Difference between revisions of "DDoS"
| (17 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
= DDoS = | = DDoS Protection for Kolmisoft Clients = | ||
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the | A '''Distributed Denial of Service (DDoS)''' attack is a malicious attempt to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of internet traffic. | ||
Unlike traditional denial-of-service attacks that might involve a single source, DDoS attacks leverage multiple compromised computers, forming | Unlike traditional denial-of-service attacks that might involve a single source, DDoS attacks leverage multiple compromised computers, forming a botnet, to target a single system. | ||
DDoS attacks against '''VoIP softswitches''' and '''SIP servers''' are becoming increasingly common. They can result in complete service unavailability, call drops, delayed SIP signaling, or severe quality degradation. | |||
<br> | |||
== Key Facts About DDoS Attacks == | |||
* '''Objective:''' Render a service or network unavailable by flooding it with excessive traffic. | |||
* '''Distributed nature:''' Attacks come from a botnet — hundreds or thousands of infected machines worldwide. | |||
* '''Attack vectors:''' | |||
** Volumetric attacks – flood the network with massive amounts of data (e.g. UDP floods). | |||
** Protocol attacks – exploit weaknesses in network protocols. | |||
** Application-layer attacks – target SIP, RTP, or other VoIP services specifically. | |||
* '''Amplification:''' Attackers often exploit misconfigured services to amplify their attack traffic. | |||
* '''Motivation:''' Can be financial (ransom), competitive, ideological, or purely destructive. | |||
<br> | |||
DDoS | == Important Reality Check == | ||
There is no guaranteed way to fully prevent or stop a targeted DDoS attack, especially if attackers are persistent and well-resourced. | |||
The effectiveness of protection depends on the hosting provider’s infrastructure, your network architecture, and whether you use specialized DDoS mitigation services. | |||
Attackers often target UDP port 5060 directly or use fragmented packets to overwhelm the system. | |||
In such cases, there is nothing that can be done on the software level to stop the attack — the issue lies in saturated bandwidth and network capacity, not in SIP configuration. | |||
Once the uplink is fully saturated, no legitimate traffic can get through, regardless of firewall or softswitch rules. | |||
This is why having proper DDoS protection at the network edge (hosting provider or external mitigation service) is critical. | |||
<br> | |||
= | = Protection Options = | ||
Below are some practical approaches and service options that Kolmisoft clients can consider. | |||
<br> | |||
== | == 1. Hetzner (Default Hosting) == | ||
DDoS | '''Hetzner''' provides '''basic DDoS protection by default''', which automatically mitigates some malicious traffic. | ||
However, they do '''not offer any advanced DDoS mitigation solutions'''. | |||
''Our DDoS system already mitigates most of the traffic. We do not offer any advanced DDoS solution; therefore, we normally recommend services like Cloudflare. Since the DDoS traffic amount is larger than 1 Gbit, an upgrade to a 10 Gbit uplink would allow more capacity for good traffic beside attack traffic.'' | |||
'''Summary:''' | |||
* Basic volumetric protection | |||
* No advanced filtering, no SIP-specific protection | |||
* Upgrading to 10 Gbit uplink might help handle more legitimate traffic during attacks, but does not solve the attack itself | |||
* Included in hosting price | |||
<br> | |||
== 2. Cloudflare Spectrum (Enterprise) == | |||
'''Cloudflare''' can protect '''SIP and RTP traffic''' through '''Cloudflare Spectrum''', which is part of their '''Enterprise plan'''. | |||
DDoS | Spectrum provides DDoS mitigation and traffic acceleration for '''TCP/UDP-based applications''' (including SIP signaling and RTP streams). | ||
'''Pricing:''' | |||
* Starts at several thousand USD per month (typically 3,000–4,000+ USD) | |||
* Custom pricing based on traffic volume and number of protected IPs | |||
* No public price list; quote required | |||
* Formal trial is part of the Enterprise pre-sales process | |||
* No cheaper or self-serve options for VoIP traffic protection at this time | |||
'''Summary:''' | |||
