[asterisk-security] Asterisk and DoS attack: What has been done so far?
Kristian Kielhofner
kristian.kielhofner at gmail.com
Wed Jan 30 13:55:51 CST 2008
On Jan 30, 2008 1:51 PM, Jeremy Jackson <jerj at coplanar.net> wrote:
>
> On Wed, 2008-01-30 at 13:03 -0500, Kristian Kielhofner wrote:
> > On Jan 30, 2008 10:10 AM, Jeremy Jackson <jerj at coplanar.net> wrote:
> ...
> > > To be clear, I believe the DDoS issues can only be addressed at the
> > > Autonomous System level, which is typically an ISP or large hosting
> > > company.
> > >
> > > Regards,
> > >
> > > Jeremy
> > >
> >
> > Jeremy,
> >
> > Most carriers that provide you with a BGP session can provide this
> > service. Some do for free, some do for fee. When setting up BGP with
> > Cogent, for example, you can opt-in (for free) to create a second BGP
> > session to a blackhole server. You can advertise /32s to that server
> > and have traffic to it blackholed at Cogent's backbone. Apparently at
> > least Verizon Biz (old MCI/UUNET) also provides this for a fee
> > (probably with to/from AS/IP/etc matching). With a service like this,
>
> Even with BGP Flowspec, this isn't what I'm talking about. Agreed, it's
> mostly handling the after effects. The root cause of DDoS is source
> address spoofing. The remedy is Ingress/Egress filtering. Backbones
> such as Cogent don't do this that I'm aware of, and it'll be a long time
> before they do, if ever, IMO.

Ingress/Egress filtering would be nice. And you're correct, most
backbones don't do this. However, even with Ingress/Egress filtering
a large enough botnet would still be a problem (with legit sourced
IPs). A VoIP service provider could pretty easily whitelist/blacklist
based on these IPs and the methods I discussed before.

> I believe direct peering offers a solution, on a small/local scale.
> Internet exchanges may rise as a hidden jewel for security (they are
> presently dealt with like secondary, best-effort, volunteer based,
> etc.) , which may need to be addressed for mass VOIP adoption.

You're right again with direct peering. That's what we're working toward...

> > There has been some discussion on NANOG about this over the last few
> > days. Well worth the read.
>
> Yes about time I hopped over there and check it out.
>

Yeah, sometimes NANOG is worth it... I like the diagrams on your
website, btw!

--
Kristian Kielhofner