VoIP DDoS – Fail to Prepare…

By Simon Woodhead

There’s a scenario that has kept me awake at night for getting on a decade. Regular readers will know this because I’ve banged on and on about it. It underlies the scale and expense of our network, and explains what we’ve asked customers to do time and again. It is, of course, DDoS against VoIP infrastructure.

As you may have seen in the news or elsewhere, this scenario is playing out now with two UK VoIP providers (as Jocko – you may recall Jocko from the SimCon3 opening – would say) ‘getting some’! We’ve offered our support and we hold one of them in quite high regard. We wish them both well in addressing this, and we can probably all learn something from their status posts here and here.

Defending any volumetric attack requires bandwidth, shed-loads of bandwidth. We maintain hundreds of Gb/s of capacity at our edge, not because we process millions of concurrent calls, but because we need this head-room to sink an attack on-net. We’ve also spent a small fortune on DDoS mitigation equipment in the past (now retired), offered services and more recently retained services ensuring we have an escalation path. Yet, it still keeps me awake at night.

What I hope we have made clear to customers, and indeed to Ofcom, is that routing critical wholesale voice traffic over the public Internet is really dumb at many, many levels. Sure, it is possible and easy, but so is chainsawing off your own feet. Public internet (or transit) is generally where you’ll see the volume in a DDoS, but the more points of ingress you have, the more knobs you have to dial down. If you only have transit, you only have one pipe to fill and one knob to control it.

Instead, we strive to have as much traffic delivered directly into the network, ideally over private interconnect or public peering and only 10% of our traffic comes over what we’d call public internet or transit. That isn’t to say though that what we consider private is totally immune, e.g. where we have private peering with your co-lo or transit provider and another customer of theirs is attacked. There’s no substitute for a physical interconnect in multiple sites as we also described three years ago in our reference architecture.

We stand ready to ‘get some’ but have no way of knowing whether all the preparation will make a difference. There’s a good chance it won’t, because a volumetric DDoS is one thing, but a targeted attack against SIP infrastructure is altogether different, not least because attack traffic looks so much like legitimate traffic. 

In this circumstance we’ll do everything we can to mitigate on-net (as we have done in the past), invoke external mitigation specialists who’ve been on standby for years, and do everything we can to protect the network. Beyond this, we will protect the network by closing connectivity down from the outside in. This means that if you connect to us privately, are on-net, or use Simwood connectivity, you’ll be under the shell, as it were. If, on the other hand, you rely on the Internet to reach us at the wholesale level and haven’t heeded our warnings over the years, then you may see disruption; we think we’ve given ample warning.
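To make the “more ingress points, more knobs” argument and the “close down from the outside in” order concrete, here is an added example (not Simwood’s code, and not how their network actually implements it) that models the decision as a load-shedding policy. The ingress classes, their ordering, the ingress names, the traffic figures and the core capacity are all constructed for illustration; `shed_plan` dials down the outermost ingress first and only moves inward when that is not enough.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ingress classes ordered from "outside" (public transit, dialled down first)
# to "inside" (physical cross-connects, dialled down last).
# This ordering is an assumption made for the example.
INGRESS_ORDER = ("transit", "public_peering", "private_peering", "cross_connect")


@dataclass
class Ingress:
    name: str             # hypothetical label for the ingress point
    kind: str             # one of INGRESS_ORDER
    observed_mbps: float  # current inbound rate seen on this ingress


def shed_plan(ingresses: List[Ingress],
              core_capacity_mbps: float) -> Tuple[Dict[str, float], float]:
    """Return (allowed_mbps per ingress, remaining aggregate load).

    Walks the ingress classes from the outside in. While the aggregate inbound
    load exceeds what the core can sink, the outermost ingress is rate-limited
    by the amount of the excess, or closed entirely when it carries less than
    the excess, before the policy moves to the next class inward. Private
    interconnects are therefore the last thing touched.
    """
    for ing in ingresses:
        if ing.kind not in INGRESS_ORDER:
            raise ValueError(f"unknown ingress kind {ing.kind!r}")

    allowed = {ing.name: ing.observed_mbps for ing in ingresses}
    excess = sum(ing.observed_mbps for ing in ingresses) - core_capacity_mbps

    for kind in INGRESS_ORDER:
        if excess <= 0:
            break
        # Within a class, the largest contributor is dialled down first.
        for ing in sorted((i for i in ingresses if i.kind == kind),
                          key=lambda i: i.observed_mbps, reverse=True):
            if excess <= 0:
                break
            cut = min(excess, allowed[ing.name])
            allowed[ing.name] -= cut
            excess -= cut

    return allowed, sum(allowed.values())


# Constructed sample: four ingress points and a core able to sink 100 Gb/s.
SAMPLE_INGRESSES = [
    Ingress("transit_a", "transit", 60_000),
    Ingress("ixp_public", "public_peering", 50_000),
    Ingress("pni_colo", "private_peering", 20_000),
    Ingress("xc_customer", "cross_connect", 5_000),
]
CORE_CAPACITY_MBPS = 100_000

# Constructed comparison: the same aggregate load arriving over a single
# transit pipe. The only knob available is the one every customer shares.
SINGLE_PIPE = [Ingress("transit_only", "transit", 135_000)]

if __name__ == "__main__":
    for label, ingresses in (("multi-ingress", SAMPLE_INGRESSES),
                             ("transit-only", SINGLE_PIPE)):
        allowed, remaining = shed_plan(ingresses, CORE_CAPACITY_MBPS)
        print(f"{label}: allowed={allowed} remaining={remaining} Mb/s")
```

In the multi-ingress case only the transit port is rate-limited and every privately delivered customer keeps its full rate; in the transit-only case the single knob has to be turned down on legitimate and attack traffic alike, which is the situation the post is warning wholesale customers against.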

If this sounds pushy or unreasonable, please keep in mind that those who have said nothing and don’t tell you this, don’t do so because they’ve found the silver bullet in their years of preparation and non-investment. On the contrary, we know there are far softer targets than Simwood, they just haven’t told you about their position and planning because they don’t have any. They’ve found time and money to charge you surcharges though!

For those who choose to act, there is still time to organise cross-connects (we have LINX PI too so can have that patched same day) or private peering sessions. Please speak to our sales ninjas to organise.

Lastly, we do also have a plan B to try to help those who still refuse to help themselves, but please please don’t rely on it as an excuse to do nothing. If it works out, it’ll be communicated privately when required but we’re making no promises. In case it isn’t clear from this and past posts, we will always protect the network and those who have acted, first and foremost.

Stay safe and if you’re unlucky enough to be attacked, let us know and we’ll help where we can.