thanks for the info... sometimes this stuff can feel like...

tl;dr but I'll try and get through it all when i have a moment.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Thu, 11 Oct 2012 07:36:24 EDT

Arne Bolen posted :

said by »www.sipoutbound.com/faq#what-is-···-and-rtp :

SIP (Session Initiation Protocol) handles the signaling part of a communication over the Internet and helps in establishing calls between end-users. RTP (Real Time Protocol), at the other hand, carries multimedia packets (audio, video, instant messaging...) being transferred between calling parties once the call is established.

SIP and RTP together to allow VoIP calls to take place. In general, SIP signaling involves an intermediate agent called SIP Proxy – a server reachable on a public address – which knows both parties locations and helps them to find one another, while RTP packets are meant to travel either directly between the two calling agents or via a media proxy.

said by »www.sipoutbound.com/faq#what-is-···nd-proxy :

A SIP Outbound Proxy acts, like any proxy server, as a middleman between two communicating agents, serving as a transit point for all SIP traffic. You configure your SIP client to use the SIP Outbound Proxy server just as you would configure your web browser to use a proxy. Listening on an unblocked port number and forwarding requests between your SIP client and your VoIP provider, it helps bypassing the restrictions imposed by your Internet provider.

said by »www.smartvox.co.uk/sipfaq_outbou···ined.htm :

Outbound Proxy Server
When you look at the configuration options on most IP phones, you will see a field called "Outbound Proxy" or "Outbound Proxy Server". In this field you can enter an IP address, a host.domain name or just a domain name (as long as it can be resolved to an IP address in DNS). It is an optional field, but if you enter a value then all future SIP requests get sent there in the first instance. If you leave it blank, then the routing of SIP requests will depend mainly on the SIP address given in the R-URI field of the request's header - see the section "what happens if an Outbound Proxy Server is not specified" below for details.

said by »www.smartvox.co.uk/sipfaq_outbou···ined.htm :

What is the function of a SIP Outbound Proxy Server?
When the IP phone makes an outbound call, it sends an INVITE request. If your IP phone is configured to use an outbound proxy server, then the INVITE is sent there. The request could be handled within that proxy server or be forwarded to another proxy server or gateway. The user credentials would normally be checked, especially if the call needs to break out onto the PSTN or incurs toll charges in any way.

On most IP phones, if a valid entry is given for the "outbound proxy server" field, then it causes every type of SIP request from the phone to be sent to that address (albeit this behaviour would only apply to one SIP account at a time on a multi-line phone). This would mean that even a REGISTER request that might otherwise have gone directly to the registrar server, would have to go via the outbound proxy server. In this case, the outbound proxy server would be able to block the request or forward it to the correct registrar server depending on its own internal rules. In this role, the outbound proxy server is acting as a centrally managed security barrier and, in combination with appropriate firewall rules, it could be given a role similar to that of a web proxy in a corporate network environment.

--
My VoIP News

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Thu, 11 Oct 2012 06:03:44 EDT

nitzan posted : Outbound proxy has nothing to do with audio proxying. :)

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Wed, 10 Oct 2012 21:44:34 EDT

VexorgTR posted : Ok, fair enough. I likely got it mixed up... some of my ATA's in my stash have an outbound proxy setting, some lack this setting entirely. Perhaps I'm just a bit fuzzy on what all the settings really mean.

Admittedly, my job is to put the settings the way the directions say to. :D

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Wed, 10 Oct 2012 20:51:43 EDT

OZO posted : Your ATA is a SIP client. And therefore it doesn't know / doesn't care if it's connected to a proxy RTP server or not. It simply gets IP:port for RTP stream from SDP part of every INVITE message that SIP server sends to it. SIP server is the manager, which organizes the way how to connect media streams, not the SIP client...
--
Keep it simple, it'll become complex by itself...

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Wed, 10 Oct 2012 20:33:28 EDT

VexorgTR posted : My ATA does not support Proxy audio.... yet it works with CallCentric. Thus, I would say your audio does not have to be using proxy.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Wed, 10 Oct 2012 16:17:28 EDT

gweidenh posted :

said by nitzan:

AFAIK CallCentric, as well as almost all large retail providers, proxy all audio. There are excellent business and technical reasons to do so, but I won't get into them here.

