Ah, alright. I've seen the "general" amplification attacks SNMP/DNS/NTP/you 
name it, plenty but this is the first one I've ever seen one that targeted 
1720/5060 and as its mitigated in one place it keeps moving from dst to dst 
fairly rapidly until none of the dst ips are available.

-----Original Message-----
From: Jared Mauch [mailto:ja...@puck.nether.net] 
Sent: Monday, July 20, 2015 12:06 PM
To: Drew Weaver <drew.wea...@thenap.com>
Cc: nanog@nanog.org
Subject: Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 
24 hours

I’m sure this is just the extension of all the UDP amplification attacks that 
are ongoing.  My experience is that 1720/CUCM should not be connected to a 
public network as those devices are often not well maintained or patched.

If it’s of value I can look at adding this to the set of things that are 
enumerated as part of the general UDP amplification problems that we continue 
to face due to the lack of SAV.

- Jared

> On Jul 20, 2015, at 11:57 AM, Drew Weaver <drew.wea...@thenap.com> wrote:
> 
> Has anyone else seen a massive amount of illegitimate UDP 1720 traffic coming 
> from China being sent towards IP addresses which provide VoIP services?
> 
> I'm talking in the 20-30Gbps range?
> 
> The first incident was yesterday at around 13:00 EST, the second incident was 
> today at 09:00 EST.
> 
> I'm assuming this is just another DDoS like all others, but I would be 
> interested to hear if I am not the only one seeing this.
> 
> On list or off-list is fine.
> 
> Thanks,
> -Drew

Reply via email to