[asterisk-security] Asterisk and DoS attack: What has been done so far?
Kristian Kielhofner
kristian.kielhofner at gmail.com
Wed Jan 30 12:03:20 CST 2008
On Jan 30, 2008 10:10 AM, Jeremy Jackson <jerj at coplanar.net> wrote:
> Take a look at IKE, the Internet Key Exchange protocol used in IPSEC.
> It issues a challenge-response to weed out spoofed addresses. So, it
> has DDoS protection built in. Sadly, most legacy protocols don't. TCP
> has had RST and SYN cookies "hacked" into it, as well as MD5 preshared
> keys.
>
> The basic security flaw of the internet is the DDoS, a flood of packets
> with spoofed source addresses. I don't know of any backbone networks
> which do ingress filtering, so most of the time you need to take the
> approach of IPSEC. If your connection is filled up by the resulting
> traffic, well then you're out of luck.
>
> It is possible to mitigate a DDoS flood from "the internet", if your
> network (Autonomous System) has some non-transit peers, such as private
> peering, or public peering at an internet exchange. Your network (or
> preferably your peer's) can do address filtering, such that spoofed
> addresses are minimized. You can then prioritize those peers/networks
> such that a flood from "the internet" will only cut off traffic from
> "the internet", and your peer networks with the hightened security
> (ingress filtering) can enjoy un-interrupted VOIP (and other services).
>
> To be clear, I believe the DDoS issues can only be addressed at the
> Autonomous System level, which is typically an ISP or large hosting
> company.
>
> Regards,
>
> Jeremy
>
Jeremy,
Most carriers that provide you with a BGP session can provide this
service. Some do for free, some do for fee. When setting up BGP with
Cogent, for example, you can opt-in (for free) to create a second BGP
session to a blackhole server. You can advertise /32s to that server
and have traffic to it blackholed at Cogent's backbone. Apparently at
least Verizon Biz (old MCI/UUNET) also provides this for a fee
(probably with to/from AS/IP/etc matching). With a service like this,
enough upstream carriers, and some stupid BGP tricks (AS Path
prepending, setting communities, etc) you can make it through most
DDoS/DoS attacks. Then again if it is big or sophisticated enough
nothing short of a massive CDN (Akamai, etc) will help you. I don't
think they do VoIP yet ;)...
After all - even with all the application intelligence, packet
filtering, etc, in most cases by the time you get the packet to
evaluate it, it's too late - it's already been sent and used your
resources (bandwidth, CPU, etc). Now all you can do is chose how to
respond to it (if at all).
There has been some discussion on NANOG about this over the last few
days. Well worth the read.
--
Kristian Kielhofner
More information about the asterisk-security
mailing list