Anyone been involved with TDM voice DOS attacks? My thoughts are that if the phone call originates as an IP call somewhere in the wild, then typical abuse security incident notifications may help in the interim. At least potentially identify through customer records or make them move on where they eventually slip up.

If the abuse originates as IP what obligations do foreign service providers (friendly?) have to identify and mitigate?

How can the community respond to service providers who fail to clean up their customer base?

Mike

On 08/16/2011 11:46 AM, harbor235 wrote:

> Anyone been involved with TDM voice DOS attacks? My thoughts are that if the phone call originates as an IP call somewhere in the wild, then typical abuse security incident notifications may help in the interim.

Indeed. Though I suppose it depends on where they come from. Probably originate in various nasty neighborhoods of the net.

> At least potentially identify through customer records or make them move on where they eventually slip up.

Right.

> If the abuse originates as IP what obligations do foreign service providers (friendly?) have to identify and mitigate?

Well I work at a very large shared hosting provider. Our upstream provider gets abuse complaints and a ticket lands in our queue telling us to clean up or the box gets dropped off the net (anywhere from 4 to 48 hour warning window).

I'm guessing that most large service providers have similar procedures in place? Just hit up the abuse contacts for the IP range. Doesn't matter where the destination is, what media etc. If it originates on an IP network/device, it can be dealt with that way.

However the bad guys probably aren't using the large providers, as they usually operate 24x7 abuse desks, which means rapid ban hammering. :)

> How can the community respond to service providers who fail to clean up their customer base?

iptables -s x.x.x.x/8 -j DROP (modify to your local site firewall drug of choice).

The complication is that the attack victim is not IP... Can't turn up a firewall or router to mitigate.

mike

On Tue, Aug 16, 2011 at 12:57 PM, Charles N Wyble <charles@knownelement.com> wrote:

> On 08/16/2011 11:46 AM, harbor235 wrote:
>
> > Anyone been involved with TDM voice DOS attacks? My thoughts are that if the phone call originates as an IP call somewhere in the wild, then typical abuse security incident notifications may help in the interim.
>
> Indeed. Though I suppose it depends on where they come from. Probably originate in various nasty neighborhoods of the net.
>
> > At least potentially identify through customer records or make them move on where they eventually slip up.
>
> Right.
>
> > If the abuse originates as IP what obligations do foreign service providers (friendly?) have to identify and mitigate?
>
> Well I work at a very large shared hosting provider. Our upstream provider gets abuse complaints and a ticket lands in our queue telling us to clean up or the box gets dropped off the net (anywhere from 4 to 48 hour warning window).
>
> I'm guessing that most large service providers have similar procedures in place? Just hit up the abuse contacts for the IP range. Doesn't matter where the destination is, what media etc. If it originates on an IP network/device, it can be dealt with that way.
>
> However the bad guys probably aren't using the large providers, as they usually operate 24x7 abuse desks, which means rapid ban hammering. :)
>
> > How can the community respond to service providers who fail to clean up their customer base?
>
> iptables -s x.x.x.x/8 -j DROP (modify to your local site firewall drug of choice).