CallCentric Under DDoS Attack (1 Week & Counting)

Fyi, everybody,

I wasn’t sure how to list this, but just in case there are folks who aren’t aware, SIP provider “CallCentric” has been under DDoS attack for one week straight and it looks like whoever is doing is no closer to being caught now than they were last week.

For those not DSL report members, here’s the string speaking of when it was recognized as being a DDoS attack:

The beginning of the thread starts here:

Speaking as a Callcentric customer, this attack has rendered the entire network all but unusable :frowning:

Again, this is just fyi for other VoIP users…


Are you saying no calls can be made through their network? I have been having trouble making calls but I just got mine to register with them.

I find it very hard to believe that they have not been able to mitigate the attack in a week.

I am wondering if something else is not going on.

Apparently the attack hasn’t stopped although they have mitigated a majority of the flooding (my lines are now registering again, however, there is random choppiness from time-to-time due to “patch rollouts” based on what CC updates say…).



I came across this blog regarding the mitigation of SIP flooding; from what’s being said, everyone is saying the content is useful:

Once I figure out the inner-workings of what’s happening, I’m definitely interested in investing some time into understanding the content better. Oh, there was something further down the post about doing this in Linux:

Poster #1: Tom Stordy-Allison (not authenticated) on april 12th, 2010 at 10:34:21:
Worked a dream.

For anyone on linux use:

iptables -t nat -A PREROUTING -i eth0 -source -p udp --dport 5060 -j REDIRECT --to-port 5061

I had to set the bind ip address also to receive packets:

s.bind(“”, 5061)


Poster #2: This Amazon friendly-scanner generated about 15GB traffic this weekend! Same ammount couple weeks back.

Very nice trick, I did this (linux)
iptables -I INPUT -s -j DROP
But that generated in 2 GB blocked data in a couple of hours.
iptables -I INPUT -s -j REJECT
Was more effective, the scanning stopped within minutes (4MB traffic).

I also reported this to EC2 abuse.

As I become more versed with Linux and its “tips 'n tricks,” this will most likely have better meaning to me heh


Well, that will keep any Amazon ec2 instance from hitting you.