Difference between revisions of "DDoS"

From Kolmisoft Wiki
Line 74: Line 74:
* Starting price is significantly lower than Cloudflare Enterprise   
* Starting price is significantly lower than Cloudflare Enterprise   
* Final price depends on actual bandwidth and attack profile
* Final price depends on actual bandwidth and attack profile
---


= Other Practical Steps =
= Other Practical Steps =
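
Review bot: the `---` line just above `= Other Practical Steps =` is three hyphens, which MediaWiki renders as literal text rather than a rule; use four (`----`) if a horizontal rule is intended, or drop the line. The heading itself is written with single `=`, which MediaWiki treats as a level-1 heading normally reserved for the page title; `== Other Practical Steps ==` would keep it a regular section.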

Revision as of 08:09, 8 October 2025

DDoS Protection for Kolmisoft Clients

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of internet traffic. Unlike traditional denial-of-service attacks that might involve a single source, DDoS attacks leverage multiple compromised computers, forming a botnet, to target a single system.

DDoS attacks against VoIP softswitches and SIP servers are becoming increasingly common. They can result in complete service unavailability, call drops, delayed SIP signaling, or severe quality degradation.

Key Facts About DDoS Attacks

  • Objective: Render a service or network unavailable by flooding it with excessive traffic.
  • Distributed nature: Attacks come from a botnet — hundreds or thousands of infected machines worldwide.
  • Attack vectors:
    • Volumetric attacks – flood the network with massive amounts of data (e.g. UDP floods).
    • Protocol attacks – exploit weaknesses in network protocols.
    • Application-layer attacks – target SIP, RTP, or other VoIP services specifically.
  • Amplification: Attackers often exploit misconfigured services to amplify their attack traffic.
  • Motivation: Can be financial (ransom), competitive, ideological, or purely destructive.

Important Reality Check

There is no guaranteed way to fully prevent or stop a targeted DDoS attack, especially if attackers are persistent and well-resourced. The effectiveness of protection depends on the hosting provider’s infrastructure, your architecture, and whether you use specialized DDoS mitigation services.

Protection Options

Below are some practical approaches and service options that Kolmisoft clients can consider.

1. Hetzner (Default Hosting)

Hetzner provides basic DDoS protection by default, which automatically mitigates some malicious traffic. However, they do not offer any advanced DDoS mitigation solutions.

> “Our DDoS system already mitigates most of the traffic. We do not offer any advanced DDoS solution; therefore, we normally recommend services like Cloudflare. Since the DDoS traffic amount is larger than 1 Gbit, an upgrade to a 10 Gbit uplink would allow more capacity for good traffic beside attack traffic.”

Summary:

  • Basic volumetric protection
  • No advanced filtering, no SIP-specific protection
  • Upgrading to 10 Gbit uplink might help handle more legitimate traffic during attacks, but does not solve the attack itself
  • Included in hosting price

2. Cloudflare Spectrum (Enterprise)

Cloudflare can protect SIP and RTP traffic through Cloudflare Spectrum, which is part of their Enterprise plan.

Spectrum provides DDoS mitigation and traffic acceleration for TCP/UDP-based applications (including SIP signaling and RTP streams).

Pricing:

  • Starts at several thousand USD per month (typically 3,000–4,000+ USD)
  • Custom pricing based on traffic volume and number of protected IPs
  • No public price list; quote required
  • Formal trial is part of the Enterprise pre-sales process
  • No cheaper or self-serve options for VoIP traffic protection at this time

Summary:

  • Very strong global DDoS mitigation, including SIP/RTP
  • Trial available as part of Enterprise sales process
  • Expensive — not realistic for most small/mid-size VoIP providers
  • Minimum several thousand USD/month

3. Stormwall (stormwall.network)

Stormwall offers protection for SIP signaling and RTP traffic, with the option to start with a free trial period to evaluate effectiveness.

Key points:

  • Protection includes SIP and RTP traffic
  • Trial allows connecting and testing their protection before committing
  • Baseline pricing: Standard Server Protection plan starts at $200/month for 50 Mbps
  • After the trial, the quote is refined based on real bandwidth usage
  • Requires filling out a connection form and registering on their website

Summary:

  • SIP and RTP protection
  • Free trial before paying
  • Starting price is significantly lower than Cloudflare Enterprise
  • Final price depends on actual bandwidth and attack profile

Other Practical Steps

Use Secondary Server

If you operate a 2-server setup, you can use the second server (with only Asterisk) to isolate new or suspicious clients. If an attack occurs, it will only bring down that second server, not your entire system. This can help identify the “mischief-maker” by moving new clients to the secondary server temporarily.

Monitor New Clients

If attacks began after onboarding a specific client, move them to a separate server or isolate their traffic to verify if they are the source or target.

Emergency Ticketing

If your Asterisk or MOR system is completely down, always open a new support ticket with BLOCKER priority. This is especially critical outside working hours, as only BLOCKER tickets trigger alerts for the on-call engineer.

---

Economic Considerations

Not all solutions make sense financially. For example, Cloudflare Enterprise protection costs several thousand dollars monthly — often more than many clients pay for the softswitch itself.

If you decide to explore third-party DDoS providers, make sure they:

  • Offer SIP/RTP protection, not just HTTP
  • Provide a trial period, so you can confirm effectiveness before committing
  • Are transparent about pricing and bandwidth tiers

Stormwall currently appears to be one of the more affordable SIP-focused options with a trial period.

---

Summary Table

| Provider / Option | SIP & RTP Protection | Trial | Price Range | Notes |
|---|---|---|---|---|
| Hetzner (default) | No (basic volumetric only) | | Included | Upgrade to 10 Gbit uplink may help but not real protection |
| Cloudflare Spectrum (Enterprise) | Yes | Yes (Enterprise trial) | $$$$ (3,000–4,000+ USD/month) | Very strong, but expensive |
| Stormwall | Yes | Yes (free trial) | From $200/month | Affordable starting point, final price based on usage |

---

See Also