[VOIPSEC] Anti-DDoS products for VoIP
J. Oquendo
joquendo at hushmail.com
Thu Jul 6 08:12:10 CDT 2006
I don't think there is much you can do against a DDoS attack taken
on any protocol whether it's VoIP or another. At least this is my
opinion. I'm thinking in terms of the "golfball" effect where a
pipe is filled to capacity. What can you do when a botnet has a
combined OC3-like pipe being sent to a DS3 or so? Not much.

If you were thinking in terms of an attack specifically tailored to
VoIP, I was actually in the midst of putting together a "proof of
concept" aimed at a WiFi phone I am playing with. It's theoretical
and just a matter of me implementing this and testing it over the
weekend.

If my theories do hold together, though, WiFi phone or not, anything
on the 2000, 5060, 2427, 4569 ports would all be vulnerable for the
attack. Wouldn't matter if it's SIP, Skinny, etc. I will make my
findings available to engineers but will not release code to the
public. Just need to zero in on some specific RFC information.

<2cents>
Now before anyone rages at me for creating such a tool let me
explain the reasons behind it. 1) If I can think of a problem and
exploit it so can someone else. 2) My findings are to be posted
without releasing the program so its intention is not malicious but
one of "did you know that this is broken... now go fix it." While
some may think the less of me for attempting to break things up, I
think it's inevitable anyway, why not see if I can do it and have
engineers clean up the mess before someone else finds it and makes
it an epidemic.
</2cents>

NFR (Network Flight Recorder) makes a product called Sentivist in
which they are monitoring SIP at the protocol level according to a
response I got from them on the same type of question. If you need
a contact there let me know.

As for "protection", you could create an ACL or firewall rule from
server to client and only allow trusted hosts and servers to
connect to one another via their specific ports (SIP5060, IAX4569,
etc.) but doing so may affect QoS if you have your ACLs
misconfigured since it would likely introduce some serialization,
forwarding, or propagation delays. Not to mention affect the
router's CPU. As for non-rfc1918 addresses I would place them on a
DMZ or something or segregate (VLAN) them if possible.

On Thu, 06 Jul 2006 05:54:55 -0400 dhiraj.2.bhuyan at bt.com wrote:
>Hello list,
>
>I am trying to compile a list of the leading anti-DDOS attack products
>for VOIP and thought maybe this is the best place to ask. Has anyone
>looked into DDoS protection for VoIP and what are the leading products
>in this area? You can email me privately or to this list.
>
>Many thanks,
>
>Dhiraj Bhuyan, CISSP
>Senior Network Security Professional,
>British Telecom, UK
>
>Email: dhiraj.2.bhuyan at bt.com
perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-
7),oct(104),10,oct(101));'
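
Added example, not part of the original message or written by its author: the trusted-peer ACL the reply describes, sketched as a script that prints (does not apply) iptables rules for the ports the message names. Assumptions: iptables on a Linux VoIP server, the usual transport for each port, a hypothetical chain name VOIP-SIG, and peers taken from the documentation address ranges.

```shell
#!/bin/sh
# Added example: prints (does not apply) an iptables allowlist for the VoIP
# signalling ports named in the message. Transport per port is the usual
# default and an assumption; the chain name VOIP-SIG is hypothetical.
VOIP_PORTS="tcp:2000 udp:2427 udp:4569 udp:5060 tcp:5060"

# is_ipv4 ADDR: succeeds if ADDR is dotted-quad IPv4 with an optional /0-32.
is_ipv4() {
    addr=${1%/*}
    prefix=${1#"$addr"}
    case $prefix in
        ''|/[0-9]|/[12][0-9]|/3[0-2]) ;;
        *) return 1 ;;
    esac
    # Digits and dots only (also keeps glob characters out), no trailing dot.
    case $addr in *[!0-9.]*|*.) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $addr                      # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# voip_acl_rules PEER...: prints the rule set, or nothing (status 2) if any
# peer is malformed, so a typo never yields a half-built ACL.
voip_acl_rules() {
    [ $# -gt 0 ] || { echo "no trusted peers given" >&2; return 2; }
    for peer in "$@"; do
        is_ipv4 "$peer" || { echo "bad peer: $peer" >&2; return 2; }
    done
    echo "iptables -N VOIP-SIG"
    # One jump per signalling port; all other traffic skips the peer list.
    for pp in $VOIP_PORTS; do
        echo "iptables -A INPUT -p ${pp%:*} --dport ${pp#*:} -j VOIP-SIG"
    done
    for peer in "$@"; do
        echo "iptables -A VOIP-SIG -s $peer -j ACCEPT"
    done
    # First match wins, so everything not accepted above is dropped here.
    echo "iptables -A VOIP-SIG -j DROP"
}

# Constructed peers from the documentation address ranges.
voip_acl_rules 192.0.2.10 198.51.100.0/24
```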