Massive DDoS attacks a growing threat to VoIP services

ORLANDO, Fla. -- When the massive distributed denial-of-service (DDoS) attack in March brought down the voice-over-IP (VoIP) call processing supplied by TelePacific Communications to thousands of its customers, it marked a turning point for the local-exchange services provider in its thinking about security.

The massive DDoS attack came blasting in from the Internet in the form of a flood of invalid VoIP registration requests. The attack resulted in widespread service disruptions for a number of days in late March and cost the company hundreds of thousands of dollars in customer credits. After the attack was over, the facilities-based services provider, based in California and Nevada, took steps to strengthen its security measures so that a similar incident could not recur, said Don Poe, vice president of network engineering at TelePacific Communications, which provides the VoIP "Smart Voice" service to thousands of customers.


But Poe, who described the massive DDoS attack during a presentation at the fall 2011 Comptel Plus Conference here, said he was sharing details about it because the pace of many types of DDoS attacks appears to be growing and the telecommunications industry isn't sharing information about them as well as it might for the common good.

TelePacific, he said, sees a multitude of daily scans against its network, and low-level attacks occur about twice a day. But the services provider had never before seen anything like the March event, when the normal level of 34 million SIP registration requests for VoIP connections suddenly shot up to 69 million and "flooded our systems," he said. "There was no calling ability."
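The attack Poe describes is a volumetric flood of SIP REGISTER requests, and the first signal of it is a registration rate far above the provider's baseline. The following is an added example, not code from TelePacific or from the article: a small Python monitor that checks each REGISTER for the mandatory RFC 3261 headers, counts registrations per minute, learns a baseline from the first few quiet minutes, and raises an alert (with the top source /24 prefixes for triage) when a minute exceeds that baseline by an assumed factor of 1.5. The log format, the sample addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24), the user names and the timestamps are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Headers RFC 3261 section 8.1.1 makes mandatory in every SIP request.
REQUIRED_HEADERS = {"Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards"}


def is_well_formed_register(msg: str) -> bool:
    """True if msg is a SIP REGISTER carrying all mandatory headers."""
    lines = msg.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("REGISTER sip:"):
        return False
    names = {line.split(":", 1)[0].strip() for line in lines[1:] if ":" in line}
    return REQUIRED_HEADERS.issubset(names)


def make_register(src_ip: str, user: str, missing=()) -> str:
    """Build a minimal constructed REGISTER; `missing` drops headers to simulate junk."""
    headers = [
        f"Via: SIP/2.0/UDP {src_ip}:5060;branch=z9hG4bK{user}",
        "Max-Forwards: 70",
        f"From: <sip:{user}@example.net>;tag=1",
        f"To: <sip:{user}@example.net>",
        f"Call-ID: {user}@{src_ip}",
        "CSeq: 1 REGISTER",
        f"Contact: <sip:{user}@{src_ip}>",
    ]
    kept = [h for h in headers if h.split(":", 1)[0] not in missing]
    return "REGISTER sip:example.net SIP/2.0\r\n" + "\r\n".join(kept) + "\r\n\r\n"


def build_sample_events():
    """Constructed traffic: (timestamp, source IP, raw message) tuples."""
    t0 = datetime(2011, 3, 15, 9, 0, 0)  # constructed date, not the real incident
    events = []
    # Normal load: 20 registrations per minute from five subscriber addresses.
    for minute in range(12):
        for i in range(20):
            src = f"198.51.100.{10 + i % 5}"
            ts = t0 + timedelta(minutes=minute, seconds=i * 3)
            events.append((ts, src, make_register(src, f"user{i}")))
    # Flood: minutes 8..11 add 200 malformed REGISTERs per minute from one /24.
    for minute in range(8, 12):
        for i in range(200):
            src = f"203.0.113.{i % 256}"
            ts = t0 + timedelta(minutes=minute, seconds=i * 60 // 200)
            msg = make_register(src, f"bot{i}", missing=("From", "Max-Forwards"))
            events.append((ts, src, msg))
    return events


def prefix24(ip: str) -> str:
    """Collapse an IPv4 address to its /24 for coarse source attribution."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def registrations_per_minute(events):
    """Bucket events by minute: total count, malformed count, count per /24."""
    counts, invalid, by_prefix = Counter(), Counter(), defaultdict(Counter)
    for ts, src, msg in events:
        key = ts.replace(second=0, microsecond=0)
        counts[key] += 1
        if not is_well_formed_register(msg):
            invalid[key] += 1
        by_prefix[key][prefix24(src)] += 1
    return counts, invalid, by_prefix


def detect_flood(events, baseline_minutes=5, factor=1.5):
    """Alert on any minute whose REGISTER count exceeds factor x the learned baseline."""
    counts, invalid, by_prefix = registrations_per_minute(events)
    minutes = sorted(counts)
    baseline = sum(counts[m] for m in minutes[:baseline_minutes]) / baseline_minutes
    alerts = []
    for m in minutes:
        if counts[m] > factor * baseline:
            alerts.append({
                "minute": m,
                "count": counts[m],
                "invalid": invalid[m],
                "baseline": baseline,
                "top_prefixes": by_prefix[m].most_common(3),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_flood(build_sample_events()):
        print(alert["minute"].strftime("%H:%M"), alert["count"], "REGISTERs,",
              alert["invalid"], "malformed, top:", alert["top_prefixes"][0])
```

The per-minute ratio against a learned baseline is the simplest form of the rate anomaly Poe's numbers describe (34 million rising to 69 million is a factor of about two); a production monitor would learn the baseline per hour of day and would keep the per-minute counters and top prefixes as evidence, since the article notes that lack of captured data was what kept TelePacific from giving the FBI a pursuable case.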

Comptel, the industry trade group for competitive communications services providers and their suppliers, says it believes its membership is seeing an uptick in DDoS attacks, which is why it scheduled a panel session on the topic that included Poe; Stacy Arruda, a supervisory special agent and cybercrime supervisor at the FBI; and Patrick Gray, principal security strategist at Cisco.

In recounting the DDoS event against his company's VoIP service, Poe said he did contact the FBI to report the attack, but he found that TelePacific simply did not have the event-analysis information the FBI needed to successfully pursue a case. "We were not prepared," he said. "We didn't capture enough information." That situation has since been rectified with new data-capture systems, he added.

Much of the DDoS attack traffic appeared to originate from China. But even if a botnet of compromised Chinese computers was the source of the attack, that does not necessarily mean that someone in China was the culprit behind it, though that is a possibility. Poe said there was no extortion threat accompanying the DDoS flood, and he has no idea who or what would decide to launch such a massive crippling attack against TelePacific and its customers.

In the aftermath, TelePacific turned to a number of firms, including Acme Packet and Arbor Networks, for help in security and network analysis.

But even installing Arbor's PeakFlow anti-DDoS equipment isn't the complete answer to the problem, because when DDoS attacks are strong enough, PeakFlow can't necessarily stop the worst of them, Poe added. TelePacific still fights denial-of-service attacks, which often arrive as traffic from China and Africa.

FBI agent Arruda said many of the network-attack cases the FBI works on do appear to involve a financial motive. There have been a few cases in which a "competitor DDoSed a competitor" to make the victim look bad, but that's unusual. More commonly, the attacker's goal appears to be stealing information of value through the incident. She urged service providers to join the local chapter of InfraGard, the FBI's information-sharing organization with the private sector, to get to know the FBI's people, and to get their cell numbers so they can be called the minute something happens.

Poe said there doesn't seem to be sufficient information-sharing among service providers themselves about these types of serious attacks. Others agree.

The IT community doesn't talk among itself enough about the serious problems it is seeing with DDoS and other security events, said Gray, the Cisco security strategist. In contrast, he added, "The hacking community talks to each other all day long." Service providers, he said, need to understand that they are a target and need to have a plan in place for this kind of devastating event.

"DDoS attacks and SYN floods are extraordinarily common today," said Stacy Griggs, senior director at Cbeyond Cloud Services, a division of Cbeyond Communications, who was attending the Comptel conference.

He said telecom providers in general seem reluctant to talk about the problem. Taking a cynical view, Griggs even thinks some telecom providers can be seen as sometimes deriving revenue from the DDoS floods that hit their customers.

Griggs said that his company, which is a hosting provider, sees constant attacks against customer servers in which an attacker gains access to them or brute-forces a password. His company's monitoring inspects both inbound and outbound traffic to detect this, while also fending off some types of attacks with intrusion-prevention systems.

But Griggs pointed out that his own practice also involves communicating about serious events with about half a dozen colleagues at other firms. "If I have a problem coming out of, I'll call them," he said. "We know each other. We call each other."

DDoS and server hacking aren't the only problems service providers face. Hackers are also trying to break into the computer-based funds-transfer systems that service providers use with their banks.

One conference attendee told the story of how, just a few weeks ago, the chief financial officer at an undisclosed services provider was authorizing a payment transfer of more than $180,000 from his computer when a sudden burst of spam pop-ups erupted on it, and a second, unauthorized transfer for the same dollar amount was sent off to a bank in Hong Kong. Fortunately, the CFO was quickly able to recover the full amount stolen through this direct attack on his computer, minus the small charge for a wire transfer.

Speaking on security, Arruda said, "The targeted email attack is the easiest way for the bad guys to get into the network." Since we live in a world where much information is readily available, attackers are using methods such as combing through public information, including social-networking sites, to find out what they can about corporate employees and their jobs.

Stories by Ellen Messmer