[182511] in North American Network Operators' Group


Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last

daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Jul 20 12:06:15 2015

X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <9a31dd85f5814c739dcebcdf3c80cb3c@EXCHANGE2K13.thenap.com>
Date: Mon, 20 Jul 2015 12:06:08 -0400
To: Drew Weaver <drew.weaver@thenap.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

I’m sure this is just the extension of all the UDP amplification
attacks that are ongoing.  My experience is that 1720/CUCM should not be
connected to a public network as those devices are often not well
maintained or patched.

If it’s of value I can look at adding this to the set of things
that are enumerated as part of the general UDP amplification problems
that we continue to face due to the lack of SAV.

- Jared

> On Jul 20, 2015, at 11:57 AM, Drew Weaver <drew.weaver@thenap.com> wrote:
>
> Has anyone else seen a massive amount of illegitimate UDP 1720 traffic
> coming from China being sent towards IP addresses which provide VoIP
> services?
>
> I'm talking in the 20-30Gbps range?
>
> The first incident was yesterday at around 13:00 EST, the second
> incident was today at 09:00 EST.
>
> I'm assuming this is just another DDoS like all others, but I would be
> interested to hear if I am not the only one seeing this.
>
> On list or off-list is fine.
>
> Thanks,
> -Drew

