nanog mailing list archives

RE: [EXTERNAL] VoIP Provider DDoSes


From: Brian Turnbow via NANOG <nanog () nanog org>
Date: Wed, 22 Sep 2021 07:58:25 +0000

Hi

Something you may want to consider is to put ACLs as far upstream as possible from your SBCs and only allow through 
what you need to the SBCs.  For example, apply a filter only permitting UDP 5060 and your RTP port range to your SBCs 
and then blocking everything else.  This is free and should stop a lot of common DDoS attacks before they ever get to 
your SBCs.  Even better if you can get your upstream ISP to apply the ACL.  DDoS attack traffic should be dropped as 
close to the source as possible.

Yes, attacks on VoIP have become more prevalent, unfortunately.
Another thing to consider is blocking fragments, which have been a major factor in the attacks I have seen in SIP.
But to do this you need to make sure that you are not exceeding MTU length in INVITEs, or block fragments only from 
untrusted IPs.

Brian
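
The filter policy discussed in this message, modelled as an added example that is not part of the original post or any vendor's ACL syntax: permit only UDP 5060 and an RTP range to the SBC, and drop fragments unless the source is a trusted peer. The SBC address, trusted prefix, RTP range and the helper `ipv4_udp` are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumed values for illustration; none of these come from the thread.
SBC = ipaddress.ip_address("192.0.2.10")             # documentation address
TRUSTED = [ipaddress.ip_network("198.51.100.0/24")]  # known SIP peers
SIP_PORT = 5060
RTP_PORTS = range(16384, 32768)                      # hypothetical RTP range


def classify(packet: bytes) -> str:
    """Return 'permit' or 'drop' for a raw IPv4 packet arriving upstream of the SBC."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if len(packet) < 20 or packet[0] >> 4 != 4 or ihl < 20:
        return "drop"
    flags_frag, = struct.unpack("!H", packet[6:8])
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    if dst != SBC or packet[9] != 17:      # only UDP to the SBC is considered
        return "drop"
    more_fragments = bool(flags_frag & 0x2000)
    offset = flags_frag & 0x1FFF           # in 8-byte units
    trusted = any(src in net for net in TRUSTED)
    if (more_fragments or offset) and not trusted:
        return "drop"                      # fragments only from trusted peers
    if offset:
        # Non-initial fragments carry no UDP header, so no port can be
        # matched; the source address is the only usable decision key.
        return "permit"
    if len(packet) < ihl + 8:
        return "drop"
    dport, = struct.unpack("!H", packet[ihl + 2:ihl + 4])
    return "permit" if dport == SIP_PORT or dport in RTP_PORTS else "drop"


def ipv4_udp(src, dst, dport, mf=False, offset=0, payload=b"x" * 32):
    """Build a constructed sample packet (checksums are zero and not validated)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) if offset == 0 else b""
    body = udp + payload
    flags_frag = (0x2000 if mf else 0) | offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 1, flags_frag, 64, 17, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + body
```
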