Please start a new thread and list off some of the key reasons. I for one avoid providers that proxy the audio.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Wed, 10 Oct 2012 16:06:32 EDT

nitzan posted :

said by OZO:

I guess (and it's just a guess here) - direct media mode (when RTP stream goes directly between customers and not through VSP servers) may mitigate the problem. Especially for SIP-SIP communications (which will eventually replace the old POTS lines). AFAIK, VoIP.ms doesn't provide it so far. Not sure about CallCentric though...

AFAIK CallCentric, as well as almost all large retail providers, proxy all audio. There are excellent business and technical reasons to do so, but I won't get into them here.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Wed, 10 Oct 2012 15:18:25 EDT

willcarter posted : This callcentric attack has caused severe down time for many of my close competitors/friends. I just today have joined some new forums to find out what others are doing and how susceptible my provider is to a DDos attack. I use Flowroute due to the influx of LNPs I originally needed to import. If you have not checked out their service do so before jumping into a new provider.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Wed, 10 Oct 2012 01:42:40 EDT

OZO posted : Thanks for sharing that example. It just shows that some development teams want to improve their product, while others have obvious attitude problems, that makes them blind to any suggestions... The latter I saw a lot with FreeSWITCH development. They keep old bugs opened indefinitely without any attempt to fix... not to mention implementing new functions, that will benefit everyone.

Security of the SIP switch (always opened to public access) is very serious issue to ignore...

So, I'd suggest, look at SIP messages sent by your VSP and particularly at its "User-Agent" line and if it says "FreeSWITCH" don't be surprised if at some point of time it will go down and you'll not have any service at all due to some DDoS attack... (which could happen at any time, BTW).
--
Keep it simple, it'll become complex by itself...

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Wed, 10 Oct 2012 01:24:10 EDT

VexorgTR posted : Having CC forward calls to a DID of some sort, Mobile or Other VOIP carrier worked just fine.

Again, I did all my forwarding to DID's.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Wed, 10 Oct 2012 01:12:58 EDT

tanzam75 posted :

said by OZO:

When I pointed that out to FS developers, I was faced back with arrogance - "it's your problem, not ours. Use system provided protection mechanisms if you need to do the job". But I think they're dead wrong. FS can easily recognize the beginning of the attack by a simple analysis of the SIP incoming traffic...

Your suggestion sounds like the approach that 3cx takes:

quote:
»www.3cx.com/blog/voip-articles/3···-attack/

3CX Premium Partner, Charles Ambrosecchia of Sigma Networks, reports that their Network Operations Center was the subject of an intense attack from an IP Address inside Germany for 17 continuous hours, with data rates peaking at over 5Mbps to a single 3CX Phone System installation.

Charles stated that 3CX Phone System performed admirably by rejecting the initial attempts at registration with incorrect forged credentials (essentially a brute force attack). Shortly thereafter, 3CX Phone System automatically classified the source of the attack as a potentially malignant entity and added it to its dynamic blacklist.

3cx is a commercial company. So they have a direct monetary incentive to solve their users' practical problems, rather than to be arrogant about it and treat it as an abstract problem.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Mon, 08 Oct 2012 17:35:00 EDT

OZO posted : One more thing to add here:

I think susceptibility to DDoS attacks depends on the software used and overall design structure deployed.

From small personal experience of running FreeSWITCH under DDoS I may assure you that FS is not prepared for reacting on DDoS at all. When I pointed that out to FS developers, I was faced back with arrogance - "it's your problem, not ours. Use system provided protection mechanisms if you need to do the job". But I think they're dead wrong. FS can easily recognize the beginning of the attack by a simple analysis of the SIP incoming traffic... Example? Common SIP clients don't try to send REGISTER requests with 50 different names changed alphabetically within 1 sec. There are obvious patterns of attacks, that SIP server could recognize almost immediately and stop responding to them, ... if they are designed with that problem in mind. In my case, FS tried to reply to all requests and eventually put the whole server down after depleting its system memory during several hours of hard (and completely unnecessary) work.

Which SIP server is used by CallCentric? I hope it's not FreeSWITCH.
How are they prepared to that event and what do they particularly do to mitigate that?
--
Keep it simple, it'll become complex by itself...

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Mon, 08 Oct 2012 16:51:21 EDT

OZO posted : I guess (and it's just a guess here) - direct media mode (when RTP stream goes directly between customers and not through VSP servers) may mitigate the problem. Especially for SIP-SIP communications (which will eventually replace the old POTS lines). AFAIK, VoIP.ms doesn't provide it so far. Not sure about CallCentric though...
--
Keep it simple, it'll become complex by itself...

