VoIP Provider DDoSes

As many may know, a particular VoIP supplier is suffering a DDoS. https://twitter.com/voipms

Are your garden variety DDoS mitigation platforms or services equipped to handle DDoSes of VoIP services? What nuances does one have to be cognizant of? A WAF doesn’t mean much to SIP, IAX2, RTP, etc.

Simwood’s blog has a few articles from the past couple weeks with commentary on the attacks to voip providers in the UK. https://blog.simwood.com/2021/09/voip-ddos-fail-to-prepare/

Unlike http based services which can be placed behind cloudflare or similar, harder to protect sip trunking servers.

The provider in question makes use of third party hosting services for each of their cities’ POPs. It is my understanding that for the most part they do not run their own infrastructure but either rent dedicated servers or a few rack units of Colo in each city.

I question whether some or any of those hosting companies have sufficient inbound (200-400Gbps) capacity to weather a moderately sized DDoS.

Which makes SIPoHTTP an inevitability.


Never heard of that one. WebRTC is maybe easier to protect from DDOS?


Never heard of that one. WebRTC is maybe easier to protect from DDOS?

I was just kidding/2. But webrtc don't have a signaling protocol. It can be SIP but it can be completely home brewed too.



Actually, i work for a company that just purchased a start up that deals with DDOS for WebRTC, Websockets and grpc.


I could see that, especially since HTTP 3.0 is UDP.

Well, I suppose it depends on the type of DDoS.

Some of their sites are hosted with large outfits like Softlayer and Hivelocity. Yeah, some others are a lot smaller.

It looks like Security Now covered this yesterday. They claimed that, “There is currently no provider of large pipe VoIP protocol DDoS protection.”

Are any of the cloud DDoS mitigation services offering a service like this.

Yes there are. I was about to message Steve about the correction. Corero and path.net are options. There are others.

OIT Website
Ray Orsini​

Chief Executive Officer

305.967.6756 x1009 | 305.571.6272

ray@oit.co | https://www.oit.co www.oit.co






How are we doing? We’d love to hear your feedback. https://go.oit.co/review

Fail2Ban and give ourselves a pat on the back…

Fail2Ban on a couple of dozen servers may not be sufficient to address 400 gigs of traffic.

I’m going to be reaching out to both of the organizations you listed, but I don’t see any of their documentation mentioning SIP, RTP, or any of the “normal” VOIP protocols or use cases.

Fail2Ban on a couple of dozen servers may not be sufficient to address 400 gigs of traffic.

Also, also… keep in mind that ‘fail2ban’ does some processing on the log messages to which it MAY take action.
It’s taking, essentially, untrusted external input and … acting as ‘root’.

that sounds like a recipe for a disaster, to me… is the code utf-8 safe? are the actions it takes safe in the context of whatever PTR record content may come down the pipe? or apache(equivalent) log message parsing?

It seems like Cloudflare can do something now too because VoIP.MS is now routed through Cloudflare for their new servers.

For those persons with voip.ms accounts, the DDoS-protected servers are in their control panel with a green checkmark next to them as recommended servers.

Now it looks like part of the DDoS has shifted to bandwidth.com.