
Massive DDoS attacks a growing problem for VoIP providers

When a massive distributed denial-of-service (DDoS) attack last March brought down the voice-over-IP (VoIP) call processing that TelePacific Communications supplies to many of its customers, it prompted the local-exchange services provider to enhance its security.

The massive DDoS attack resulted in widespread service disruptions for some days in late March and cost the VoIP provider hundreds of thousands of dollars in customer credits. After the attack was over, the facilities-based services provider took measures to boost security and prevent any similar occurrence, said Don Poe, vice president of network engineering at TelePacific Communications.

However, Poe noted during a presentation at the 2011 Comptel Plus Conference that the pace of many types of DDoS attacks appears to be increasing, and he believes the telecommunications industry is not sharing information about them as well as it might for the common good.

Comptel, the industry trade group for competitive communications services providers and their suppliers, said it believes its membership is seeing growth in DDoS attacks, which is why the group scheduled the session panel on the topic. The panel included Poe; Stacy Arruda, a supervisory FBI special agent of the cybercrime division; and Patrick Gray, principal security strategist at Cisco Systems.

In recounting the DDoS attack against his company's VoIP service, Poe recalled that he did contact the FBI to report the attack, but he later found out that TelePacific simply did not have the event-analysis information that the FBI needed to successfully pursue a criminal case. "We were not prepared," he lamented. "We did not capture enough information." That situation has been resolved with new data-capture systems, he added.

In the aftermath, TelePacific asked a number of firms, including Acme Packet and Arbor Networks, for assistance in security and network analysis.

However, installing Arbor's PeakFlow anti-DDoS equipment was not a complete solution to the problem, because when DDoS attacks are strong enough, PeakFlow can't necessarily stop the worst of them, Poe stated. To this day, TelePacific is still fighting denial-of-service attacks, with traffic coming from China and Africa.

FBI agent Arruda reported that many of the network-attack cases the FBI works on do appear to involve a financial motive. There have been a few cases in which a "competitor DDoSed a rival" to make the rival's service look bad, but that is unusual. Usually, the attacker's goal appears to be acquiring information of value through the incident. Arruda urged VoIP service providers to join the local chapter of InfraGard, the FBI's information-sharing organization with the private sector. She advised them to get to know FBI people and to get their mobile numbers so they can call as soon as something happens.

The IT community does not talk among itself enough about the serious problems occurring in terms of DDoS and other security events, said Gray, the Cisco security strategist. He added that service providers need to remember that they are a target and need to have a plan in place for this kind of problem.

"DDoS attacks and SYN floods are extraordinarily common nowadays," said Stacy Griggs, senior director at Cbeyond Cloud Services, a division of Cbeyond Communications.

Griggs said telecom providers in general seem to be reluctant to talk about the problem. In a cynical sense, he even thinks some telecom providers can be seen as sometimes deriving revenue from DDoS floods that hit some customers.

But Griggs pointed out that his own general practice also involves communicating about serious events with about half a dozen colleagues at other firms, including Hosting.com. "If I have a problem coming out of Hosting.com, I'll call them," he said. "We know each other. We call each other."

Regarding security, Arruda said, "The targeted email attack is the easiest method for the bad guys to get into a protected network." Since we live in a world where much information is readily available, attackers use methods such as combing through public information, including social-networking sites, to find out what they can about corporate employees and their work.