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Mon, 08 Oct 2012 16:28:55 EDT

grand total posted :

said by engineerdan:

Callcentric's FAQ (here and pasted below for your reference) indicates that the recipient of the SIP URI forward needs to permit traffic on ports 5060-5080, not just 5010. Might that have something to do with it?

NOTE: In general ports 5060-5080 should be allowed in order to properly communicate with the Callcentric servers. Users experiencing audio issues may want to check that RTP audio is not blocked by their firewall configuration.

Callcentric does not care what port I forward to, but that port should be expecting SIP traffic. In Anveo's case port 5010 definitely is open and expecting SIP traffic.

You seem unable to accept that SIP URI forwarding did not work, but I can assure you it did not. (I have not tried today, and won't until all this mess is fixed).
--
DPC3825 - WRT610N - Panasonic KX-TGP500 - Asterisk 1.8.11.0 with Asterisk GUI on Virtual Server
Anveo - Voxbeam - Localphone - Numbergroup - Callcentric - VoIP.MS - UKDDI

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Mon, 08 Oct 2012 14:11:58 EDT

engineerdan posted :

said by grand total:

No problem. I forwarded to another SIP server with an open port 5010 (Anveo). Calls were not being forwarded.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Mon, 08 Oct 2012 11:04:23 EDT

garys_2k posted : As of last night that didn't work for me. My next step would have been to try SIP forwarding, but per grand total's experience, there was no guarantee that would work, either.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Mon, 08 Oct 2012 10:47:34 EDT

Trimline posted :

said by grand total:

said by engineerdan:

said by grand total:

I tried to reroute calls to another SIP URI, but testing showed that the calls were not being forwarded. I don't think I was alone in that.

Without meaning to sound argumentative, you may wish to double check your initial findings.

No problem. I forwarded to another SIP server with an open port 5010 (Anveo). Calls were not being forwarded.

Try forwarding to a DID directly. I just tried, and it seemed to work. Let us know your results.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Mon, 08 Oct 2012 10:37:40 EDT

garys_2k posted :

said by grand total:

said by engineerdan:

said by grand total:

I tried to reroute calls to another SIP URI, but testing showed that the calls were not being forwarded. I don't think I was alone in that.

Without meaning to sound argumentative, you may wish to double check your initial findings.

No problem. I forwarded to another SIP server with an open port 5010 (Anveo). Calls were not being forwarded.

That was exactly what I was hoping to try last night (sip forward to Anveo) but went to bed, instead. I guess it wouldn't have been successful, then.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Mon, 08 Oct 2012 10:23:31 EDT

grand total posted :

said by engineerdan:

said by grand total:

I tried to reroute calls to another SIP URI, but testing showed that the calls were not being forwarded. I don't think I was alone in that.

Without meaning to sound argumentative, you may wish to double check your initial findings.

No problem. I forwarded to another SIP server with an open port 5010 (Anveo). Calls were not being forwarded.
--
DPC3825 - WRT610N - Panasonic KX-TGP500 - Asterisk 1.8.11.0 with Asterisk GUI on Virtual Server
Anveo - Voxbeam - Localphone - Numbergroup - Callcentric - VoIP.MS - UKDDI

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Mon, 08 Oct 2012 10:05:44 EDT

Trimline posted :

said by engineerdan:

said by grand total:

I tried to reroute calls to another SIP URI, but testing showed that the calls were not being forwarded. I don't think I was alone in that.

Without meaning to sound argumentative, you may wish to double check your initial findings.

Our effort to reroute calls for thirteen different DIDs under six different Callcentric accounts was ultimately 100% successful. However, it didn't work at first try.

Without successful SIP registrations, SIP traffic from Callcentric was initially being blocked by our firewall, as it had been programmed to do. Until we opened ports 5060 and 5080 to UDP traffic from Callcentric's IP addresses, initial testing of SIP URI forwarding failed. The calls were being forwarded by Callcentric but being rejected by our equipment.

SIP URI forwarding worked yesterday, but is not today for me. The one call that did make it through had no audio, otherwise, dead air is heard on SIP forwarded calls. Sigh.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Mon, 08 Oct 2012 09:52:01 EDT

engineerdan posted :

said by grand total:

I tried to reroute calls to another SIP URI, but testing showed that the calls were not being forwarded. I don't think I was alone in that.