* Very strong global DDoS mitigation, including SIP/RTP | |||
* Trial available as part of Enterprise sales process | |||
* Expensive — not realistic for most small/mid-size VoIP providers | |||
* Minimum several thousand USD/month | |||
<br> | |||
== 3. Stormwall (stormwall.network) == | |||
'''Stormwall''' offers protection for '''SIP signaling and RTP traffic''', with the option to start with a '''free trial period''' to evaluate effectiveness. | |||
'''Key points:''' | |||
* Protection includes SIP and RTP traffic | |||
* Trial allows connecting and testing their protection before committing | |||
* Baseline pricing: Standard Server Protection plan starts at $200/month for 50 Mbps | |||
* After the trial, the quote is refined based on real bandwidth usage | |||
* Requires filling out a connection form and registering on their website | |||
'''Summary:''' | |||
* SIP and RTP protection | |||
* Free trial before paying | |||
* Starting price is significantly lower than Cloudflare Enterprise | |||
* Final price depends on actual bandwidth and attack profile | |||
<br> | |||
= Other Practical Steps = | |||
<br> | |||
== Use Secondary Server == | |||
If you operate a 2-server setup, you can use the second server (with only Asterisk) to '''isolate new or suspicious clients'''. | |||
If an attack occurs, it will only bring down that second server, not your entire system. | |||
This can help identify the '''“mischief-maker”''' by moving new clients to the secondary server temporarily. | |||
<br> | |||
== Monitor New Clients == | |||
If attacks began after onboarding a specific client, move them to a separate server or isolate their traffic to verify if they are the source or target. | |||
<br> | |||
= Economic Considerations = | |||
Not all solutions make sense financially. For example, '''Cloudflare Enterprise protection costs several thousand dollars monthly''' — often more than many clients pay for the softswitch itself. | |||
If you decide to explore third-party DDoS providers, make sure they: | |||
* Offer SIP/RTP protection, not just HTTP | |||
* Provide a trial period, so you can confirm effectiveness before committing | |||
* Are transparent about pricing and bandwidth tiers | |||
Stormwall currently appears to be one of the '''more affordable SIP-focused options with a trial period'''. | |||
<br> | |||
= Summary Table = | |||
{| class="wikitable" | |||
! Provider / Option !! SIP & RTP Protection !! Trial !! Price Range !! Notes | |||
|- | |||
| Hetzner (default) || No (basic volumetric only) || – || Included || Upgrade to 10 Gbit uplink may help but not real protection | |||
|- | |||
| Cloudflare Spectrum (Enterprise) || Yes || Yes (Enterprise trial) || 3,000–4,000+ USD/month || Very strong, but expensive | |||
|- | |||
| Stormwall || Yes || Yes (free trial) || From $200/month || Affordable starting point, final price based on usage | |||
|} | |||
<br> | |||
= See Also = | |||
* [https://www.youtube.com/watch?v=ilhGh9CEIwM DDoS Attack Explained (YouTube)] | |||
* [https://www.youtube.com/watch?v=bDAY-oUP0DQ Denial of Service Attacks Explained (YouTube)] | |||
* [[Cloudflare configuration for GUI DDoS Protection]] | |||
Latest revision as of 09:58, 8 October 2025
DDoS Protection for Kolmisoft Clients
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of internet traffic. Unlike traditional denial-of-service attacks that might involve a single source, DDoS attacks leverage multiple compromised computers, forming a botnet, to target a single system.
DDoS attacks against VoIP softswitches and SIP servers are becoming increasingly common. They can result in complete service unavailability, call drops, delayed SIP signaling, or severe quality degradation.
Key Facts About DDoS Attacks
- Objective: Render a service or network unavailable by flooding it with excessive traffic.
- Distributed nature: Attacks come from a botnet — hundreds or thousands of infected machines worldwide.
- Attack vectors:
- Volumetric attacks – flood the network with massive amounts of data (e.g. UDP floods).
- Protocol attacks – exploit weaknesses in network protocols.
- Application-layer attacks – target SIP, RTP, or other VoIP services specifically.
- Amplification: Attackers often exploit misconfigured services to amplify their attack traffic.
- Motivation: Can be financial (ransom), competitive, ideological, or purely destructive.
