This month’s DDoS attacks on SIP infrastructure in the VoIP community should give us all pause to reflect upon what each of us can do to lessen the impact of these attacks in our Internet-centric community. Suffice it to say, DDoS attacks can be directed toward carriers (last week it was Bandwidth.com), VoIP providers (last week it was VoIP.ms), and VoIP servers (that would be your PBX). While they may not like it, carriers and many VoIP providers have the financial resources to withstand or mitigate a DDoS attack. You, on the other hand, with your budget-basement cloud server probably do not. So what can you do?
Almost 10 years ago, we introduced the Travelin’ Man 3 firewall for VoIP servers. The idea was novel at the time. You can’t attack what you can’t see. By placing an Incredible PBX server behind the IPtables firewall with no public exposure except for trusted sites and users, your server is essentially hidden from the Internet and all of the world’s bad guys. At the time, the design was poo-poo’d by the SIP purists who were adamant that SIP ports needed to be publicly exposed to function reliably. Wrong. Then there was the FreePBX® firewall which blocked repeated attacks from the IP address of a would-be attacker. But what if a botnet unleashed hundreds of thousands of attacks on your IP address. The FreePBX blocking mechanism obviously would fail. One of the shortcomings of Asterisk®: it isn’t a SIP proxy.
The moral of the story is pretty simple. Unless you have an unlimited bank account to thwart DDoS attacks and unless your PBX is sitting behind a SIP proxy, you’re much safer with a fully-protected Incredible PBX platform. And, for those believing your IP address is too obscure to attract much attention, try installing a server on CloudAtCost, or Digital Ocean, or Vultr without a firewall to protect your SSH port. You’ll quickly discover how popular you are. Stay safe!
Originally published: Monday, September 27, 2021
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
How does the Incredible PBX PUBLIC version fare based on this advice?
[WM: Firewall still blocks public IP address access. You must use your FQDN or VPN address.]
Thanks for continuing to use your blog as a tool to help communicate the importance of security in mitigating DDoS / TDoS front and center Ward. The security importance extends beyond the personal and business applications as 9-1-1 services in the US and Canada transition to VoIP in the near future. These threats are real as shown in recent events and in this brief intro to DHS and DHS CISA work in this very space. https://agenda.iwceexpo.com/session/securing-ng-911-/880371
How about writing a tutorial on the SIP Proxy for those who don’t know how they work?
[WM: Lots of them out there. Try this one.]
Today’s Must Read: https://blog.cloudflare.com/attacks-on-voip-providers/
HINT: If you are a SIP provider and don’t sit in the media pathway of calls, Cloudflare’s Magic Transit service is a DDoS bargain.