
4 Recommendations for Countering DDoS Attacks in 2022

Image Credit: peshkov/Bigstockphoto.com

The last two pandemic-hit years have brought about a dramatic change in the way we live, work and play. The rise of remote working had long been forecast, but a global pandemic turned forecasts into widespread reality much faster than anyone predicted and, in many cases, before the networks were really ready.

As we learn to live with the consequences of COVID-19, and the so-called ‘new normal’ becomes just ‘the normal’, I believe 2022 will require service providers to increase their focus on network security to combat the growing range of attack vectors that bad actors will use to try to exploit, disrupt and/or steal data from organizations in every sector and in virtually every country.

One of the most significant methods of business disruption, and one that continues to grow, is the Distributed Denial of Service (DDoS) attack.

A DDoS attack occurs when a cybercriminal floods an organization’s servers or network links with traffic from many distributed sources, overwhelming normal processing and preventing legitimate users from reaching the connected online services and sites. Beyond locking legitimate users out of doing business with an organization, such an attack can disrupt a company’s entire IT infrastructure.

DDoS attacks on the rise and need to be countered

The first half of 2021 saw a staggering 5.4 million DDoS attacks reported. That represented a rise of 600,000 attacks over the same period in 2020, or, averaged over those six months, roughly 100,000 more attacks every month. Making detection difficult, 85 percent of those attacks lasted less than ten minutes. All but a handful were under 10 Gb/s, so they were very focused, and almost one in three was repeated within seven days.

A few key trends that we are noticing as it relates to DDoS attacks include:

  • Volumetric - Cybercriminals increasingly spoof the DDoS victim’s source address and send requests to a server host (a reflector) that generates a reply toward the victim several times larger than the request, producing a high volume of attack traffic. They favor protocols such as DNS, CLDAP and SNMP, whose amplification factor between request and response is high, and use multiple reflectors simultaneously, making it difficult to pinpoint which stream is causing the most damage.
  • Use of DDoS-for-hire services - These services make it easy for a cybercriminal to launch multiple attacks, especially when coupled with volumetric techniques.
  • Small packet size - Increasingly, DDoS attacks use small packets, which helps them evade detection; in some attacks the average packet size was under 100 bytes.
  • Adaptive - DDoS attacks are modified across multi-stage campaigns or in follow-on repeat attacks; for example, a brute-force traffic flood evolves into a volumetric reflection attack that uses botnets to send UDP from spoofed legitimate sources, and then changes into targeted attempts to flood specific VoIP APIs.
  • Coordinated - More than 50 local telecom providers in Brazil experienced attacks within a 1-3 minute window, with the bulk of the attacks starting simultaneously, clearly indicating a coordinated campaign.
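The trends above (reflection from several high-amplification UDP services at once, short bursts, repeats within seven days) have a recognizable shape in flow telemetry. The following is an added example, not code from the article or from Ribbon Communications, that scans constructed NetFlow-style records for that shape: it measures what share of a destination's inbound bytes arrives from well-known reflector source ports, how many distinct reflectors and services are involved, splits the activity into bursts, and reports whether a burst recurred within seven days. The record format, the 10-minute burst gap, and the 80%/three-reflector thresholds are assumptions chosen for illustration.

```python
"""
Reflection/amplification and repeat-attack detection over flow records.

Added example (not from the original article or any vendor). Works on the
constructed NetFlow-style records below; in production the records would come
from a flow collector. Field layout and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# UDP services the article names as high-amplification reflectors
REFLECTOR_PORTS = {53: "DNS", 389: "CLDAP", 161: "SNMP"}
BURST_GAP = timedelta(minutes=10)   # quiet period that separates two bursts
REPEAT_WINDOW = timedelta(days=7)   # "repeated within seven days"

# Constructed sample: ts,src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
# 203.0.113.10 is hit twice, three days apart, by four reflectors;
# 203.0.113.20 only sees ordinary HTTPS traffic.
SAMPLE_FLOWS = """\
2021-03-01T10:00:00,198.51.100.1,53,203.0.113.10,40213,UDP,50000,150000000
2021-03-01T10:00:30,198.51.100.2,389,203.0.113.10,40213,UDP,20000,60000000
2021-03-01T10:01:00,198.51.100.3,161,203.0.113.10,40213,UDP,30000,30000000
2021-03-01T10:03:00,198.51.100.4,53,203.0.113.10,40213,UDP,40000,120000000
2021-03-01T10:04:00,192.0.2.5,443,203.0.113.10,51000,TCP,300,400000
2021-03-04T02:00:00,198.51.100.1,53,203.0.113.10,40213,UDP,50000,150000000
2021-03-04T02:02:00,198.51.100.2,389,203.0.113.10,40213,UDP,20000,60000000
2021-03-04T02:03:00,198.51.100.3,161,203.0.113.10,40213,UDP,30000,30000000
2021-03-01T09:00:00,192.0.2.5,443,203.0.113.20,51001,TCP,1000,1500000
2021-03-01T09:30:00,192.0.2.6,443,203.0.113.20,51002,TCP,800,1200000
"""


def parse_flow(line):
    """Parse one CSV flow record into a dict with typed fields."""
    ts, src, sport, dst, dport, proto, pkts, byts = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto,
            "pkts": int(pkts), "bytes": int(byts)}


def burst_windows(timestamps, gap=BURST_GAP):
    """Split sorted timestamps into (start, end) bursts separated by more than `gap`."""
    bursts = []
    start = prev = timestamps[0]
    for ts in timestamps[1:]:
        if ts - prev > gap:
            bursts.append((start, prev))
            start = ts
        prev = ts
    bursts.append((start, prev))
    return bursts


def analyze(lines, min_share=0.8, min_reflectors=3):
    """Per destination: reflector byte share, reflector count, bursts and repeat flag."""
    per_dst = defaultdict(list)
    for line in lines.strip().splitlines():
        f = parse_flow(line)
        per_dst[f["dst"]].append(f)

    findings = {}
    for dst, flows in per_dst.items():
        total = sum(f["bytes"] for f in flows)
        # Replies from reflector service ports over UDP are the amplification signature
        refl = [f for f in flows if f["proto"] == "UDP" and f["sport"] in REFLECTOR_PORTS]
        share = sum(f["bytes"] for f in refl) / total if total else 0.0
        sources = {f["src"] for f in refl}
        refl_times = sorted(f["ts"] for f in refl)
        bursts = burst_windows(refl_times) if refl_times else []
        repeated = any(later[0] - earlier[1] <= REPEAT_WINDOW
                       for earlier, later in zip(bursts, bursts[1:]))
        findings[dst] = {
            "flagged": share >= min_share and len(sources) >= min_reflectors,
            "reflector_share": round(share, 3),
            "reflector_sources": len(sources),
            "services": sorted({REFLECTOR_PORTS[f["sport"]] for f in refl}),
            "avg_packet_bytes": round(total / sum(f["pkts"] for f in flows), 1),
            "bursts": bursts,
            "repeated_within_7d": repeated,
        }
    return findings


if __name__ == "__main__":
    for dst, finding in analyze(SAMPLE_FLOWS).items():
        print(dst, finding)
```

Because reflectors are legitimate servers answering what they believe are genuine queries, blocking them by address is rarely an option; the useful output here is the victim address, the services abused and the burst timing, which feed a scrubbing or rate-limiting decision and tell you when to expect the repeat.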

Session border controllers can be a formidable tool

Any part of an organization’s IT infrastructure can be the target of a DDoS attack, including the servers and services that carry Voice over IP (VoIP) traffic. One important tool for combating DDoS attacks on VoIP is the Session Border Controller (SBC). SBCs have long been considered the backbone of secure VoIP networks because they can detect suspicious or anomalous signaling and media behavior and act in real time to minimize exposure.

The role of the SBC is to manage the Session Initiation Protocol (SIP) signaling and Real-time Transport Protocol (RTP) media used for VoIP, video and instant messaging traffic: it manages each session, or connection, between networks, maintains the security and Quality of Service (QoS) of that session, and provides additional service interworking functionality. Because it parses SIP and RTP, an SBC can deliver application-layer protection against DDoS and other security threats for VoIP in the way a web application firewall does for HTTP.

What to do about DDoS attacks?

Faced with the mounting threats that DDoS attacks pose to their networks, customers and reputations, what are service providers to do?

Here are four key recommendations for service providers to address potential DDoS attacks in 2022:

  1. Strengthen interconnect security - Work with IP peers to strengthen security by migrating IP interconnections from UDP to TCP for SIP transport (UDP-based attacks accounted for 44% of all attacks during the first half of 2021, and TCP’s three-way handshake makes SIP floods from spoofed source addresses far harder to mount). In addition, encrypt IP interconnections using TLS for signaling and SRTP for media. Microsoft’s Teams Direct Routing and Operator Connect services, for example, make this type of encryption mandatory.
  2. Pay attention to port scan alerts/alarms - Volumetric floods saturate links regardless of which ports are open, but application-layer attacks need a reachable service, and port scans are how attackers find one. Exposed ports should therefore be proactively monitored by an intrusion detection system that alerts on significant changes in scan volume or on unusual scan sources.
  3. Review and optimize the DDoS solution - It is critical to review the DDoS security procedures and processes currently in place and determine if and how they should be changed to optimize protection and mitigation.
  4. Review and, where needed, optimize the SBC solution - DDoS mitigation providers typically bundle a Web Application Firewall (WAF) for Layer 7 security, but a WAF inspects HTTP; VoIP is not a traditional web application, and it needs an SBC to provide the equivalent function for SIP and RTP. It is therefore also important to review the DDoS capabilities of the SBCs in place and confirm that their configurations are up to date. For example, how recently were the Access Control Lists (ACLs) updated, and have unusual port scan source addresses been added to them?
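Recommendations 2 and 4 are one workflow: detect scanning sources, then check whether the SBC’s ACLs already deny them and whether the ACLs have gone stale. The following is an added example, not code from the article or from any SBC vendor, that runs that workflow over constructed firewall-style log lines and a constructed ACL table. The log format (`src=… dst=… dport=… proto=… action=…`), the ACL structure, the five-minute window, the eight-distinct-port threshold and the 30-day staleness limit are all assumptions for illustration; a real deployment would read the SBC’s own log and ACL formats.

```python
"""
Port-scan detection feeding an SBC access-control-list review.

Added example (not from the original article or any SBC vendor). Log format,
ACL structure, window, port threshold and staleness limit are assumptions;
the log lines and ACL below are constructed for the example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed: two sources sweep ten ports within seconds; one SIP peer behaves normally.
SCAN_PORTS = [21, 22, 23, 25, 80, 443, 5060, 5061, 5080, 8080]
SAMPLE_LOG = "\n".join(
    [f"2022-01-10T08:00:{i:02d} src=198.51.100.77 dst=203.0.113.5 dport={p} proto=tcp action=drop"
     for i, p in enumerate(SCAN_PORTS)]
    + [f"2022-01-10T09:15:{i:02d} src=192.0.2.200 dst=203.0.113.5 dport={p} proto=tcp action=drop"
       for i, p in enumerate(SCAN_PORTS)]
    + ["2022-01-10T08:00:05 src=198.51.100.78 dst=203.0.113.5 dport=5061 proto=tcp action=accept",
       "2022-01-10T08:00:30 src=198.51.100.78 dst=203.0.113.5 dport=5060 proto=udp action=accept",
       "2022-01-10T08:30:00 src=198.51.100.78 dst=203.0.113.5 dport=5061 proto=tcp action=accept",
       "malformed line the parser must skip"]
)

# Constructed SBC ACL: the first scanner is already denied, the SIP peer is permitted.
SBC_ACL = {
    "last_updated": datetime(2021, 10, 1),
    "entries": [
        {"src": "198.51.100.77", "action": "deny"},
        {"src": "198.51.100.78", "action": "permit"},
    ],
}


def parse(lines):
    """Return (timestamp, src, dst, dport) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in lines.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            events.append((datetime.fromisoformat(d["ts"]), d["src"], d["dst"], int(d["dport"])))
    return events


def find_scanners(events, window=timedelta(minutes=5), min_ports=8):
    """Map source -> peak count of distinct destination ports it touched inside `window`."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport in events:
        by_src[src].append((ts, dport))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        in_window = Counter()   # port -> hits currently inside the sliding window
        left, peak = 0, 0
        for ts, port in hits:
            in_window[port] += 1
            while ts - hits[left][0] > window:   # drop hits that fell out of the window
                old_port = hits[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            scanners[src] = peak
    return scanners


def acl_review(scanners, acl, now, max_age_days=30):
    """Scanners the ACL does not deny yet, whether the ACL is stale, and proposed deny entries."""
    denied = {e["src"] for e in acl["entries"] if e["action"] == "deny"}
    missing = sorted(s for s in scanners if s not in denied)
    proposed = [{"src": s, "action": "deny", "reason": f"port scan, {scanners[s]} ports"}
                for s in missing]
    stale = (now - acl["last_updated"]) > timedelta(days=max_age_days)
    return {"missing": missing, "stale": stale, "proposed_entries": proposed}


if __name__ == "__main__":
    found = find_scanners(parse(SAMPLE_LOG))
    print("scanners:", found)
    print(acl_review(found, SBC_ACL, now=datetime(2022, 1, 10, 10, 0)))
```

The distinct-port count is deliberately computed per sliding window rather than over the whole log, so a peer that legitimately reaches a handful of ports over a day (here, 5060 and 5061) never trips the threshold. Proposed deny entries should still be reviewed before they are pushed: a scan from a trusted peer’s address usually means that peer has a problem, not that the peer should be cut off.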

Today, identifying and stopping DDoS attacks has become a necessary part of every service provider’s business strategy. While cybercriminals will keep trying to stay one step ahead of the latest detection tools, service providers can take actionable steps in 2022 and beyond to ensure that they are not only protecting their reputation and brand but also safeguarding their networks, their intellectual property, their employees, and their interactions with customers and business partners.

Author

Dan Teichman is Director of Solutions Marketing for Ribbon Communications, where he is responsible for the company’s core networking portfolio for public and private clouds and for its security analytics and identity assurance portfolio. He holds a Bachelor of Science from Union College and a Master of International Management from the University of Denver.
