VoIP industry attacks

rubberducky
Aug 30, 2017
I know this has been going on for a while now, but I'm a latecomer to this party.
So what I've been suffering from over here is twofold:
Massive DDoS attacks that overwhelm our fail2ban, causing mass deregs.
Non-stop call floods.

What are some of the ways to counter these issues?

Adrian Fretwell
Aug 13, 2017
The Federation of Communications Services (UK based) put a bulletin out about this a few weeks ago. If you are a member they have offered to look at logs etc with a view to getting the attackers closed down.

DDoS can be tricky to deal with, especially if you are on the end of a limited-bandwidth circuit. Most people can only firewall at their end of the circuit, so even if fail2ban blocks the attack, your circuit bandwidth is still consumed by inbound packets. Your service provider may be able to block at their end and thus protect your bandwidth; most good ones do.

bcmike
Jun 7, 2018
If you're small (as in you don't have your own blocks), you are going to have to rely on your upstream provider to head off most of the volumetric stuff. If practical, you may also want to switch to a deny-all posture and only allow a whitelist of known clients, although this is easier said than done in most cases. Another tactic might be to employ geo-blocking, as in block everything from certain geographic locations that you know you are not serving.

Fail2ban can become CPU-intensive if it's getting slammed, but a few well-crafted iptables rules might help, as iptables is more efficient.

I'm not an expert, just my .02

Jul 15, 2021
Change your default port for a starter. As an experiment, I ran a server on an obscure IP which has no domain registration, on random ports, and exposed only TLS: no one tried to connect. As soon as I switched it to run on the default port with TCP/UDP, I could see IPs from Hong Kong, registered to an East European VoIP consultancy, trying to place calls randomly.

Adrian Fretwell
Aug 13, 2017
@fusionpbxnoaudio I do agree with you: an obscure port does reduce the number of attempted connections; in fact, just switching to TCP can make a difference. However, I have never been a fan of "security by obfuscation"; some malicious entity will find you eventually!

I employ a tactic similar to @bcmike's on my direct SIP platform: using iptables, I allow a maximum of 10 packets within a given time period; after that the IP is blocked unless an accept rule is added as a consequence of a successful registration.
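The following script is an added example written for this page; it is not code posted by Adrian, bcmike or anyone else in the thread, and it is not part of FusionPBX. It turns the two tactics above (bcmike's deny-all posture with a whitelist and geo-block, and Adrian's "10 packets per window, then blocked unless the source has registered") into iptables rules that do the counting in the kernel instead of in fail2ban. Everything beyond what the posts say is an assumption: the set names `sip_allow` and `sip_block`, the 60-second window, the one-hour whitelist expiry, the chain name `SIP_IN`, the `apply` argument, and the `allow_registered` hook, which something on your system (a PBX event script or a log watcher) would have to call after a successful REGISTER.

```shell
#!/bin/sh
# Added example, not from the thread. Rate-limits SIP per source address with
# the iptables "recent" match: any unknown source may send at most MAX_PKTS
# packets per WINDOW seconds; the next packet (and every packet after it) is
# dropped until the source has been quiet for WINDOW seconds, unless the
# address was added to the sip_allow set after a successful registration.
#
# Dry run (prints the commands instead of executing them):
#   IPT="echo iptables" IPSET="echo ipset" sh sip-guard.sh apply
# Real run, as root:
#   sh sip-guard.sh apply

: "${IPT:=iptables}"      # set to "echo iptables" for a dry run
: "${IPSET:=ipset}"       # set to "echo ipset" for a dry run
: "${SIP_PORT:=5060}"     # change if you moved SIP off the default port
: "${WINDOW:=60}"         # seconds (assumed value)
: "${MAX_PKTS:=10}"       # packets allowed per window from an unknown source
: "${ALLOW_TTL:=3600}"    # seconds a registered address stays whitelisted

# sip_allow: addresses that registered successfully. Entries expire, so a
#            dynamic or hijacked address does not stay whitelisted forever.
# sip_block: networks you never serve; populate it yourself from whatever
#            country list you trust (the script does not fetch one).
setup_sets() {
    $IPSET create sip_allow hash:ip  timeout "$ALLOW_TTL" -exist
    $IPSET create sip_block hash:net -exist
}

apply_sip_rules() {
    setup_sets
    # Fresh chain each run; re-running the script must not duplicate rules.
    $IPT -N SIP_IN 2>/dev/null || $IPT -F SIP_IN
    for proto in udp tcp; do
        $IPT -D INPUT -p "$proto" --dport "$SIP_PORT" -j SIP_IN 2>/dev/null || true
        $IPT -I INPUT -p "$proto" --dport "$SIP_PORT" -j SIP_IN
    done
    # 1. Geo/deny list first: cheapest check, drops the bulk of the noise.
    $IPT -A SIP_IN -m set --match-set sip_block src -j DROP
    # 2. Registered endpoints bypass the limiter entirely.
    $IPT -A SIP_IN -m set --match-set sip_allow src -j ACCEPT
    # 3. Record every other source, then drop once it has sent more than
    #    MAX_PKTS packets within WINDOW. "--update" refreshes the timestamp
    #    on each hit, so a host that keeps flooding stays blocked; it is
    #    released only after WINDOW seconds of silence.
    $IPT -A SIP_IN -m recent --name sip_new --set
    $IPT -A SIP_IN -m recent --name sip_new --update \
        --seconds "$WINDOW" --hitcount "$((MAX_PKTS + 1))" -j DROP
    # 4. Everything still under the limit reaches the SIP stack.
    $IPT -A SIP_IN -j ACCEPT
}

# Hook for your registration-success path (assumed; the thread does not say
# how the accept rule gets added). MAX_PKTS leaves room for REGISTER, the
# 401 challenge and the authenticated retry before the limiter bites.
allow_registered() {
    $IPSET add sip_allow "$1" timeout "$ALLOW_TTL" -exist
}

# Manual ban/unban helpers for addresses or networks you never want to serve.
block_net() {
    $IPSET add sip_block "$1" -exist
}

if [ "${1:-}" = "apply" ]; then
    apply_sip_rules
fi
```

Keep in mind Adrian's earlier point: these rules only save CPU and keep the SIP stack clean; packets dropped here have already crossed your circuit, so volumetric floods still need your upstream provider to filter. The `recent` match keeps a fixed number of hits per source (20 by default, so MAX_PKTS above 19 needs the module's `ip_pkt_list_tot` parameter raised), and the whitelist only helps if something actually calls `allow_registered` when a phone authenticates.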