[asterisk-security] Asterisk and DoS attack: What has been done so far?

Jeremy Jackson jerj at coplanar.net
Wed Jan 30 12:51:21 CST 2008


On Wed, 2008-01-30 at 13:03 -0500, Kristian Kielhofner wrote:
> On Jan 30, 2008 10:10 AM, Jeremy Jackson <jerj at coplanar.net> wrote:
...
> > To be clear, I believe the DDoS issues can only be addressed at the
> > Autonomous System level, which is typically an ISP or large hosting
> > company.
> >
> > Regards,
> >
> > Jeremy
> >
> 
> Jeremy,
> 
>   Most carriers that provide you with a BGP session can provide this
> service.  Some do for free, some do for fee.  When setting up BGP with
> Cogent, for example, you can opt-in (for free) to create a second BGP
> session to a blackhole server.  You can advertise /32s to that server
> and have traffic to it blackholed at Cogent's backbone.  Apparently at
> least Verizon Biz (old MCI/UUNET) also provides this for a fee
> (probably with to/from AS/IP/etc matching).  With a service like this,

Even with BGP Flowspec, this isn't what I'm talking about. Agreed, it's
mostly handling the after effects.  The root cause of DDoS is source
address spoofing.  The remedy is Ingress/Egress filtering.  Backbones
such as Cogent don't do this that I'm aware of, and it'll be a long time
before they do, if ever, IMO.

I believe direct peering offers a solution, on a small/local scale.
Internet exchanges may rise as a hidden jewel for security (they are
presently dealt with like secondary, best-effort, volunteer-based,
etc.), which may need to be addressed for mass VOIP adoption.

>   There has been some discussion on NANOG about this over the last few
> days.  Well worth the read.

Yes, about time I hopped over there and checked it out.

Cheers,

Jeremy

-- 
Jeremy Jackson
W: (419)489-4903
Coplanar Networks
http://www.coplanar.net
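
The ingress/egress filtering named in the message above, sketched as an added example that is not part of the original post: a provider edge forwards a packet only when its source address falls inside a prefix assigned to the interface it arrived on (the approach described in RFC 2827 / BCP 38). Interface names, the prefix table and the sample packets are constructed, using RFC 5737 documentation ranges.

```python
"""Source-address validation (ingress/egress filtering) on constructed data."""
from ipaddress import ip_address, ip_network

# Constructed assignment table: edge interface -> prefixes delegated to the
# customer attached there (RFC 5737 documentation ranges, not real networks).
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ip_network("198.51.100.0/25"), ip_network("203.0.113.0/24")],
}


def permit_source(interface, src, table=CUSTOMER_PREFIXES):
    """Return True only if src lies in a prefix assigned to that interface.

    Unknown interfaces and unparsable addresses are dropped (fail closed).
    """
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in table.get(interface, []))


def filter_packets(packets, table=CUSTOMER_PREFIXES):
    """Split (interface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        interface, src, _dst = pkt
        (forwarded if permit_source(interface, src, table) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic arriving from customers at the provider edge.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.5"),     # legitimate source
    ("ge-0/0/1", "198.51.100.7", "203.0.113.5"),   # another customer's address
    ("ge-0/0/2", "198.51.100.200", "192.0.2.10"),  # outside the assigned /25
    ("ge-0/0/2", "203.0.113.99", "192.0.2.10"),    # legitimate source
    ("ge-0/0/9", "192.0.2.10", "203.0.113.5"),     # interface with no assignment
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(ok)} dropped={len(bad)}")
    for pkt in bad:
        print("drop", pkt)
```

The same check applied at a site's own border to outbound traffic is egress filtering: only sources inside the site's own prefixes leave the network.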



