20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

Mon Jul 20 16:12:18 UTC 2015

Ah, alright. I've seen the "general" amplification attacks SNMP/DNS/NTP/you name it, plenty but this is the first one I've ever seen one that targeted 1720/5060 and as its mitigated in one place it keeps moving from dst to dst fairly rapidly until none of the dst ips are available.

-----Original Message-----
From: Jared Mauch [mailto:jared at puck.nether.net] 
Sent: Monday, July 20, 2015 12:06 PM
To: Drew Weaver <drew.weaver at thenap.com>
Cc: nanog at nanog.org
Subject: Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

I’m sure this is just the extension of all the UDP amplification attacks that are ongoing.  My experience is that 1720/CUCM should not be connected to a public network as those devices are often not well maintained or patched.

If it’s of value I can look at adding this to the set of things that are enumerated as part of the general UDP amplification problems that we continue to face due to the lack of SAV.

- Jared

> On Jul 20, 2015, at 11:57 AM, Drew Weaver <drew.weaver at thenap.com> wrote:
> 
> Has anyone else seen a massive amount of illegitimate UDP 1720 traffic coming from China being sent towards IP addresses which provide VoIP services?
> 
> I'm talking in the 20-30Gbps range?
> 
> The first incident was yesterday at around 13:00 EST, the second incident was today at 09:00 EST.
> 
> I'm assuming this is just another DDoS like all others, but I would be interested to hear if I am not the only one seeing this.
> 
> On list or off-list is fine.
> 
> Thanks,
> -Drew