Important Reality Check
There is no guaranteed way to fully prevent or stop a targeted DDoS attack, especially if attackers are persistent and well-resourced. The effectiveness of protection depends on the hosting provider’s infrastructure, your network architecture, and whether you use specialized DDoS mitigation services.
Attackers often target UDP port 5060 directly or use fragmented packets to overwhelm the system. In such cases, there is nothing that can be done on the software level to stop the attack — the issue lies in saturated bandwidth and network capacity, not in SIP configuration.
Once the uplink is fully saturated, no legitimate traffic can get through, regardless of firewall or softswitch rules. This is why having proper DDoS protection at the network edge (hosting provider or external mitigation service) is critical.
Protection Options
Below are some practical approaches and service options that Kolmisoft clients can consider.
1. Hetzner (Default Hosting)
Hetzner provides basic DDoS protection by default, which automatically mitigates some malicious traffic. However, they do not offer any advanced DDoS mitigation solutions.
Our DDoS system already mitigates most of the traffic. We do not offer any advanced DDoS solution; therefore, we normally recommend services like Cloudflare. Since the DDoS traffic amount is larger than 1 Gbit, an upgrade to a 10 Gbit uplink would allow more capacity for good traffic beside attack traffic.
Summary:
- Basic volumetric protection
- No advanced filtering, no SIP-specific protection
- Upgrading to 10 Gbit uplink might help handle more legitimate traffic during attacks, but does not solve the attack itself
- Included in hosting price
2. Cloudflare Spectrum (Enterprise)
Cloudflare can protect SIP and RTP traffic through Cloudflare Spectrum, which is part of their Enterprise plan.
Spectrum provides DDoS mitigation and traffic acceleration for TCP/UDP-based applications (including SIP signaling and RTP streams).
Pricing:
- Starts at several thousand USD per month (typically 3,000–4,000+ USD)
- Custom pricing based on traffic volume and number of protected IPs
- No public price list; quote required
- Formal trial is part of the Enterprise pre-sales process
- No cheaper or self-serve options for VoIP traffic protection at this time
Summary:
- Very strong global DDoS mitigation, including SIP/RTP
- Trial available as part of Enterprise sales process
- Expensive — not realistic for most small/mid-size VoIP providers
- Minimum several thousand USD/month
3. Stormwall (stormwall.network)
Stormwall offers protection for SIP signaling and RTP traffic, with the option to start with a free trial period to evaluate effectiveness.
Key points:
- Protection includes SIP and RTP traffic
- Trial allows connecting and testing their protection before committing
- Baseline pricing: Standard Server Protection plan starts at $200/month for 50 Mbps
- After the trial, the quote is refined based on real bandwidth usage
- Requires filling out a connection form and registering on their website
Summary:
- SIP and RTP protection
- Free trial before paying
- Starting price is significantly lower than Cloudflare Enterprise
- Final price depends on actual bandwidth and attack profile
Other Practical Steps
Use Secondary Server
If you operate a 2-server setup, you can use the second server (with only Asterisk) to isolate new or suspicious clients. If an attack occurs, it will only bring down that second server, not your entire system. This can help identify the “mischief-maker” by moving new clients to the secondary server temporarily.
Monitor New Clients
If attacks began after onboarding a specific client, move them to a separate server or isolate their traffic to verify if they are the source or target.
Economic Considerations
Not all solutions make sense financially. For example, Cloudflare Enterprise protection costs several thousand dollars monthly — often more than many clients pay for the softswitch itself.
If you decide to explore third-party DDoS providers, make sure they:
- Offer SIP/RTP protection, not just HTTP
- Provide a trial period, so you can confirm effectiveness before committing
- Are transparent about pricing and bandwidth tiers
Stormwall currently appears to be one of the more affordable SIP-focused options with a trial period.
Summary Table
| Provider / Option | SIP & RTP Protection | Trial | Price Range | Notes |
|---|---|---|---|---|
| Hetzner (default) | No (basic volumetric only) | – | Included | Upgrade to 10 Gbit uplink may help but not real protection |
| Cloudflare Spectrum (Enterprise) | Yes | Yes (Enterprise trial) | 3,000–4,000+ USD/month | Very strong, but expensive |
| Stormwall | Yes | Yes (free trial) | From $200/month | Affordable starting point, final price based on usage |