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Mon, 08 Oct 2012 08:57:28 EDT

grand total posted :

said by VexorgTR:

The Plus side is that CC wasn't totally smashed... the calls could be re-routed to mobile for the 2 days. Despite that it "Beat Up" CallCentric... it technically didn't take it out. The website, and the call routing worked the whole time.

I tried to reroute calls to another SIP URI, but testing showed that the calls were not being forwarded. I don't think I was alone in that. All attempts at outgoing calls failed too.

This was a massive attack and to pretend it was anything other than successful does not help anybody.
--
DPC3825 - WRT610N - Panasonic KX-TGP500 - Asterisk 1.8.11.0 with Asterisk GUI on Virtual Server
Anveo - Voxbeam - Localphone - Numbergroup - Callcentric - VoIP.MS - UKDDI

Re: DDoS Attacks, Is Any VoIPP Less Susceptable ?

Sun, 07 Oct 2012 23:07:36 EDT

VexorgTR posted : I think just about anyone could get "skunked" by a DDoS, provided that there's a big enough attack base.

The Plus side is that CC wasn't totally smashed... the calls could be re-routed to mobile for the 2 days. Despite that it "Beat Up" CallCentric... it technically didn't take it out. The website, and the call routing worked the whole time.

Re: DDOS Attacks - Is Any VoIPP More Immune ?

Sun, 07 Oct 2012 20:45:02 EDT

borntochill posted :

said by nitzan:

Thanks for the heads up. I hadn't more than quickly perused the CC outage thread so was unaware of this info.

All the same, it's helpful to know which VSPs are investing resources and being proactive in protecting their systems. Since there are DDoS vulnerabilities unique to VoIP, is there a working group sharing information to help providers stay up-to-date on the latest threats, and, if so, who is actively participating?

This sort of information needn't be cloak-and-dagger.

Re: DDOS Attacks - Is Any VoIPP More Immune ?

Sun, 07 Oct 2012 20:20:46 EDT

nitzan posted :

said by nonymous:

said by borntochill:

There are effective mitigation systems against sophisticated DDoS attacks. For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

All that traffic still has to be dumped somewhere. So yes upstream filtering but your ISP may charge a ton if it saturates too much of even their stream.

You guys are thinking regular DDOS attacks - at least in this case it wasn't a regular attack. CallCentric's "pipes" haven't been clogged - it's the registration servers that became overloaded. This has nothing to do with bandwidth or lack thereof.

The only ways to mitigate this attack are to deploy more secure code and/or deploy more/bigger registration servers. To put it to an example, lets say you have a registration server big enough to handle 1000 registrations a second - if a few servers send 10000 requests a second at it it'll choke - but it's relatively easy to fix by just blocking them. But if 600,000 servers (botnet) send one request a minute the effect is the same, yet incredibly hard to block. There are other ways to make this even harder to block, but I don't want to give the bad guys more ideas.

So bottom line: bigger servers + better code = less susceptible to registrar DDOS.

Re: DDOS Attacks - Is Any VoIPP More Immune ?

Sun, 07 Oct 2012 19:43:31 EDT

borntochill posted : Those are all good points and good questions, ones unlikely to occupy much mental space for most residential VoIP end-users looking for a dial tone on the cheep (or for free). However, they preoccupy those of us who must put out fires for others when things go south. I have a colleague in a fortune 500 enterprise who I think has been directly involved in DDoS preparedness and I'll bend his ear next time I see him.

In this forum there are frequent posts touting the importance of DNS SRV bypass in choosing a VSP and I do not doubt its value. However, I've set up the majority of my clients on a VSP without it and in the year-and-a-half with that outfit, there's been under a handful of hours of reported issues with the server they're on, more importantly, zero perceived outages from my clients' perspective. Conversely, I put one client on CallCentric because of their stellar reputation for uptime and DNS SRV bypass support, and then ironically experience this multi-day outage. I intend no criticism of CallCentric in mentioning this. The same attack could just as easily happen to any of their competitors, and already has to a few.

What I'm saying is that the spate of sophisticated DDoS attacks against VSPs and their serious impact on end users leave me more inclined to prioritize DDoS protection than, say, DNS SRV. I acknowledge the dilemmas you mention about how, and how much, information providers should share about DDos defenses, but we need some ability to evaluate the relative investment in DDoS preparedness among VSPs all the same.

Re: DDOS Attacks - Is Any VoIPP More Immune ?

