nanog mailing list archives
RE: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours
From: Drew Weaver <drew.weaver () thenap com>
Date: Mon, 20 Jul 2015 16:12:18 +0000
Ah, alright. I've seen the "general" amplification attacks, SNMP/DNS/NTP/you name it, plenty, but this is the first one I've ever seen that targeted 1720/5060, and as it's mitigated in one place it keeps moving from dst to dst fairly rapidly until none of the dst IPs are available.

-----Original Message-----
From: Jared Mauch [mailto:jared () puck nether net]
Sent: Monday, July 20, 2015 12:06 PM
To: Drew Weaver <drew.weaver () thenap com>
Cc: nanog () nanog org
Subject: Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

I’m sure this is just the extension of all the UDP amplification attacks that are ongoing.

My experience is that 1720/CUCM should not be connected to a public network as those devices are often not well maintained or patched.

If it’s of value I can look at adding this to the set of things that are enumerated as part of the general UDP amplification problems that we continue to face due to the lack of SAV.

- Jared

On Jul 20, 2015, at 11:57 AM, Drew Weaver <drew.weaver () thenap com> wrote:

Has anyone else seen a massive amount of illegitimate UDP 1720 traffic coming from China being sent towards IP addresses which provide VoIP services?

I'm talking in the 20-30Gbps range?

The first incident was yesterday at around 13:00 EST, the second incident was today at 09:00 EST.

I'm assuming this is just another DDoS like all others, but I would be interested to hear if I am not the only one seeing this.

On list or off-list is fine.

Thanks,
-Drew