RE: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

[Drew Weaver <drew.weaver () thenap com>]

Ah, alright. I've seen the "general" amplification attacks SNMP/DNS/NTP/you name it, plenty but this is the first one 
I've ever seen one that targeted 1720/5060 and as its mitigated in one place it keeps moving from dst to dst fairly 
rapidly until none of the dst ips are available.

-----Original Message-----
From: Jared Mauch [mailto:jared () puck nether net] 
Sent: Monday, July 20, 2015 12:06 PM
To: Drew Weaver <drew.weaver () thenap com>
Cc: nanog () nanog org
Subject: Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

I’m sure this is just the extension of all the UDP amplification attacks that are ongoing.  My experience is that 
1720/CUCM should not be connected to a public network as those devices are often not well maintained or patched.

If it’s of value I can look at adding this to the set of things that are enumerated as part of the general UDP 
amplification problems that we continue to face due to the lack of SAV.

- Jared

> On Jul 20, 2015, at 11:57 AM, Drew Weaver <drew.weaver () thenap com> wrote:
>
> Has anyone else seen a massive amount of illegitimate UDP 1720 traffic coming from China being sent towards IP 
> addresses which provide VoIP services?
>
> I'm talking in the 20-30Gbps range?
>
> The first incident was yesterday at around 13:00 EST, the second incident was today at 09:00 EST.
>
> I'm assuming this is just another DDoS like all others, but I would be interested to hear if I am not the only one 
> seeing this.
>
> On list or off-list is fine.
>
> Thanks,
> -Drew