Sun, 07 Oct 2012 17:11:13 EDT

Arne Bolen posted :

said by Davesnothere:

said by Arne Bolen:

50,000 free riders paying $0.00 extra gives the enormous extra revenue of zero. I'm sure Verisign will be happy to accept that large amount as payment for their services. :D :D :D

Put lots of trailing zeroes after the decimal point.

THAT'll impress 'em ! :p

said by Davesnothere:

said by Arne Bolen:

50,000 free riders paying $0.00 extra gives the enormous extra revenue of zero. I'm sure Verisign will be happy to accept that large amount as payment for their services. :D :D :D

Put lots of trailing zeroes after the decimal point.

THAT'll impress 'em ! :p

You are right. The whopping high amount is:
$0.0000000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000

Verisign will give their best service for such large amount... :D :D :D
--
My VoIP News

Re: DDOS Attacks - Is Any VoIPP More Immune ?

Sun, 07 Oct 2012 17:07:30 EDT

Davesnothere posted :

said by Arne Bolen:

50,000 free riders paying $0.00 extra gives the enormous extra revenue of zero. I'm sure Verisign will be happy to accept that large amount as payment for their services. :D :D :D

Put lots of trailing zeroes after the decimal point.

THAT'll impress 'em ! :p

Re: DDOS Attacks - Is Any VoIPP More Immune ?

Sun, 07 Oct 2012 17:05:10 EDT

Arne Bolen posted :

said by borntochill:

said by Arne Bolen:

said by borntochill:

For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.

Would be difficult to offer free calls between customers and low price to/from PSTN.

Do you know that for sure, or is that a guess?

50,000 free riders paying $0.00 extra gives the enormous extra revenue of zero. I'm sure Verisign will be happy to accept that large amount as payment for their services. :D :D :D
--
My VoIP News

Re: DDOS Attacks - Is Any VoIPP More Immune ?

Sun, 07 Oct 2012 16:57:41 EDT

PX Eliezer posted : You raise good points.

My understanding is that the costs are even higher than you considered.

But here are some problems that I see:

1) How well can these DDoS mitigation services actually prevent the super-massive attacks?

By all accounts, MANY providers have been fending off these attacks on a constant basis.

When it comes to the super-massive attack (imagine Charlie Sheen's reaction if you rear-end his car) it may be that these DDoS mitigation services add little or nothing.

2) If a VoIPP publicizes that it is using a DDoS mitigation service, it becomes more of a target.

3) If a VoIPP keeps it confidential to avoid becoming more of a target and to enhance the safety of their security program, then customers won't know to preferentially choose them. And the VoIPP will suffer as competitors will charge less.

These problems can be surmounted, I am just saying that it is difficult.

------------------------------

I bet that in upcoming months some providers may offer more options of service, security, and support levels. It's a natural evolution.

Re: DDOS Attacks - Is Any VoIPP More Immune ?

Sun, 07 Oct 2012 16:55:16 EDT

OmagicQ posted : We forget that this happens on POTS also, just that in those cases its all the people trying to make calls after a major disaster like an earthquake or something that ties up all the circuits.
--
...Who, What, When, Where, How... Why? Why Not?

Re: DDOS Attacks - Is Any VoIPP More Immune ?

Sun, 07 Oct 2012 16:20:51 EDT

borntochill posted :

said by Arne Bolen:

said by borntochill:

Would be difficult to offer free calls between customers and low price to/from PSTN.

Do you know that for sure, or is that a guess?

Let's suppose a VSP has 50,000 customers and it costs $50,000/year extra for a robust DDoS mitigation service. That's an extra $1/year per customer. Or let's go further and say it costs $600,000/year extra with the same number of customers. That's an extra $1/month per customer. And yes, I'm reaching for numbers myself, because I don't have personal experience deploying such systems. Regardless, if these numbers are in the ballpark, for my own clients I can say with some certainty that they'd be more than willing to pay either amount extra to not endure future protracted DDoS outages like the one that afflicted CallCentric. I can also say with some certainty that it will be difficult or impossible to persuade some of my clients to stay with any VSP that suffers more than one outage like this. It could be ruinous to their business. I'm glad I have backup providers, but it nevertheless requires my intervention.

said by Arne Bolen:

said by borntochill:

If certain VSPs have deployed more robust anti-DDoS measures, I'd like to hear from them here.

There are many such VSPs. ISPs offering voip probably use a closed network for SIP device registrations, thus more difficult to take out with DDoS.

I should have clarified: BYOD VSPs.